You cannot use an IIS-generated self-signed certificate to load access logs over SSL because the certificate that IIS creates is not complete. As a security device, the ProxySG appliance will not accept an incomplete certificate.
Workaround: Create a self-signed certificate using OpenSSL and import it into IIS. Here are the steps:
- Generate the private key on the Linux/Unix/Cygwin host:
openssl genrsa -des3 -out ftpvm.key 1024
- Generate a CSR:
openssl req -new -key ftpvm.key -out ftpvm.csr
- Remove the passphrase from the key. One side effect of a passphrase-protected private key is that ftpvm will ask for the passphrase each time the FTP server is started. Keep the protected original as ftpvm.key.org and write the unprotected key to ftpvm.key:
cp ftpvm.key ftpvm.key.org
openssl rsa -in ftpvm.key.org -out ftpvm.key
- Generate a self-signed certificate:
openssl x509 -req -days 365 -in ftpvm.csr -signkey ftpvm.key -out ftpvm.crt
- With the above key material, create a .pfx file using the converter at: https://www.sslshopper.com/ssl-converter.html
- Import the certificate into IIS 7.5: IIS Manager > Machine name > IIS > Server Certificates > Import
- For the FTP site, set the FTP SSL Settings to use this imported cert.
- The certificate CN MUST match the primary FTP server name in the access log client configuration.
- This same certificate, as created above, must be imported into the CA certificate list on the ProxySG and added to the browser-trusted list.
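The same procedure can be run non-interactively, with the .pfx built locally by `openssl pkcs12` so the private key stays on the host, followed by checks that the CN and key match before import. This is an added example, not part of the original article; the host name `ftp.example.test`, the `PFX_PASS` variable, the 2048-bit default and the PKCS#12 algorithm flags are assumptions.

```shell
#!/bin/sh
# Added example (not vendor code). File names follow the page; the host name,
# output directory and PFX_PASS variable are assumptions of this sketch.
set -eu

# make_ftps_pfx CN DIR [BITS]: key, CSR, self-signed cert and .pfx, all local.
# The page's command uses 1024 bits; 2048 is this example's default (assumption).
make_ftps_pfx() {
    (   umask 077    # key files readable by the owner only
        k=$2/ftpvm.key; c=$2/ftpvm.crt
        openssl genrsa -out "$k" "${3:-2048}" 2>/dev/null &&
        openssl req -new -key "$k" -subj "/CN=$1" -out "$2/ftpvm.csr" &&
        openssl x509 -req -days 365 -in "$2/ftpvm.csr" -signkey "$k" \
            -out "$c" 2>/dev/null &&
        # 3DES/SHA-1 PKCS#12 encoding: assumed necessary because OpenSSL 3
        # defaults to AES-256, which older Windows releases do not import.
        openssl pkcs12 -export -inkey "$k" -in "$c" -out "$2/ftpvm.pfx" \
            -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1 \
            -passout env:PFX_PASS
    )
}

# cert_cn CRT: print the subject CN of a certificate.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# key_matches_cert KEY CRT: succeed only if both carry the same public key.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# verify_bundle DIR NAME: pre-import checks; NAME is the FTP server name
# configured in the ProxySG access log client.
verify_bundle() {
    [ "$(cert_cn "$1/ftpvm.crt")" = "$2" ] || { echo "CN mismatch" >&2; return 1; }
    key_matches_cert "$1/ftpvm.key" "$1/ftpvm.crt" ||
        { echo "key/cert mismatch" >&2; return 1; }
    openssl pkcs12 -in "$1/ftpvm.pfx" -passin env:PFX_PASS -noout >/dev/null 2>&1 ||
        { echo "pfx unreadable" >&2; return 1; }
}

# Usage: PFX_PASS=... sh make_cert.sh ftp.example.test ./out
if [ "$#" -ge 2 ]; then
    mkdir -p "$2" && make_ftps_pfx "$1" "$2" && verify_bundle "$2" "$1"
fi
```

Supplying the password through `PFX_PASS` keeps it out of the process argument list; the resulting `ftpvm.pfx` is the file imported into IIS and `ftpvm.crt` is the one imported into the ProxySG.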
For more information see: