Configure ProFTPD to Use SSL/TLS Certificates on Ubuntu 17.04 | 17.10

telework 5059653 640

Few days ago we showed you how to install ProFTPD on Ubuntu 17.04 | 17.10. Today’s post is going to show students and new users how to configure ProFTPD to transfer files securely between the FTP client and the FTP server using SSL/TLS certificates.

ProFTPD is easy to setup and configure. You can get it stalled and going in minutes. However, if you want to protect sensitive information being transferred between the FTP client and server, you may want to enable SSL/TLS protocols.

When you enable SSL/TLS, your data will travel encrypted and authenticated. Even when the data is intercepted, the interceptors may still not be able to view of read the content. This is what SSL/TLS provides.

If you need to configure ProFTPD to communicate over SSL/TLS, follow the steps below.

Before continue with generating a SSL/TLS certificate, please make sure that you’ve read our previous post on installing ProFTPD. Read the post below before continuing with configuring ProFTPD with SSL/TLS.

Click the link below to read this post first, before going any further:

Now you can continue with obtaining a SSL/TLS certificate.

Step 1: Configure ProFTPD to use SSL/TLS

To protect the ProFTPD server and transfer data over SSL/TLS, you must obtain a SSL/TLS certificate. You can get a trusted certificate from a certificate authority or create a self-signed one.

The self-signed certificate may only be used internally. You can use it externally, but your customers won’t feel safe when connecting to your servers using self-signed certificates.

To create a self-signed certificate valid for one year, run the commands below.

sudo bash
cd /etc/ssl/private
openssl req -x509 -nodes -newkey rsa:2048 -keyout proftpdServerkey.pem -out proftpdCertificate.pem -days 365

After running the commands above, you should be prompted to incorporate other details into the certificate. Use the Guide below to answer the questions.

writing new private key to 'proftpdServerkey.pem'
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:Brooklyn
Organization Name (eg, company) [Internet Widgits Pty Ltd]:My Lab
Organizational Unit Name (eg, section) []:Lab
Common Name (e.g. server FQDN or YOUR name) []
Email Address []:

After that, a new server private key (proftpdServer.key) and server certificates (proftpdCertificate)  should be created and stored in the /etc/ssl/private directory.

Step 2: Configure ProFTPD with SSL/TLS

Now that you’ve obtained a SSL/TLS certificate, run the commands below to open ProFTPD default tls configuration file.

sudo nano /etc/proftpd/tls.conf

Then add the highlighted lines in the file and save.

# Proftpd sample configuration for FTPS connections.
# Note that FTPS impose some limitations in NAT traversing.
# See
# for more information.

TLSEngine                    on
TLSLog                       /var/log/proftpd/tls.log
TLSProtocol                  TLSv1.2
# Server SSL certificate. You can generate a self-signed certificate using
# a command like:
# openssl req -x509 -newkey rsa:1024 \
#          -keyout /etc/ssl/private/proftpd.key -out /etc/ssl/certs/proftpd.crt \
#          -nodes -days 365
# The proftpd.key file must be readable by root only. The other file can be
# readable by anyone.
# chmod 0600 /etc/ssl/private/proftpd.key
# chmod 0640 /etc/ssl/private/proftpd.key
TLSRSACertificateFile                /etc/ssl/private/proftpdCertificate.pem
TLSRSACertificateKeyFile             /etc/ssl/private/proftpdServerkey.pem
# CA the server trusts.
#TLSCACertificateFile                /etc/ssl/certs/CA.pem
# .or avoid CA cert and be verbose
#TLSOptions           NoCertRequest EnableDiags
# . or the same with relaxed session use for some clients (e.g. FireFtp)
#TLSOptions           NoCertRequest EnableDiags NoSessionReuseRequired
# Per default drop connection if client tries to start a renegotiate
# This is a fix for CVE-2009-3555 but could break some clients.
#TLSOptions             AllowClientRenegotiations
# Authenticate clients that want to use FTP over TLS?
#TLSVerifyClient               off
# Are clients required to use FTP over TLS when talking to this server?
TLSRequired                    on

Save the file when you’re done.

Then open ProFTPD default configuration file and comment out this line to include the tls.conf configurations.

sudo nano /etc/proftpd/proftpd.conf

Comment out the highlighted line in the file and save.

# This is used for FTPS connections
Include /etc/proftpd/tls.conf

Save the /etc/proftpd/proftpd.conf file and close out.

Step 3: Restart ProFTPD

After configuring the server, run the commands below to restart the service.

sudo systemctl restart proftpd

After that, open your favorite FTP client and connect with the settings in the image below:

vsftpd ssl connection

Connect and you should get a prompt to trust the certificate.

vsftpd ubuntu ssl

Access should be granted after.

vsftpd ssl tle ubuntu setup


You may also like the post below:


  1. This article is amazingly clear and simple to follow. The time taken to write it is worth every second of it. Thank you so much .

  2. Thank you 😀
    Simple and clear.
    Nice job

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.