Client SSL Certificate Authentication
Cerberus FTP Server can be configured to require clients to verify themselves using digital certificates. When given a Certificate Authority (CA) certificate list, Cerberus will verify that the client certificate is signed and valid for the given Certificate Authorities. Cerberus will also make sure that the certificate hasn't been revoked if a CRL is specified. This feature is only available in Cerberus FTP Server Professional and Enterprise editions and currently only applies to FTPS, FTPES, and HTTPS connections.
How Client Certificate Verification Works
If Cerberus is configured to require a certificate from the client then Cerberus will require a client certificate and verify that the certificate presented by the client is signed by a trusted CA and valid. It will compare the certificate against the certificate authorities present in the specified CA certificates file. Any FTPS connection attempts without a valid certificate will be denied when this option is selected.
Additional Certificate Verification Options
Cerberus can be configured to provide additional post-verification client certificate checking. Specifically, you can require the certificate common name (CN) to match the FTP username. If this option is enabled and the client common name does not match the FTP username then the connection request will be denied.
Creating Digital Certificates for Clients
There are currently several tools available for creating digital certificates. The OpenSSL command line tool provides a configurable option for generating SSL certificates that can be used for client certificate authentication.
We are also working on a new product to help organizations create, manage, and distribute digital certificates. Take a look at Cerberus CA for more details.
FTP Server 5.0
