Client SSL Certificate Authentication

Cerberus FTP Server can be configured to require clients to verify themselves using digital certificates for SSL/TLS connections. When given a Certificate Authority (CA) certificate list, Cerberus will verify that the client certificate is signed and valid for the given Certificate Authorities. If the administrator also specifies a CRL file, Cerberus will check the CRL file to make sure that the client certificate hasn’t been revoked. This feature is only available in Cerberus FTP Server Professional and Enterprise editions, and only applies to FTPS, FTPES, and HTTPS connections.

How Client Certificate Verification Works

If Cerberus is configured to require a certificate from connecting SSL/TLS clients, then Cerberus will require a client certificate, and verify that the certificate presented by the client is valid and signed by a trusted CA. Cerberus will compare the client certificate against the certificate authorities present in the specified CA certificates file. Any FTPS or HTTPS connection attempts without a valid certificate will be denied when this option is selected.

Additional Certificate Verification Options

Cerberus can be configured to provide additional post-verification client certificate checking. Specifically, you can require the certificate common name (CN) to match the user’s username. If this option is enabled, and the client common name does not match the user’s username, then the connection request will be denied.

Creating Digital Certificates for Clients

There are currently several tools available for creating digital certificates. The OpenSSL command line tool provides a configurable option for generating SSL certificates that can be used for client certificate authentication.

Back to Product Overview