Summary

In previous versions of Cerberus FTP Server, SSH and SSL/TLS keys were managed jointly. This meant that expiration of SSL/TLS certificates would require renewal of SSH keys. In an effort to improve usability and security, we are separating the management of SSH keys and SSL/TLS keys.

Background

Following Cerberus’ strict security measures, an extra precaution was implemented, coupling the expiration of SSH keys with that of SSL/TLS keys.

While that meant that SSH keys would be renewed periodically – at the same time as SSL/TLS keys – it also made it difficult to support SSH clients while keeping SSL/TLS certificates up to date: any change to the SSL/TLS keys would trigger warnings in SSH clients, alerting the user that the server fingerprint had changed. This created an administrative burden on customers who relied heavily on SFTP communication.

Improvements

Starting with Release 12.4, we added a degree of flexibility by decoupling SSH keys from SSL/TLS keys.

By enabling separate management of each key pair, we maintain previous security measures while keeping the functionality of each approach independent. 

Implementation

The change is automatic and requires no administrator involvement. On startup, Cerberus FTP Server 12.4.0 extracts and sets aside a copy of the current SSL/TLS keys. All future SSH communication will use these keys to identify the server to the client. Future changes to the SSL/TLS certificate and private key will have no impact on SSH keys. In other words, SSH clients will continue functioning normally after you update SSL/TLS certificates.

New fields displaying the paths to the SSH key files are located under:

  • Server Manager / Security / SSH Host Key Pair

    New SSH Host Key Pair User Interface

These files continue to be PEM-encoded X509 certificate and private key files. If the SSL/TLS private key was password protected, then the SSH copy will have the same password protection.
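To confirm that SFTP clients will not see a fingerprint warning after an SSL/TLS certificate renewal, compare the host key fingerprint recorded before the renewal with the one presented afterwards. The following is an added example, not Cerberus code: it assumes an RSA host key offered in the standard "ssh-rsa" format and the SHA256 fingerprint form that OpenSSH-style clients display, and the host name and key values are constructed placeholders.

```python
import base64
import hashlib
import struct


def ssh_string(data: bytes) -> bytes:
    """Length-prefixed byte string (RFC 4251)."""
    return struct.pack(">I", len(data)) + data


def mpint(value: int) -> bytes:
    """Non-negative integer as an SSH mpint: big-endian, top bit kept clear."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big") if value else b""
    return ssh_string(raw)


def rsa_host_key_blob(e: int, n: int) -> bytes:
    """Public key blob for the "ssh-rsa" key format (RFC 4253, section 6.6)."""
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form OpenSSH-style clients display."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def keyscan_fingerprint(line: str) -> str:
    """Fingerprint of one 'host keytype base64-blob' line (ssh-keyscan output)."""
    _host, _keytype, b64 = line.split()[:3]
    return fingerprint(base64.b64decode(b64))


def host_key_changed(before: str, after: str) -> bool:
    """True if clients that pinned `before` would warn when shown `after`."""
    return keyscan_fingerprint(before) != keyscan_fingerprint(after)


def _sample_line(n: int) -> str:
    # Constructed sample: toy modulus and placeholder host name, not a real key.
    blob = rsa_host_key_blob(65537, n)
    return "sftp.example.test ssh-rsa " + base64.b64encode(blob).decode()


BEFORE_RENEWAL = _sample_line(0xC3A5F00D1234567)  # host key clients have pinned
AFTER_RENEWAL = _sample_line(0xC3A5F00D1234567)   # TLS cert renewed, SSH copy untouched
AFTER_REKEY = _sample_line(0xD4B6E11E7654321)     # host key pair itself replaced

if __name__ == "__main__":
    print("pinned:", keyscan_fingerprint(BEFORE_RENEWAL))
    print("warn after TLS renewal:", host_key_changed(BEFORE_RENEWAL, AFTER_RENEWAL))
    print("warn after re-key:", host_key_changed(BEFORE_RENEWAL, AFTER_REKEY))
```

In practice the two input lines would come from host key scans taken before and after the certificate update, with the first fingerprint confirmed through a trusted channel.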

Release Notes and Feedback

Changes are only relevant to the Professional and Enterprise editions of Cerberus FTP Server.

Currently, the key paths are read-only; additional SSH key-related functionality may be added in the future.

Please use our “Feature request” page to share what additional SSH key-related functionality you’d like to see.