
Automated SSL certificate renewal for CrushFTP

CrushFTP won't update a renewed certificate on its own. CertKit will.

CrushFTP loads its TLS certificate from a Java KeyStore when the service starts. When a certificate renews, the keystore on disk is stale and CrushFTP keeps serving the old certificate until someone rebuilds the keystore and restarts the server. Every 47 days. On every CrushFTP server you run.

CertKit centralizes certificate issuance and renewal, then writes the updated Java KeyStore to the path CrushFTP already reads and restarts the service automatically via the CertKit Agent.


Built for CrushFTP

The pre-built Java KeyStore template and restart script ship in your CertKit account. No scripting required.

The CertKit Agent writes the renewed certificate, private key, and intermediate chain into a Java KeyStore (.jks) at the path you set, then restarts the CrushFTP Windows service so it loads the new certificate.

You point CrushFTP at that keystore file once in the management UI. After that, CertKit overwrites the same file on every renewal and restarts the service. There is nothing to reconfigure in CrushFTP again.

How it works

 Your CrushFTP server     CertKit                 ACME CA
┌───────────────────┐     ┌──────────────────┐    ┌─────────────┐
│                   │     │                  │    │             │
│     ┌───────────────┐   │  Issue & Renew   │◄──►│             │
│     │ CertKit Agent │◄──┤   Certificates   │    │             │
│     └─────────┬─┬───┘   │                ┌───┐  └─────────────┘
│               │ │ │     └───────────┬────│DNS│
│ .jks file  ◄──┘ │ │                 │    └───┘
│ [x] Written     │ │                 │
│                 │ │                 │
│ CrushFTP    ◄───┘ │ ◄───────────────┘
│ [x] Restarted     │       Verify
└───────────────────┘

CertKit manages issuance and renewal centrally using delegated DNS validation. You create a one-time CNAME record and CertKit handles every ACME challenge after that. Your CrushFTP server does not run ACME, needs no open ports, and holds no DNS credentials. It just runs the agent.

What CertKit handles

Setup takes about ten minutes

  1. Connect your domain. Add a one-time CNAME record to delegate DNS validation to CertKit. Every renewal challenge after that is automatic.
  2. Install the CertKit Agent. One command on your CrushFTP server. The agent runs as a Windows service and needs no inbound firewall rules.
  3. Add the CrushFTP deployment script. Pick the Java KeyStore template, set the keystore path, password, alias, and your CrushFTP service name. CertKit runs it on every renewal.
  4. Point CrushFTP at the keystore once. In the CrushFTP admin UI, set the SSL keystore to the file CertKit writes. This is the only change you make inside CrushFTP, and you only make it once.


Why not rebuild the keystore by hand?

The manual CrushFTP renewal workflow is a keytool sequence: import the renewed certificate and its chain into a Java KeyStore, copy it to the server, then restart CrushFTP so it picks up the new file. That works once. Run it on every CrushFTP server every 47 days and it becomes a source of expired FTPS and HTTPS listeners, discovered when a partner's automated transfer starts failing the TLS handshake.

Running an ACME client directly on a file-transfer server isn't a good answer either. Public CAs require HTTP-01 or DNS-01 validation. Opening port 80 on a server that faces your partners, or putting DNS provider credentials on it, adds exposure to a machine whose whole job is moving sensitive files.

CertKit issues the certificate centrally via delegated DNS validation, then the agent writes the keystore and restarts the service as one verified step, with no ACME client on the server and no keytool to run by hand.
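The stale-keystore failure described above can be detected from outside the service by comparing the certificate the listener presents with the leaf stored in the keystore. The script below is an added example, not CertKit or CrushFTP code: it assumes the leaf was exported with `keytool -exportcert -rfc -alias <alias> -keystore <path> -file leaf.pem`, that the listener speaks TLS from the first byte (HTTPS or implicit FTPS, not explicit AUTH TLS on port 21), and all function names are hypothetical.

```python
import hashlib
import socket
import ssl
import sys


def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the usual certificate fingerprint."""
    return hashlib.sha256(der).hexdigest()


def keystore_leaf_der(pem_text: str) -> bytes:
    """DER bytes of the leaf exported from the keystore (keytool -rfc output)."""
    return ssl.PEM_cert_to_DER_cert(pem_text.strip())


def served_leaf_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Leaf certificate the listener presents right now.

    Verification is off on purpose: an expired or mismatched certificate must
    still be retrievable so it can be compared. Nothing is sent over this
    connection and the result is only hashed, never trusted.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare(served_der: bytes, keystore_der: bytes) -> dict:
    """Report both fingerprints and whether the listener lags the keystore."""
    served, on_disk = fingerprint(served_der), fingerprint(keystore_der)
    return {"served": served, "keystore": on_disk, "stale": served != on_disk}


if __name__ == "__main__":
    if len(sys.argv) == 4:  # HOST PORT LEAF_PEM: live check against a listener
        host, port, pem_path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
        with open(pem_path, encoding="ascii") as fh:
            result = compare(served_leaf_der(host, port), keystore_leaf_der(fh.read()))
        print(result)
        sys.exit(2 if result["stale"] else 0)  # non-zero exit lets monitoring alert
    # No arguments: offline demo on constructed bytes, not a real certificate.
    renewed = ssl.DER_cert_to_PEM_cert(b"constructed-renewed-leaf")
    print(compare(b"constructed-old-leaf", keystore_leaf_der(renewed)))
```

A `stale` result right after a renewal means the keystore file was replaced but the service has not reloaded it yet.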

CrushFTP is just one server that needs a certificate

Most environments have more than one place where TLS certificates live: web servers like nginx and IIS, load balancers like F5, and firewalls like Fortinet and Palo Alto. CertKit automates all of it from one account.


Start automating CrushFTP certificates today

Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.
