Built for CrushFTP
The pre-built Java KeyStore template and restart script ship in your CertKit account. No scripting required.
CrushFTP loads its TLS certificate from a Java KeyStore when the service starts. When a certificate renews, the keystore on disk is stale and CrushFTP keeps serving the old certificate until someone rebuilds the keystore and restarts the server. Every 47 days. On every CrushFTP server you run.
CertKit centralizes certificate issuance and renewal, then writes the updated Java KeyStore to the path CrushFTP already reads and restarts the service automatically via the CertKit Agent.
The pre-built Java KeyStore template and restart script ship in your CertKit account. No scripting required.
The CertKit Agent writes the renewed certificate, private key, and intermediate chain into a Java KeyStore (.jks) at the path you set, then restarts the CrushFTP Windows service so it loads the new certificate.
You point CrushFTP at that keystore file once in the management UI. After that, CertKit overwrites the same file on every renewal and restarts the service. There is nothing to reconfigure in CrushFTP again.
Your CrushFTP server CertKit ACME CA ┌───────────────────┐ ┌──────────────────┐ ┌─────────────┐ │ │ │ │ │ │ │ ┌───────────────┐ │ Issue & Renew │◄──►│ │ │ │ CertKit Agent │◄──┤ Certificates │ │ │ │ └─────────┬─┬───┘ │ ┌───┐ └─────────────┘ │ │ │ │ └───────────┬────│DNS│ │ .jks file ◄──┘ │ │ │ └───┘ │ [x] Written │ │ │ │ │ │ │ │ CrushFTP ◄───┘ │ ◄───────────────┘ │ [x] Restarted │ Verify └───────────────────┘
CertKit manages issuance and renewal centrally using delegated DNS validation. You create a one-time CNAME record and CertKit handles every ACME challenge after that. Your CrushFTP server does not run ACME, no open ports, no DNS credentials. It just runs the agent.
The manual CrushFTP renewal workflow is a keytool sequence: import the renewed certificate and its chain into a Java KeyStore, copy it to the server, then restart CrushFTP so it picks up the new file. That works once. Run it on every CrushFTP server every 47 days and it becomes a source of expired FTPS and HTTPS listeners, discovered when a partner's automated transfer starts failing the TLS handshake.
Running an ACME client directly on a file-transfer server isn't a good answer either. Public CAs require HTTP-01 or DNS-01 validation. Opening port 80 on a server that faces your partners, or putting DNS provider credentials on it, adds exposure to a machine whose whole job is moving sensitive files.
CertKit issues the certificate centrally via delegated DNS validation, then the agent writes the keystore and restarts the service as one verified step, with no ACME client on the server and no keytool to run by hand.
Most environments have more than one place where TLS certificates live: web servers like nginx and IIS, load balancers like F5, and firewalls like Fortinet and Palo Alto. CertKit automates all of it from one account.
Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.