Built for FileZilla Server
The CertKit Agent discovers FileZilla Server and its certificate paths on its own. No scripting required.
FileZilla Server terminates FTPS with a certificate and key configured in its TLS settings. When the certificate renews, the server keeps serving the old one until someone replaces the files and restarts the service. Every 47 days. On every FileZilla Server you run.
CertKit centralizes certificate issuance and renewal, then writes the renewed certificate to your FileZilla Server via the CertKit Agent and restarts the service so FTPS comes back on the current certificate.
The CertKit Agent discovers FileZilla Server and its certificate paths on its own. No scripting required.
The CertKit Agent finds FileZilla Server in its certificate inventory, including the
certificate and key files its TLS settings point at. On every renewal it writes the
new files and restarts the filezilla-server service, on Windows or
Linux, so every FTPS listener presents the current certificate.
Point CertKit at the discovered config once. CertKit handles every renewal after that.
The manual process, if you want to do it yourself:
filezilla-server so active listeners pick up the new
certificate.
Every one of these steps is manual, and FileZilla Server won't repeat any of them for you when the certificate renews. With lifetimes shrinking to 47 days, installation stops being an annual chore and becomes a recurring task: eight times a year, on every server. Miss one and a partner's automated transfer fails the TLS handshake at 2am.
At 47 days, automation is the only sustainable way to run FTPS certificates. Here's how CertKit does it.
Your FileZilla server CertKit ACME CA ┌───────────────────┐ ┌──────────────────┐ ┌─────────────┐ │ │ │ │ │ │ │ ┌───────────────┐ │ Issue & Renew │◄──►│ │ │ │ CertKit Agent │◄──┤ Certificates │ │ │ │ └─────────┬─┬───┘ │ ┌───┐ └─────────────┘ │ │ │ │ └───────────┬────│DNS│ │ Cert + key ◄─┘ │ │ │ └───┘ │ [x] Written │ │ │ │ │ │ │ │ FTPS service ◄──┘ │ ◄───────────────┘ │ [x] Restarted │ Verify └───────────────────┘
CertKit manages issuance and renewal centrally using delegated DNS validation. You create a one-time CNAME record and CertKit handles every ACME challenge after that. Your file server does not run ACME, no open ports beyond FTPS itself, no DNS credentials. The agent writes the files and restarts the service locally.
CertKit makes what many companies struggle with much easier to manage while at the same time providing great value compared to the traditional vendors in the space.
Ben Story, Managed Services Director, RedEye Network Solutions
filezilla-server so every FTPS listener comes back
on the renewed certificate.
FileZilla Server can generate a self-signed certificate, and newer versions can even fetch one from Let's Encrypt. Self-signed trains every partner to click through security warnings, which defeats the point of FTPS, and breaks scripted transfers that verify what they connect to. The built-in ACME option needs the server reachable from the internet for validation, which is exactly the exposure most partner-facing file servers are built to avoid.
CertKit issues the certificate via delegated DNS validation handled centrally, so the file server proves nothing to anyone. The agent writes the files and restarts the service as one verified step, with no ACME client on the server and no DNS credentials on a machine whose job is moving sensitive files.
Most environments have more than one place where TLS certificates live: other transfer servers like CrushFTP, web servers like nginx, Apache, and IIS, and self-hosted applications like GitLab. CertKit automates all of it from one account.
Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.