← Integrations

Automated TLS certificate renewal for FileZilla Server

FileZilla Server won't pick up a renewed FTPS certificate on its own. CertKit will.

FileZilla Server terminates FTPS with a certificate and key configured in its TLS settings. When the certificate renews, the server keeps serving the old one until someone replaces the files and restarts the service. Every 47 days. On every FileZilla Server you run.

CertKit centralizes certificate issuance and renewal, then writes the renewed certificate to your FileZilla Server via the CertKit Agent and restarts the service so FTPS comes back on the current certificate.

Start free trial Watch demo

Built for FileZilla Server

The CertKit Agent discovers FileZilla Server and its certificate paths on its own. No scripting required.

The CertKit Agent finds FileZilla Server in its certificate inventory, including the certificate and key files its TLS settings point at. On every renewal it writes the new files and restarts the filezilla-server service, on Windows or Linux, so every FTPS listener presents the current certificate.

Point CertKit at the discovered config once. CertKit handles every renewal after that.

How to install an SSL certificate on FileZilla Server

The manual process, if you want to do it yourself:

  1. Get a certificate for the hostname clients connect to. Skip the "generate new certificate" button. That makes a self-signed certificate every client warns about, and scripted transfers that verify certificates refuse it outright.
  2. Convert to PEM if needed. FileZilla Server wants the certificate (with its chain) and the private key as PEM files.
  3. Point the TLS settings at the files. In the Administration interface, open the server's FTP and FTPS settings and set the certificate and key paths, or overwrite the files already configured.
  4. Restart the service. Restart filezilla-server so active listeners pick up the new certificate.
  5. Verify with a real FTPS client. Connect with explicit TLS and confirm the certificate presented is the new one, then repeat on every server.

Every one of these steps is manual, and FileZilla Server won't repeat any of them for you when the certificate renews. With lifetimes shrinking to 47 days, installation stops being an annual chore and becomes a recurring task: eight times a year, on every server. Miss one and a partner's automated transfer fails the TLS handshake at 2am.

At 47 days, automation is the only sustainable way to run FTPS certificates. Here's how CertKit does it.

How it works

 Your FileZilla server     CertKit                 ACME CA
┌───────────────────┐     ┌──────────────────┐    ┌─────────────┐
│                   │     │                  │    │             │
│     ┌───────────────┐   │  Issue & Renew   │◄──►│             │
│     │ CertKit Agent │◄──┤   Certificates   │    │             │
│     └─────────┬─┬───┘   │                ┌───┐  └─────────────┘
│               │ │ │     └───────────┬────│DNS│
│ Cert + key  ◄─┘ │ │                 │    └───┘
│ [x] Written     │ │                 │
│                 │ │                 │
│ FTPS service ◄──┘ │ ◄───────────────┘
│ [x] Restarted     │       Verify
└───────────────────┘

CertKit manages issuance and renewal centrally using delegated DNS validation. You create a one-time CNAME record and CertKit handles every ACME challenge after that. Your file server does not run ACME, no open ports beyond FTPS itself, no DNS credentials. The agent writes the files and restarts the service locally.

CertKit makes what many companies struggle with much easier to manage while at the same time providing great value compared to the traditional vendors in the space.

Ben Story, Managed Services Director, RedEye Network Solutions

What CertKit handles

Setup takes about ten minutes

  1. Connect your domain. Add a one-time CNAME record to delegate DNS validation to CertKit. Every renewal challenge after that is automatic.
  2. Install the CertKit Agent on the file server. One command on the Windows or Linux host running FileZilla Server. The agent runs as a background service and needs no inbound firewall rules.
  3. Attach the discovered FileZilla config. The agent's inventory shows the server and its certificate paths. Attach the renewed certificate to it and CertKit writes the files and restarts the service on every renewal.

See the full architecture →

Why not the built-in certificate options?

FileZilla Server can generate a self-signed certificate, and newer versions can even fetch one from Let's Encrypt. Self-signed trains every partner to click through security warnings, which defeats the point of FTPS, and breaks scripted transfers that verify what they connect to. The built-in ACME option needs the server reachable from the internet for validation, which is exactly the exposure most partner-facing file servers are built to avoid.

CertKit issues the certificate via delegated DNS validation handled centrally, so the file server proves nothing to anyone. The agent writes the files and restarts the service as one verified step, with no ACME client on the server and no DNS credentials on a machine whose job is moving sensitive files.

FileZilla Server is just one server that needs a certificate

Most environments have more than one place where TLS certificates live: other transfer servers like CrushFTP, web servers like nginx, Apache, and IIS, and self-hosted applications like GitLab. CertKit automates all of it from one account.

See all integrations

Start automating FileZilla Server certificates today

Free 90-day trial. No credit card required. Direct access to our engineering team to get you set up.

Start free trial See pricing