This guide shows you how to install an SSL/TLS certificate on CompleteFTP, the Windows-based file-transfer server from Enterprise Distributed Technologies (EDT). The same certificate is used for FTPS (FTP over TLS) and for the HTTPS web file manager, so one import covers both. The steps below match current CompleteFTP releases and use the recommended PFX/PKCS#12 import path.
Generate the CSR on CompleteFTP
If you already generated your CSR and received the issued certificate files from your Certificate Authority, skip this section and go straight to the installation steps below.
The CSR (Certificate Signing Request) is a block of encoded text containing your contact details and public key. You submit it to the Certificate Authority when you order the certificate. You have two options:
- Generate the CSR automatically with our CSR Generator. The private key is generated outside CompleteFTP, so you will combine the issued certificate and key into a .pfx file before importing.
- Generate the CSR on the server itself by following our tutorial on how to generate a CSR on CompleteFTP. The private key stays inside CompleteFTP, and the CA returns the certificate files you import in the next section.
Submit the CSR to the Certificate Authority during your order and wait for validation. After the CA issues the certificate, continue with the installation below.
Install an SSL certificate on CompleteFTP
Once the CA emails the issued files, download the ZIP archive and extract it on the CompleteFTP server. You will typically have one of two file sets:
- A single .pfx (or .p12) file that bundles the certificate, the matching private key, and the CA chain. This is the simplest path and the one we recommend, especially when the CSR was generated outside CompleteFTP.
- A separate certificate file (typically .crt or .pem) plus the private key you kept from the CSR step. CompleteFTP 12.1 and later accept PEM directly; older builds prefer PFX.
If you only have separate files and need a single bundle, combine them with our SSL Converter, or run:
openssl pkcs12 -export \
-out yourdomain.pfx \
-inkey yourdomain.key \
-in yourdomain.crt \
-certfile ca-bundle.crt
Step 1: Open the Server Certificate setting in CompleteFTP Manager
- Launch CompleteFTP Manager on the server and log in as an administrator.
- In the left-hand Sites panel, select the site whose certificate you are replacing (the default site is fine for a single-site server).
- Under Settings, expand FTP/FTPS > Advanced FTP/FTPS Settings > Security Settings.
- Select Server Certificate (also used in HTTPS), then click the three-dot button on the right to open the certificate dialog.
The label is explicit on purpose: the same certificate is presented for FTPS (control and data channels) and for the HTTPS web file manager, so you only import once.
Step 2: Import the certificate
- In the Server Certificate window, click Import a certificate from a file (second link from the bottom).
- When the Importing Certificate prompt asks whether to overwrite the existing certificate, click Yes. CompleteFTP ships with a self-signed default that you replace at this step.
- Browse to your certificate file:
- PFX/PKCS#12 (recommended): select the .pfx or .p12 file and enter the export password when prompted. The certificate, private key, and CA chain are all loaded in one step.
- Separate files: select the CA-issued .crt or .pem file. If the private key is not embedded, CompleteFTP prompts you for the matching key file and, if encrypted, its password.
- Click OK to finish. The new certificate is applied for both FTPS and HTTPS on the selected site.
Step 3: Confirm the certificate is live
CompleteFTP applies the new certificate to new connections without a service restart. If clients have long-running sessions, force a reconnect, or restart the CompleteFTP Server service from services.msc so every channel picks up the new chain immediately.
Open the web file manager over https:// and check the padlock, or connect with an FTPS client such as FileZilla or WinSCP using Explicit FTP over TLS (FTPES) on port 21. Then run a deeper scan with our SSL Checker against the host and HTTPS port (port 443 by default, or whichever port HTTPS is bound to in your CompleteFTP site settings) to confirm the certificate, chain, and protocol support are correct.
Choosing the FTPS mode (explicit vs implicit)
CompleteFTP supports both FTPS modes on separate listener ports. Prefer explicit FTPS (FTPES) on port 21, which negotiates TLS via the AUTH TLS command. It is the modern standard and the default in most clients. Implicit FTPS on port 990 wraps the connection in TLS from the first byte and is treated as legacy; keep it enabled only for clients that cannot use FTPES. Disable plain FTP entirely once your clients are on FTPS.
Frequently Asked Questions
In CompleteFTP Manager, select your site in the Sites panel, then expand Settings > FTP/FTPS > Advanced FTP/FTPS Settings > Security Settings. Click Server Certificate (also used in HTTPS), then the three-dot button on the right to open the import dialog.
CompleteFTP accepts a single .pfx or .p12 file that bundles the certificate, private key, and chain, which is the simplest path. It also accepts separate PEM or CRT certificate files with a separate private key (PEM is supported from version 12.1 onward). For Microsoft tooling, .pvk private keys are also accepted.
No restart is required for new connections to use the new certificate. If you want every existing session to pick up the new chain immediately, restart the CompleteFTP Server service from services.msc (or the Linux equivalent), or have clients reconnect.
Yes. CompleteFTP intentionally labels the setting Server Certificate (also used in HTTPS). The certificate you import is presented for FTPS (both control and data channels) and for the HTTPS web file manager on the same site, so you import once and both services use the same chain.
Use explicit FTPS (FTPES) on port 21 whenever possible. The client connects in cleartext and upgrades to TLS with the AUTH TLS command; this is the modern standard supported by every current FTPS client. Implicit FTPS on port 990 is considered legacy and should be enabled only for old clients that cannot negotiate explicit TLS.
Renewal is a fresh issuance: generate a new CSR, order the renewal, then repeat the import steps above with the new .pfx file. Public TLS certificates are currently capped at about one year (398 days), so plan to renew annually, or automate the cycle with ACME where supported.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10


