bg-tutorials

How to Install an SSL Certificate on FileZilla Server

In this tutorial, you will learn how to install an SSL certificate on FileZilla Server to enable FTP over TLS (FTPS), so logins and file transfers are encrypted. The steps cover the modern FileZilla Server 1.x administration interface, with notes for the legacy 0.9.x version.

Generate a CSR code on FileZilla Server

Your first step when dealing with SSL certificates is to create a Certificate Signing Request (CSR) and send it to the Certificate Authority (CA). The CSR contains your contact data encoded in a block of text. After you submit it, the CA verifies your website or company identity and signs your SSL certificate.

You have two options:

Next, open the CSR file with any text editor, such as Notepad, and copy its full content, including the —–BEGIN CERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– tags. Paste it during your SSL certificate order.

After you submit the CSR and complete the validation process, your SSL files arrive in your email inbox. You will use them during the installation below.

Install an SSL certificate on FileZilla Server

FileZilla Server changed significantly with version 1.0. The modern releases (1.x) use a redesigned administration interface where you connect to the server engine and configure it through Server then Configure. The legacy 0.9.x line used a different dialog reached through Edit then Settings. The steps below cover the current 1.x interface first, with a note for 0.9.x at the end.

Step 1: Prepare your files

Here is what you need for the installation:

  • Your server certificate in PEM format. It is in the ZIP archive you received from your CA after validation.
  • The intermediate certificate(s), also called the CA bundle, included in the same archive.
  • Your private key (the .key file). This stays on your server, since you created it together with the CSR.

FileZilla Server expects a single certificate file that contains the full chain. Combine your server certificate and the intermediate certificate(s) into one PEM file, with the server certificate first, followed by the intermediates. You do not need to include the root CA. A combined file looks like this:

-----BEGIN CERTIFICATE-----
(your server certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate certificate)
-----END CERTIFICATE-----

Save the combined file somewhere stable on the server, for example next to your private key. Note the full paths to both files, because FileZilla Server needs absolute paths. If you enter only a file name, the engine may silently store a bare name and later log Could not load certificate file errors when a client connects over FTPS.

Step 2: Open the FTP over TLS settings

Launch the FileZilla Server administration interface and connect to your server. Then open the configuration:

  • From the top menu, select Server, then Configure (you can also press Ctrl+F).
  • In the left pane of the configuration dialog, select FTP over TLS settings.

Step 3: Enable FTPS and load your certificate

In the FTP over TLS settings panel:

  • Tick Enable FTP over TLS support (FTPS).
  • Enter the certificate and key by typing or browsing to their paths in the fields below. (Some builds also offer an import button to load an existing certificate and key at once. The Generate new certificate button is separate: it creates a self-signed certificate, which browsers and clients do not trust, so use it only for testing, not for a CA-issued certificate.)
  • In the Private key file field, enter or browse to the full absolute path of your .key file.
  • In the Certificate file field, enter or browse to the full absolute path of the PEM file that holds your server certificate followed by the intermediate(s).
  • If your private key is protected by a password, enter it in the Key password field. If you generated the CSR and key with OpenSSL and did not set a passphrase, leave this field blank.

While you are here, it is a good idea to harden the listener: tick Disallow plain unencrypted FTP so every connection is encrypted. Modern FileZilla Server negotiates TLS 1.2 and TLS 1.3 by default.

Step 4: Apply the changes

Click Apply to save the configuration, then close the dialog with OK. FileZilla Server reloads the certificate without a full reinstall. If the engine reports an error, recheck that both paths are absolute and that the certificate file lists the server certificate before the intermediates.

Congratulations, you have installed an SSL certificate on FileZilla Server.

Using legacy FileZilla Server 0.9.x? Open the local server interface, go to Edit, then Settings, and select SSL/TLS settings (labeled FTP over TLS settings in some builds). Check Enable FTP over SSL/TLS support, point Private key file and Certificate file at your .key and combined PEM, set the Key password if any, and click OK. The 0.9.x line is no longer maintained, so upgrading to 1.x is recommended.

Test your SSL installation

After installing the certificate, check the configuration for errors before relying on it. The quickest test is to connect with a client: in FileZilla Client, set the protocol to FTP with encryption Require explicit FTP over TLS, connect, and confirm the certificate details match your domain and CA.

You can also verify the certificate served on your FTPS control port from the command line. Replace the host and port with your own (explicit FTPS usually listens on port 21):

openssl s_client -connect ftp.yourdomain.com:21 -starttls ftp

OpenSSL prints the certificate chain and validity dates, so you can confirm the right certificate is loaded and the intermediates are present. For a broader check of your certificate, use our SSL Checker, which gives an instant scan and report.

Frequently Asked Questions

Where do I install the certificate in FileZilla Server 1.x?

Open the administration interface, go to Server then Configure, and select FTP over TLS settings in the left pane. Tick Enable FTP over TLS support (FTPS), then set the Private key file and Certificate file paths and click Apply.

What is the difference between FileZilla Server 1.x and 0.9.x for SSL?

Version 1.0 introduced a fully rewritten administration interface. In 1.x you open the configuration through Server then Configure, while the legacy 0.9.x line used Edit then Settings. The certificate fields are the same in concept (private key file plus certificate file), but the menus and dialog differ. The 0.9.x branch is no longer maintained.

Do I need to combine the certificate and CA bundle for FileZilla Server?

Yes. FileZilla Server reads one certificate file, so concatenate your server certificate and the intermediate certificate(s) into a single PEM file, with the server certificate first and the intermediates after it. Do not add the root CA. Point the Certificate file field at this combined PEM.

Why does FileZilla Server report “Could not load certificate file”?

This usually means the path is not absolute. If you enter only a file name, the engine may store the bare name and fail to find the file later. Re-open FTP over TLS settings and enter the full absolute path for both the Private key file and the Certificate file.

Should I leave the key password blank?

Leave the Key password field blank if your private key has no passphrase, which is the case for a key generated with OpenSSL without one. If you protected the key with a password when you created it, enter that password so FileZilla Server can read the key.

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

A detailed image of a dragon in flight
Written by

I've been writing for SSL Dragon for over 10 years, focusing entirely on SSL certificates and digital security. My job is to take complex cybersecurity topics and strip away the jargon, making sure you get the clear, practical information you need to keep your website safe.