3

I've been asked by a third party to setup an FTPS site for them to connect to.

I am doing this on IIS 10.

It is required that the third-party client uses a client certificate which is tied to the FTP user.

I have tested this and got everything to work perfectly using a self-signed client certificate.

However, it is also required that the client certificate is signed by a trusted CA.

I am familiar with generating server certificates using win-acme - but I'm not sure it's possible to generate a client certificate [not tied to a domain] using win-acme.

I have tried generating client certificates using win-acme, however, since the certificate is to be tied to a username rather than a domain name, I can see no way of verifying the certificate.

How do I go about obtaining a trusted client certificate which can be tied to an FTP user and used by the third party to connect to the FTP site?

Many thanks in advance for any help.

readyStateFail
  • 33

1 Answers1

4

"Trusted" in the usual sense (i.e. worldwide) is not useful here.

As far as "web" CAs go, it is only useful for email (S/MIME) certificates, which interact with all kinds of random entities (and which are based on a worldwide identity to begin with) so having a pre-existing set of trusted CAs is useful there – but they have different scopes and requirements from TLS client certificates. It makes no sense to have the same requirement for a TLS client certificate, because:

  1. Client software has no reason to care about trust of its own client certificate; it's only ever verified by the server.

    As an extension of this point, the set of systems that handle the certificate is known and limited, so there's little gain in having the certificate be issued by a pre-installed CA – it's easy enough to deploy the CA to the one (1) system that needs it.

  2. The certificate will represent a type of identity – a Windows domain user – that is meaningless outside of that domain, and cannot be validated by an external CA.

    And if a CA has no way to certify the identity, then it cannot issue a certificate for that. It doesn't matter if it's done via ACME or not, an external CA is just not in position to issue certificates with your internal AD usernames.

So instead, you should become the certifier – i.e. you should create an internal CA (e.g. using Active Directory Certificate Services) and make the IIS server "trust" that CA, either manually or via GPO.

Using AD CS is the easy option because it already comes with the correct templates that AD software will like; certificate issuance is already bound to Windows accounts; etc. But I'm pretty sure it is possible to map any random certificate to any Active Directory account, so if you want, you could go with XCA or Smallstep or Easy-RSA.

(Before you ask, no, there's absolutely nothing wrong with using different CAs for client and server certificates – it's not going to break TLS.)

grawity
  • 501,077