How to generate self-signed X.509 certificates (CLI)
Self-signed X.509 certificates can be used for FTPS and for the Web Administration's HTTPS endpoint.
This page shows three ways to generate one: the bundled burusftp certgen utility, Windows PowerShell, and OpenSSL.
Generate a certificate
All three methods produce a password-protected .pfx file containing the certificate and its private key.
Replace the subject (CN=), password, and output filename with real values.
Using burusftp certgen
burusftp certgen writes two files next to filename: filename.pfx (certificate with private key) and filename.crt (certificate only).
Running it without options produces an RSA 4096-bit certificate with SHA-256, a CN=localhost subject, and one year of validity.
# Default: RSA 4096-bit, SHA-256, CN=localhost, 12 months
burusftp certgen certfile
# ECDSA P-384, SHA-384, CN=my-domain.com with SANs, 10 years
burusftp certgen -t ecdsa -b 384 -h sha-384 -s "CN=my-domain.com" -m 120 -a "my-domain.com, www.my-domain.com" certfile
For the full list of options, see the burusftp certgen reference.
Using PowerShell
# Create the certificate in the current user's Windows certificate store.
# Use 'Cert:\LocalMachine\My' instead for the machine-wide store (requires an elevated session).
$cert = New-SelfSignedCertificate -Subject 'CN=yourdomain.com' -KeyLength 4096 -CertStoreLocation 'Cert:\CurrentUser\My'
# Export the certificate and its private key to a password-protected .pfx file.
$password = 'yourpassword' | ConvertTo-SecureString -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath certfile.pfx -Password $password
Using OpenSSL
If openssl is available on the machine, the following two commands generate an RSA 4096-bit certificate valid for 400 days and package it as a .pfx:
openssl req -x509 -newkey rsa:4096 -sha256 -keyout certfile.key -out certfile.crt -subj "/CN=yourdomain.com" -days 400
openssl pkcs12 -export -name "certfile" -out certfile.pfx -inkey certfile.key -in certfile.crt
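The OpenSSL procedure above as a non-interactive script, followed by checks that the resulting .pfx holds the expected certificate and its matching private key. This is an added example, not part of the original page: it also sets a subjectAltName (as the certgen -a example does), assumes OpenSSL 1.1.1 or later, and the names make_pfx, pfx_fingerprint, pfx_key_matches and PFX_PASS are chosen here.

```shell
#!/bin/sh
# Added example (not from the original page). Assumes OpenSSL 1.1.1+ for -addext.
# The password is read from the exported PFX_PASS environment variable so it
# never appears on a command line or in the process list.

# make_pfx <basename> <cn> <days>
# Writes <basename>.crt and <basename>.pfx, then removes the loose key file.
make_pfx() (
    base=$1; cn=$2; days=$3
    umask 077                       # key and .pfx readable by the owner only
    openssl req -x509 -newkey rsa:4096 -sha256 \
        -keyout "$base.key" -out "$base.crt" \
        -subj "/CN=$cn" -addext "subjectAltName=DNS:$cn" \
        -days "$days" -passout env:PFX_PASS &&
    openssl pkcs12 -export -name "$base" -out "$base.pfx" \
        -inkey "$base.key" -in "$base.crt" \
        -passin env:PFX_PASS -passout env:PFX_PASS &&
    rm -f "$base.key"               # the key now lives inside the .pfx
)

# pfx_fingerprint <file.pfx>
# Prints the SHA-256 fingerprint of the certificate stored in the .pfx.
pfx_fingerprint() {
    openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

# pfx_key_matches <file.pfx>
# Succeeds only if the private key in the .pfx belongs to its certificate.
# The decrypted key travels through a pipe and is never written to disk.
pfx_key_matches() {
    cert_pub=$(openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkcs12 -in "$1" -passin env:PFX_PASS -nocerts -nodes 2>/dev/null |
        openssl pkey -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Typical use:
#   export PFX_PASS='yourpassword'
#   make_pfx certfile yourdomain.com 400
#   pfx_fingerprint certfile.pfx && pfx_key_matches certfile.pfx
```

Record the fingerprint printed by pfx_fingerprint and compare it with what FTPS clients or browsers display on first connection, since a self-signed certificate has no CA to vouch for it.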