Why can't I use an IIS-generated certificate for loading access logs over SSL(FTPS)?

FAQ ID:    FAQ2030
Version:    2.0
Status:    Published
Published date:    03/27/2012
Updated:    09/25/2013


You cannot use an IIS-generated self-signed certificate to load access logs over SSL because the certificate that IIS creates is not complete.  As a security device, the ProxySG appliance will not accept an incomplete certificate.
Workaround: Create a self-signed certificate using OpenSSL and import it into IIS. Here are the steps:
  1. Generate the private key on the Linux/Unix/Cygwin host: > openssl genrsa -des3 -out ftpvm.key 1024.
  2. Generate a CSR: > openssl req -new -key ftpvm.key -out ftpvm.csr
  3. Remove Passphrase from Key. One side-effect of the pass-phrased private key is that ftpvm will ask for the pass-phrase each time the FTP server is started.: > openssl rsa -in ftpvm.key.org-out ftpvm.key
  4. Generating a Self-Signed Certificate: > openssl x509 -req -days 365 -in ftpvm.csr -signkey ftpvm.key -out ftpvm.crt
  5. With the above key material create a .pfx file using converter at: https://www.sslshopper.com/ssl-converter.html
  6.  Import the certificate into IIS 7.5: >IIS manager > Machine name > IIS > Server Certificates > import
  7. For the FTP site, set the FTP SSL Settings to use this imported cert.
General observations:
  • The cert CN name MUST match the primary FTP server name in the access log client configuration.
  • This same certificate, as created above, must be imported into CA certificate list,  and put into browser trusted in the ProxySG.
For more information see:


Rate this Page

Please take a moment to complete this form to help us better serve you.

Did this document help answer your question?
If you are finished providing feedback, please click the RATE CONTENT button. Otherwise, please add more detail in the following text box and then click RATE CONTENT.

Your response will be used to improve our document content.

Ask a Question