# Encryption and Certificates

By default a self-signed certificate is used. You may upload your own signed certificates or automatically provision them through Let's Encrypt. This configuration applies to both FTPS and HTTPS.

# Using Custom Certificates

  1. Upload the certificate files to the server.

  2. Add, or modify if already present, the following settings in the application configuration file:

tls_certificate: /etc/filemage/cert.pem
tls_certificate_key: /etc/filemage/key.pem

Your certificate is now active and used by the server.

# Let's Encrypt Automatic Certificates

FileMage Gateway can be configured to automatically request and renew TLS certificates from Let's Encrypt using the ACME protocol, using the http-01 challange type.

In order for this to work you must:

  • Create a DNS entry under a custom domain (Azure domains will not work) which resolves to your FileMage Gateway virtual machine public IP address.
  • Make port 80 and 443 publicly reachable to your FileMage Gateway virtual machine.

Note

You may not exceeded the maximum number of certificates and certificate requests allowed by Let's Encrypt. (See Rate Limits)

# Enabling Automatic Certificates

  1. Create a public DNS record that resolves to the servers public IP address.

  2. Add, or modify if already present, the following settings in the application configuration file:

acme_use_auto_tls: true
acme_hostname: <PUBLIC_DNS_NAME>

Let's Encrypt is now enabled and signed certificates will automatically be issued and renewed for free.

# Converting PFX Certificates

PFX certificates must be converted to PEM format to be used by the application.

Note

When exporting your PFX certificate, make sure to include all intermediary certificates.

  1. Extract the private key and decrypt it.
openssl pkcs12 -in certificate.pfx -nocerts -out key-encrypted.pem
openssl rsa -in key-encrypted.pem -out key.pem
  1. Extract the server and intermediary certificates.
openssl pkcs12 -in certificate.pfx -nokeys -out cert.pem

# Uploading Files to a Linux Host

On Windows, you may install PuTTY, which includes PSCP (SCP for Windows).

pscp -scp cert.pem ubuntu@198.51.100.0:/etc/filemage/
pscp -scp key.pem ubuntu@198.51.100.0:/etc/filemage/

On Linux, you may use the included scp command.

scp cert.pem ubuntu@198.51.100.0:/etc/filemage/
scp key.pem ubuntu@198.51.100.0:/etc/filemage/