Handling SSL Certificates (When Running a Script while not Logged In)

Setting up the TE to connect to an FTP server over SSL (via scripting) involves several steps. Follow the instructions below carefully.

You must know whether the server requires only a server certificate (the usual case) or both a server certificate and a client certificate, because the setup steps differ.

Server Certificates

Most FTP SSL servers provide a certificate to the client during authentication. The certificate proves the server's identity to the client. The server's certificate must be added to the client's Trusted Certificate store before any connection is attempted; otherwise the TE waits for someone to accept the unknown certificate, and because no one is logged in to answer the prompt, it appears to lock up during authentication.

To add the SSL certificate to the client's Trusted Certificate store

  1. Export or obtain a copy of the server's certificate from the FTP server administrator. Otherwise, connect to the server with the CuteFTP GUI (interface) from the developer computer and manually accept the server's certificate. Before you accept it, compare the fingerprint shown in the prompt with the value the administrator gives you out of band; accepting blindly trusts whatever certificate was presented at that moment, including one from an intercepting host. You can then export it from the Trusted List under Global Options > Security > SSL Security to a staging directory of your choice.

  2. Place/Install the certificate into the target computer's Default User directory. For example:

C:\Documents and Settings\Default User\Application Data\GlobalSCAPE\CuteFTP Pro\Security

  3. If you will also be running the TE while logged in, place a copy of the server certificate under the USER folder on the target computer, as follows:

C:\Documents and Settings\[USERNAME]\Application Data\GlobalSCAPE\CuteFTP Pro\Security

- where [USERNAME] is the login name for the user.

  4. Configure the TE to auto-accept SSL or SSH certificates using the AutoCloseMethod parameter of the Option method. Also refer to the troubleshooting topic on running the TE while not logged in.

Now when you connect, the TE finds the server's certificate in the trusted store and proceeds with the connection.

Client Certificates

Some FTP SSL servers require that the client provide a certificate. The certificate proves the authenticity of the client and is an important factor in rejecting unauthorized FTP clients masquerading as legitimate ones.

To set up the target system to use client certificates

  1. On the developer computer, create the client certificate and private key pair using the CuteFTP GUI (interface). The certificate creation utility is located under the Tools > Global Settings > Security > SSL dialog.

  2. Add the client certificate to the server's trusted list. Do this by connecting to the server with the CuteFTP GUI (interface) from the developer computer. On the server, move the certificate from the Pending to the Trusted list. If your server only has a Trusted list, manually import the client certificate into the Trusted list.

  3. Place the client certificate and private key into the target computer's USER folder:

C:\Documents and Settings\[USERNAME]\Application Data\GlobalSCAPE\CuteFTP Pro\Security

- where [USERNAME] is the login name for the user.

  4. If you created the certificate set on the developer computer, export the following registry key (the key name must match exactly what regedit shows on that computer):

HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP Professional\Settings\SecuritySSL

  5. Import the registry key from step 4 onto the target computer, or manually create the necessary entries. The entries are shown in standard .reg file notation.

REGEDIT4

[HKEY_CURRENT_USER\Software\GlobalSCAPE\CuteFTP Pro\Settings\SecuritySSL]
"SSLCertificate"="C:\\Documents and Settings\\[USERNAME]\\Application Data\\GlobalSCAPE\\CuteFTP Pro\\Security\\client.crt"
"SSLPrivateKey"="C:\\Documents and Settings\\[USERNAME]\\Application Data\\GlobalSCAPE\\CuteFTP Pro\\Security\\client.key"
"UseSSLCertificate"=dword:00000001
"UseSSLCertPassphrase"=dword:00000001
"ReuseSSLData"=dword:00000000
"WarnWhenToNonSecure"=dword:00000001
"DataTransportMethod"=dword:00000001
"SSLCertPassphrase"="[PASSWORD]"

- where [USERNAME] is the login name for the target system and [PASSWORD] is the encrypted passphrase exported from the source computer. Do not modify the passphrase value! Note that the exported .reg file and client.key together are enough to impersonate your client to the server: transfer them over a protected channel, delete the staging copies once the import is done, and restrict the Security folder so that only the account running the TE can read it.

At the next connection, the TE finds the client certificate and uses it to authenticate with the server.
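The following script, added here as an example and not part of CuteFTP's own tooling, carries out the server-certificate and client-certificate deployment steps above on the target computer in PowerShell and verifies the result. It assumes the exported files were copied to C:\staging under the names server.crt, client.crt, client.key and SecuritySSL.reg, that you run it in an elevated session while logged in as the account that will run the TE script (the SecuritySSL key lives under HKEY_CURRENT_USER), and that the registry key is the one shown in the .reg listing above; check that name against regedit on the developer computer before running it. The thumbprint parameter is the SHA-1 fingerprint the FTP administrator gives you; the script refuses to install a server certificate that does not match, which is the check that step 1 of the server procedure otherwise leaves to whoever clicks Accept.

```powershell
# Added example, not GlobalSCAPE code: deploy the server and client certificate
# files exported from the developer computer into the locations described
# above, fix up the imported registry values, and verify what the TE will see.
# Run in an elevated PowerShell session while logged in as the account that
# will run the TE script, because SecuritySSL lives under HKEY_CURRENT_USER.
param(
    [string]$Staging       = 'C:\staging',                 # assumed staging directory
    [string]$TargetUser    = $env:USERNAME,                # account that runs the scheduled script
    [string]$ProfileRoot   = 'C:\Documents and Settings',  # profile layout used in this topic
    [string]$AppDataSubdir = 'Application Data',           # 'AppData\Roaming' on Vista and later
    [string]$ServerCert    = 'server.crt',                 # assumed file names
    [string]$ClientCert    = 'client.crt',
    [string]$ClientKey     = 'client.key',
    [string]$RegExport     = 'SecuritySSL.reg',
    # SHA-1 thumbprint of the server certificate, obtained from the FTP
    # administrator out of band. Replace the placeholder before running.
    [string]$ExpectedThumb = '0000000000000000000000000000000000000000'
)
$ErrorActionPreference = 'Stop'

# Refuse to install a server certificate whose thumbprint is not the expected
# one. Accepting the certificate in the GUI is trust-on-first-use; this makes
# it a verified pin. Works for DER or PEM encoded .crt files.
function Assert-Thumbprint([string]$Path, [string]$Expected) {
    $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    $actual = $cert.Thumbprint.ToUpperInvariant()
    $want   = ($Expected -replace '[:\s]', '').ToUpperInvariant()
    if ($actual -ne $want) {
        throw "Thumbprint mismatch for ${Path}: got $actual, expected $want. Not installing."
    }
    Write-Host "Server certificate OK: $($cert.Subject), expires $($cert.NotAfter)"
}

# Per-profile folder where the TE looks for certificates and keys.
function Get-SecurityFolder([string]$Profile) {
    Join-Path $ProfileRoot "$Profile\$AppDataSubdir\GlobalSCAPE\CuteFTP Pro\Security"
}

# Copy one staged file into a Security folder and return its new full path.
function Install-File([string]$Source, [string]$Folder) {
    New-Item -ItemType Directory -Force -Path $Folder | Out-Null
    Copy-Item -Path $Source -Destination $Folder -Force
    Join-Path $Folder (Split-Path -Leaf $Source)
}

$defaultSec = Get-SecurityFolder 'Default User'
$userSec    = Get-SecurityFolder $TargetUser

# Server certificate: verify it, then place it under Default User (used when
# nobody is logged in) and under the target user's profile (used when logged in).
Assert-Thumbprint (Join-Path $Staging $ServerCert) $ExpectedThumb
Install-File (Join-Path $Staging $ServerCert) $defaultSec | Out-Null
Install-File (Join-Path $Staging $ServerCert) $userSec    | Out-Null

# Client certificate and private key go into the user's Security folder only.
$certDest = Install-File (Join-Path $Staging $ClientCert) $userSec
$keyDest  = Install-File (Join-Path $Staging $ClientKey)  $userSec

# The private key is what proves the client's identity: drop inherited ACLs so
# only the TE account and Administrators can read it (icacls: Vista and later).
& icacls $keyDest /inheritance:r /grant:r "${TargetUser}:(R)" 'Administrators:(F)' | Out-Null
if ($LASTEXITCODE -ne 0) { throw "icacls failed on $keyDest" }

# Import the SecuritySSL key exported from the developer computer. It carries the
# encrypted SSLCertPassphrase, which must be copied unchanged, but its
# SSLCertificate and SSLPrivateKey values still name the developer's profile
# folder, so point those two at this computer's copies.
& reg import (Join-Path $Staging $RegExport) | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg import of $RegExport failed" }
$key = 'HKCU:\Software\GlobalSCAPE\CuteFTP Pro\Settings\SecuritySSL'   # assumed to match the exported key
Set-ItemProperty -Path $key -Name SSLCertificate -Value $certDest
Set-ItemProperty -Path $key -Name SSLPrivateKey  -Value $keyDest

# Verify what the TE will find at its next connection.
$ssl = Get-ItemProperty -Path $key
foreach ($p in @($ssl.SSLCertificate, $ssl.SSLPrivateKey)) {
    if (-not (Test-Path -LiteralPath $p)) { throw "Registry points at a missing file: $p" }
}
if ($ssl.UseSSLCertificate -ne 1)                    { throw 'UseSSLCertificate is not 1' }
if ([string]::IsNullOrEmpty($ssl.SSLCertPassphrase)) { throw 'SSLCertPassphrase was not imported' }

# The staged private key and the .reg file (which contains the passphrase) are
# credentials; do not leave them in the staging directory.
Remove-Item -LiteralPath (Join-Path $Staging $ClientKey), (Join-Path $Staging $RegExport) -Force
Write-Host 'SSL certificate deployment verified.'
```

Run it once as the TE account, passing -ExpectedThumb with the fingerprint from the administrator. The profile layout defaults to the one used throughout this topic; on later Windows versions pass -ProfileRoot C:\Users and -AppDataSubdir AppData\Roaming (and note that the default profile there is named Default rather than Default User). If the script stops at the registry step, the key name in the exported .reg file does not match the one assumed in $key; correct one or the other rather than recreating the passphrase value by hand.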

Example

Below is a sample script that connects to a fictitious site running SSL Implicit over port 990. It also writes to the Application event log for debugging purposes, which is the only place you can see its progress when it runs while no one is logged in. If you use this script to test your setup, change the MySite.Host line to your actual FTP SSL server host and login information.

' test.vbs
' Logs each stage to the Application event log (source WSH) so that a run
' started by the scheduler can be followed from Event Viewer.
Const EVENT_SUCCESS = 0
Const EVENT_ERROR = 1

Set objShell = WScript.CreateObject("WScript.Shell")
objShell.LogEvent EVENT_SUCCESS, "AT loaded me"

Set MySite = CreateObject("CuteFTPPro.TEConnection")
' With ThrowError set, a failed Connect raises a script error instead of
' returning silently; it is trapped below so the failure reaches the event log.
MySite.Option("ThrowError") = True
' Implicit SSL on port 990. Select the protocol explicitly rather than relying
' on the port number alone. The credentials are stored in clear text in this
' file, so restrict who can read it.
MySite.Protocol = "FTPS"
MySite.Host = "ftp://myuser:mypass@ftp.mysslserver.com:990"
objShell.LogEvent EVENT_SUCCESS, "vars set"

On Error Resume Next
MySite.Connect
If Err.Number <> 0 Then
    ' A lock-up here usually means the server certificate is not in the
    ' trusted store of the profile the TE is running under (see above).
    objShell.LogEvent EVENT_ERROR, "connect failed: " & Err.Description
    Err.Clear
Else
    objShell.LogEvent EVENT_SUCCESS, "connected"
    MySite.Disconnect
End If
On Error GoTo 0

MySite.Close