How to export an OES eDir certificate for use by FTP-TLS (aka FTP-SSL, aka FTP-S)

  • 7013457
  • 15-Oct-2013
  • 09-Apr-2018

Environment

Novell Open Enterprise Server 11 (OES 11) Linux

Situation

This document is specifically targeted to those who wish to export an SSL certificate from eDirectory for use by OES's "Novell FTP" (which is an enhanced version of pure-ftpd).

Alternatively, if a brand new certificate is desired (rather than one from eDirectory), the instructions in /usr/share/doc/packages/pure-ftpd/README.TLS can be used instead of the solution below.

Resolution

1. If the OES FTP server is already using a working PEM file for FTP-TLS, it would be best to rename / save it as a backup:
mv /etc/ssl/private/pure-ftpd.pem /etc/ssl/private/pure-ftpd.pem.sav

2. Export the SSL CertificateIP or SSL CertificateDNS Trusted Root certificate (including the private key) to a .pfx file and copy it to the SLES OES box, with these steps. (These steps were created using Internet Explorer 9; other browsers may vary slightly.)

a. In iManager --> Directory Administration --> Modify Object.

b. Browse to (and select) "SSL CertificateIP - SERVERNAME" (or "SSL CertificateDNS - SERVERNAME"), where "SERVERNAME" is the name of the OES server where Novell OES FTP will be running. The Certificate object will be located in the same container as the OES Server object. After it is selected, click "Ok" to proceed.

c. Click on the "Certificates" tab and make sure "Trusted Root Certificate" is the selected sub-tab. (With some browsers, this might be a drop down menu instead.)

d. Check the box next to the Trusted Root Certificate. Then click Export.

e. Select the certificate from the drop-down menu. Also, make sure "export private key" is checked.

f. Enter (and re-enter, to verify) a password. (This password will be entered again in step 3, where it is also removed from the extracted key.)

g. Click the NEXT button.

h. Click the link to "Save the exported certificate".

i. After the PFX file has downloaded, click the "Close" button in iManager, which will return you to the Trusted Root tab.

j. The cert will likely be called "cert.pfx" in the download location. Copy this PFX file to the OES box where Novell FTP will be running, into the path /etc/ssl/private/cert.pfx. (Create the path if necessary.)

k. Permissions mode should be set restrictively on this path and file:
chmod 700 /etc/ssl/private
chmod 600 /etc/ssl/private/cert.pfx

3. Execute the following command to extract the necessary contents from the pfx into a pem file (this path is where pure-ftpd looks for its certificate by default):

openssl pkcs12 -in /etc/ssl/private/cert.pfx -clcerts -nodes -out /etc/ssl/private/pure-ftpd.pem

Enter the password used in step 2f when prompted. The -nodes option writes the private key into the pem file unencrypted, so the file must be readable only by its owner (root).

Set restrictive permissions on the new file:
chmod 600 /etc/ssl/private/pure-ftpd.pem

4. The FTP server can be told to allow secure connections with the "TLS 1" setting in /etc/pure-ftpd/pure-ftpd.conf. See the comments in that file for more details.

5. Restart pure-ftpd with:
rcpure-ftpd restart
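As an added example (not part of this TID), the following POSIX shell script carries out step 3 and then checks the resulting pem file before steps 4 and 5 are performed: that it holds both a certificate and an unencrypted key, that the two belong together, that it is mode 600, and that TLS is switched on in pure-ftpd.conf. The paths are the TID's defaults; the PFX_PASS variable, the function names and the use of openssl's env: password source are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the TID: run step 3, then verify the resulting PEM
# before pointing pure-ftpd at it. Paths are the TID's defaults; PFX_PASS and
# the function names are this example's own, not pure-ftpd's or OES's.

# Step 3: extract the certificate plus unencrypted private key into one PEM.
# With PFX_PASS exported, the PFX password is read from the environment (so it
# never appears in `ps` output); otherwise openssl prompts, as the TID describes.
# An OpenSSL 3.x client reading an RC2-encrypted PFX additionally needs -legacy.
extract_pem() {
    pfx=$1; pem=$2; passopt=""
    [ -n "$PFX_PASS" ] && passopt="-passin env:PFX_PASS"
    # umask 077 in a subshell: the PEM is created mode 600, never briefly world-readable
    ( umask 077 && openssl pkcs12 -in "$pfx" -clcerts -nodes $passopt -out "$pem" ) || return 1
    chmod 600 "$pem"
}

# pure-ftpd loads one file that must hold both the certificate and its key.
pem_has_cert_and_key() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -Eq -- '-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$1"
}

# -nodes must have left the key unencrypted: a daemon cannot type a passphrase.
pem_key_is_unencrypted() {
    ! grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# The chmod 600 from step 3: only the file's owner may read the private key.
pem_mode_ok() { [ "$(stat -c %a "$1")" = "600" ]; }

# The certificate and key in the file must be a pair: compare their public keys
# (both openssl commands skip the PEM blocks they are not looking for).
pem_key_matches_cert() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Step 4: "TLS 1" (offer TLS) or a higher TLS level must be set in pure-ftpd.conf.
tls_enabled_in_conf() {
    grep -Eq '^[[:space:]]*TLS[[:space:]]+[1-3]([[:space:]]|$)' "$1"
}

# Everything that should pass before "rcpure-ftpd restart" (step 5).
verify_pem() {
    pem_has_cert_and_key "$1" && pem_key_is_unencrypted "$1" &&
    pem_mode_ok "$1" && pem_key_matches_cert "$1"
}
```

Typical use on the OES box: `export PFX_PASS='<step 2f password>'; extract_pem /etc/ssl/private/cert.pfx /etc/ssl/private/pure-ftpd.pem && verify_pem /etc/ssl/private/pure-ftpd.pem && tls_enabled_in_conf /etc/pure-ftpd/pure-ftpd.conf && echo OK`, then unset PFX_PASS.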