# Encryption and Certificates

By default a self-signed certificate is used. You may upload your own signed certificates or automatically provision them through Let's Encrypt. This configuration applies to both FTPS and HTTPS.


The default certificate is always created when the application starts, even if its not being used.

# Using Custom Certificates

  1. Upload the certificate files to any desired location on the server. For example, on Linux, you may want to place them in the /etc/filemage/ directory path, on Windows you can use C:\ProgramData\FileMage\Gateway\certs\.

  2. Add, or modify if already present, the tls_certificate and tls_certificate_key settings in the application configuration file to point to the certificate and private key files you uploaded:

tls_certificate: /etc/filemage/mydomain.cert
tls_certificate_key: /etc/filemage/mydomain.key

Save the changes and restart the application, your certificate is now active and used by the server.


Certificates and keys must be in PEM format. This format is often referred to as "Apache" or "Nginx" format when downloading files from certificate vendors.

# Let's Encrypt Automatic Certificates

FileMage Gateway can be configured to automatically request and renew TLS certificates from Let's Encrypt using the ACME protocol, using the HTTP-01 or TLS-ALPN-01 challenge types.

In order for this to work you must:

  • Create a DNS entry under a custom domain that you own which resolves to your FileMage Gateway virtual machine public IP address.
  • Make port 80 or 443 publicly reachable to your FileMage Gateway virtual machine.


You may not exceeded the maximum number of certificates and certificate requests allowed by Let's Encrypt. (See Rate Limits)


Your virtual machine must remain publicly accessible on either port 80 or port 443 for certificates to be automatically renewed.

# Enabling Automatic Certificates

  1. Create a public DNS record that resolves to the servers public IP address.

  2. Add the following settings in the application configuration file:

acme_use_auto_tls: true
  - sftp.mydomain.com
acme_contact_email: admin@mydomain.com

Let's Encrypt is now enabled and signed certificates will automatically be issued and renewed for free.

# Converting PFX Certificates

PFX certificates must be converted to PEM format to be used by the application.


When exporting your PFX certificate, make sure to include all intermediary certificates.

  1. Extract the private key and decrypt it.
openssl pkcs12 -in mydomain.pfx -nocerts -out mydomain-encrypted.key
openssl rsa -in mydomain-encrypted.key -out mydomain.key
  1. Extract the server and intermediary certificates.
openssl pkcs12 -in mydomain.pfx -clcerts -nokeys -out mydomain.cert
  1. Update your configration file by following the instructions in Using Custom Certificates