[Last updated: January 2021] People who use SSL/TLS to secure their online transactions and file transfers are mostly familiar with only two of its security functions: (1) it can encrypt data in transit, and (2) it enables clients to authenticate the server. They're likely not making use of another feature that can greatly enhance SSL security: client certificate authentication.
We already talked about client certificate authentication and its benefits in a previous post, so if you want to learn more about it, I suggest you read that post. In that post, we never got to talk about how to enable client certificate authentication on the server side. This quick post will be all about that.
We'd like to cover both HTTPS and FTPS client authentication activation in a single article. We can easily do that because we'll be using a file transfer server that supports both protocols. The UI you'll be seeing in this tutorial will be that of JSCAPE MFT Server, a managed file transfer server that supports HTTPS, FTPS, SFTP, AS2, FTP, OFTP, WebDAV, and others.
Enabling SSL client authentication on JSCAPE MFT Server is easy. Here's how.
Enabling SSL client authentication for HTTPS
Launch the JSCAPE MFT Server Manager and go to Settings.
Once inside, navigate to Web > Web tab and then tick the HTTPS client certificate required check box. Make sure the HTTPS on host check box is also ticked, as this feature is only available if secure HTTP is enabled. After that, click the Apply button at the lower-right corner (not shown in the screenshot).
That's it. You have now enabled SSL client authentication on this server. Of course, you still have to create client certificates and import those certificates into your users' Web browsers before your users can start logging in via client authentication.
Enabling SSL client authentication for FTPS
Let me now show you how to enable digital client authentication on this server's FTP-SSL service.
Edit the domain where you want to make the changes and then navigate to the Services menu. Next, click on the FTP/S tab. Somewhere near the bottom, you should see the check box that says require client certificate for authentication. Select that to activate client authentication. Again, make sure you save those changes.
Just like in secure HTTP, you still would need to create client certificates and import those certificates to your end users' clients so that they can connect with this FTPS server. Not all file transfer clients support client certificate authentication, so you need to check that first. One client that does support this feature is AnyClient. AnyClient also supports SFTP keys, OpenPGP, and several file transfer protocols. Best of all, it's free.
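The client-certificate step that both the HTTPS and FTPS sections above leave open, as an added example (not JSCAPE's own tooling or procedure): a shell function that uses the OpenSSL command line to issue a certificate restricted to TLS client authentication from a throwaway test CA and bundle it as a PKCS#12 file for import into a browser or file transfer client. The function name, file names and CA name are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not JSCAPE's procedure): issue one client certificate from a
# throwaway test CA with OpenSSL and bundle it as PKCS#12 for client import.
set -eu

# make_client_cert DIR USER P12_PASSWORD   (hypothetical helper; caller picks all three)
make_client_cert() (
  dir=$1 user=$2 pass=$3
  umask 077                      # keep private keys readable by the owner only
  mkdir -p "$dir"
  cd "$dir"

  # Minimal config so the result does not depend on the system openssl.cnf.
  cat > ca.cnf <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Example Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
EOF

  # 1. Self-signed test CA (constructed name, 30-day lifetime).
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -config ca.cnf \
    -keyout ca.key -out ca.crt 2>/dev/null
  # 2. Client key and CSR; the CN carries the user name.
  openssl req -new -newkey rsa:2048 -nodes -config ca.cnf -subj "/CN=$user" \
    -keyout "$user.key" -out "$user.csr" 2>/dev/null
  # 3. CA signs the CSR, restricting the certificate to TLS client auth.
  openssl x509 -req -in "$user.csr" -CA ca.crt -CAkey ca.key -CAcreateserial \
    -days 30 -sha256 -extfile ca.cnf -extensions client -out "$user.crt" 2>/dev/null
  # 4. Confirm the chain and the client-auth purpose before distributing.
  openssl verify -purpose sslclient -CAfile ca.crt "$user.crt" >/dev/null
  # 5. Key + certificate + CA in one password-protected file for import.
  #    env: keeps the password out of the process argument list.
  P12_PASS=$pass openssl pkcs12 -export -inkey "$user.key" -in "$user.crt" \
    -certfile ca.crt -name "$user" -passout env:P12_PASS -out "$user.p12"
)

if [ "$#" -eq 3 ]; then make_client_cert "$@"; fi
```

The resulting `.p12` file is what gets imported on the client side; how the server is told to trust the issuing CA is product-specific and is not covered by this example.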
Try SSL/TLS client authentication
JSCAPE MFT Server comes with a free, fully-functional Starter Edition. If you want to give client authentication a test run, download a copy of JSCAPE MFT Server.