Client authentication
via certificates is unnecessary for many applications, as a
username and password often provide a sufficient level of
authentication.
On the occasions where it is required, the client's
certificate and its matching private key
must be supplied. Two formats are supported: the PEM format and the Java
keystore.
Note that for a client certificate to be accepted by a server, the certificate
must either (1) be installed on the server, or (2) have been issued by
a CA whose certificate the server trusts.
The PEM format certificate and private key must be held in a single file, private key first, formatted as below:

    -----BEGIN xxx PRIVATE KEY-----
    ... client's private key ...
    -----END xxx PRIVATE KEY-----
    -----BEGIN CERTIFICATE-----
    ... client's certificate ...
    -----END CERTIFICATE-----

where xxx defines the key type, which must be
either RSA or DSA. A key block whose armor reads simply BEGIN PRIVATE KEY
(the PKCS#8 form, which recent OpenSSL releases emit by default) does not
match this layout; such a key must be converted to the RSA or DSA form first.
The loadClientCertificate
method is used to load the client's private key and certificate in PEM
format from the supplied file. Because this file contains the private key,
restrict its file permissions so that only the account running the client can read it.
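A pre-flight check for a combined PEM file, added here as an example; it is not part of the library or the original page. It parses the armor lines and checks the layout the page documents (one RSA or DSA private key block, then one CERTIFICATE block), reports a PKCS#8 key, an unsupported key type, a reversed order or stray PEM header lines, and verifies each body is valid base64 that decodes to a DER SEQUENCE. The sample file it builds uses a constructed placeholder body, not real key material; `check_client_pem` and `sample_pem` are names chosen for this example.

```python
"""Sanity-check a combined client PEM file (private key, then certificate).
Added example; not part of the FTP library. Standard library only."""
import base64
import binascii
import re

ARMOR_RE = re.compile(r"^-----(BEGIN|END) ([A-Z0-9 ]+)-----$")
SUPPORTED_KEY_TYPES = ("RSA", "DSA")


def parse_pem_blocks(text):
    """Split PEM text into (label, header_lines, base64_body) tuples in file order.
    Raises ValueError if BEGIN/END lines are missing, nested or mismatched."""
    blocks = []
    label, headers, body = None, [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        m = ARMOR_RE.match(line)
        if m and m.group(1) == "BEGIN":
            if label is not None:
                raise ValueError(f"line {lineno}: BEGIN inside an open {label} block")
            label, headers, body = m.group(2), [], []
        elif m:  # END line
            if label != m.group(2):
                raise ValueError(f"line {lineno}: END {m.group(2)} does not match open block {label}")
            blocks.append((label, headers, "".join(body)))
            label = None
        elif label is None:
            raise ValueError(f"line {lineno}: data outside any PEM block")
        elif ":" in line and not body:
            headers.append(line)  # e.g. "Proc-Type: 4,ENCRYPTED" on an encrypted legacy key
        else:
            body.append(line)
    if label is not None:
        raise ValueError(f"unterminated {label} block")
    return blocks


def check_client_pem(text):
    """Return a list of problems; [] means the file matches the documented
    layout: one RSA/DSA private key block followed by one certificate block."""
    try:
        blocks = parse_pem_blocks(text)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    labels = [b[0] for b in blocks]
    if len(blocks) != 2:
        problems.append(f"expected exactly 2 blocks (key then certificate), found {len(blocks)}: {labels}")
    if "CERTIFICATE" not in labels:
        problems.append("no CERTIFICATE block")
    if not any(l.endswith("PRIVATE KEY") for l in labels):
        problems.append("no private key block")
    if labels and labels[0] == "CERTIFICATE" and any(l.endswith("PRIVATE KEY") for l in labels[1:]):
        problems.append("private key must come before the certificate")
    for label, headers, body in blocks:
        if label.endswith("PRIVATE KEY"):
            key_type = label[: -len("PRIVATE KEY")].strip()
            if key_type == "":
                problems.append("key is in PKCS#8 form (BEGIN PRIVATE KEY); expected BEGIN RSA/DSA PRIVATE KEY")
            elif key_type not in SUPPORTED_KEY_TYPES:
                problems.append(f"unsupported key type {key_type!r}; expected RSA or DSA")
            if headers:
                problems.append(f"key block has PEM headers {headers}; the documented format is a bare key")
        elif label != "CERTIFICATE":
            problems.append(f"unexpected block {label!r}")
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error:
            problems.append(f"{label} block is not valid base64")
            continue
        # RSA keys, DSA keys and X.509 certificates are all DER SEQUENCEs (tag 0x30).
        if not der or der[0] != 0x30:
            problems.append(f"{label} block does not decode to a DER SEQUENCE")
    return problems


# Constructed placeholder body: a minimal DER SEQUENCE { INTEGER 0 }, not real key material.
_PLACEHOLDER = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()


def sample_pem(key_label="RSA PRIVATE KEY", key_first=True, headers=()):
    """Build a constructed PEM file in the documented layout (or a broken variant)."""
    key = "\n".join([f"-----BEGIN {key_label}-----", *headers, _PLACEHOLDER, f"-----END {key_label}-----"])
    cert = f"-----BEGIN CERTIFICATE-----\n{_PLACEHOLDER}\n-----END CERTIFICATE-----"
    return (key + "\n" + cert if key_first else cert + "\n" + key) + "\n"


if __name__ == "__main__":
    for name, text in [("good", sample_pem()), ("reversed", sample_pem(key_first=False)),
                       ("pkcs8", sample_pem("PRIVATE KEY"))]:
        print(name, check_client_pem(text) or "ok")
```

Run it against a real file with `check_client_pem(open("client.pem").read())` before calling loadClientCertificate; an empty list means the layout matches what the page describes, although it does not prove the key and certificate belong together.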
Alternatively, setClientCertificate
can be used to supply a Java Certificate object and PrivateKey directly. To load a certificate and a
private key from a Java keystore, code similar to the following should
be used (the original listing misplaced a parenthesis in the load call; it is corrected here):

    import java.io.FileInputStream;
    import java.security.KeyStore;
    import java.security.PrivateKey;
    import java.security.cert.Certificate;

    // "JKS" for a Java keystore; "PKCS12" for a .p12 file.
    KeyStore keyStore = KeyStore.getInstance("JKS");
    // The stream must be closed after load(); try-with-resources does that.
    try (FileInputStream in = new FileInputStream(keyStoreFileName)) {
        keyStore.load(in, keyStorePassword.toCharArray());
    }
    // The certificate and private key are stored under the same alias.
    // getCertificate returns null if the alias is absent; check before use.
    Certificate certificate = keyStore.getCertificate(alias);
    PrivateKey privateKey = (PrivateKey) keyStore.getKey(alias, privateKeyPassword.toCharArray());
    ftp.setClientCertificate(certificate, privateKey);
See the
topic Obtaining Keys and
Certificates
for instructions on producing keys and certificates.
A general overview of private/public keys is presented in the topic Public
Key Cryptography.