This view displays the certificate in use for your current organization. When enabled by your MOVEit Transfer System Administrator ("sys admin"), and when you are signed in as an organization admin user ("org admin"), you can also upload SSL/TLS server certificates. As part of this workflow, your sys admin user can then review the certificate and put the certificate in an approved state. This enables the certificate to be used by the server.

Provide Signed Certificate to Sys Admin Directly

Providing signed certificates to the sys admin directly helps you as an org administrator: after you request and receive your certificate from a third-party signing authority (which signs your formal certificate signing request), you can provide the signed certificate directly to your sys admin for approval. The upload triggers a notification to your sys admin.

Important: Plan ahead with your certificate signing requests and renewals. Request certificate renewal well before the certificate expiration date. Otherwise, your application endpoint (org custom URL) will have a time gap where the URL cannot be verified by the third-party certificate authority. (Clients trying to connect during this interval will receive warnings about the validity of your site.)

This feature enables better management and scaling of multi-tenant or multi-homing environments (for example, where org-specific endpoints or "custom URLs" are typical). (For test and internal applications, you can also self-sign your certificate, but self signing is not best practice.)

Note: The certificate must be in PKCS #12 format (.pfx) with password protection. (Do not include the certificate chain.)
Tip: The Certificate Subject (common name) or Subject Alternative Name of type DNS should match the base URL of the org as well as the hostname set for the org site binding in IIS.
Org admins granted this ability can manage their site's TLS/SSL certificate settings (SETTINGS tab <org-or-system> - Security - CURRENT IIS and FTP Certificate). From this view, as an org admin user, you can upload and manage the server certificate associated with HTTPS and FTPS connection requests.
If certificate upload permissions are delegated to your organization, the workflow includes the following:
  • A To upload new certificate... section displays with a Browse button (displayed under the current certificate view).
  • Org admins can now upload certificates for that organization's site. Those certificates move to the pending state.
  • Sys admins receive a notification for each certificate in the pending state. The sys admin can apply the certificate to make it active and current for the site or else reject it (current shown).
  • The new certificate displays in the Current IIS and FTP Certificate view.

Server Certificate Management Available to Org Admins

Tip: Your MOVEit Transfer sys admin enables the Browse and the associated certificate upload controls and workflow. If no permissions are delegated to the org admin to upload the site certificates, then only the current certificate view will be shown.

State after Upload: Pending

Immediately after upload, the uploaded certificate awaits approval by the sys admin. This is called the "pending" state.

Certificate Requirements/Best Practices

In order to ensure MOVEit Transfer and your system administrator accept and ultimately approve the certificate you submit for your organization, you must follow these criteria.

Certificate Must be .pfx File

The certificate must be in PKCS #12 format (.pfx) with password protection. This is an option you choose when you export it.
Note: Do not include the certificate chain. In other words, do not include all certificates in the certification path when you export the current certificate to .pfx.

Match the Common Name to the URL

Certificate Subject (Common Name) or Subject Alternative Name of type DNS should match the base URL of the org as well as the hostname set for the org's Site Binding in IIS.

Certificate Validity (time to expire) Should Be Greater than Current Certs

Ensure that the date-time to expire (validity) is greater than that of the current (FTP and IIS) certificates for the org.
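
The following PowerShell function is an added example (not part of the MOVEit Transfer product or its documentation) that checks a .pfx against the three requirements above before you upload it: no chain certificates, a name that matches the org base URL, and an expiry later than the current certificate. The function name, parameter names, file path, URL and date are hypothetical or constructed values; it assumes a Windows host where the PKI module's Get-PfxData cmdlet is available.

```powershell
# Added example: pre-upload check of a .pfx against the requirements listed above.
# Function/parameter names are hypothetical. Requires Windows (PKI module).
function Test-OrgCertificateForUpload {
    param(
        [Parameter(Mandatory)] [string]       $PfxPath,
        [Parameter(Mandatory)] [securestring] $Password,
        [Parameter(Mandatory)] [uri]          $BaseUrl,         # full org base URL, scheme included
        [Parameter(Mandatory)] [datetime]     $CurrentNotAfter  # expiry shown for the certificate in use
    )

    # Get-PfxData parses the file only; nothing is added to a certificate store.
    $pfx   = Get-PfxData -FilePath $PfxPath -Password $Password -ErrorAction Stop
    $leaf  = @($pfx.EndEntityCertificates | Where-Object { $_ })
    $extra = @($pfx.OtherCertificates     | Where-Object { $_ })   # intermediates/roots
    if ($leaf.Count -ne 1) { throw "Expected exactly one server certificate, found $($leaf.Count)." }
    $cert = $leaf[0]

    # DnsNameList (a property PowerShell adds to certificate objects) holds the
    # subject common name plus any Subject Alternative Names of type DNS.
    $names    = @($cert.DnsNameList | Where-Object { $_ } | ForEach-Object { $_.Unicode.ToLowerInvariant() })
    $hostName = $BaseUrl.Host.ToLowerInvariant()
    $parent   = $hostName.Substring($hostName.IndexOf('.') + 1)
    $nameMatch = $false
    foreach ($n in $names) {
        # A wildcard name covers exactly one left-most label of the host name.
        $wild = $n.StartsWith('*.') -and $hostName.Contains('.') -and ($n.Substring(2) -eq $parent)
        if ($n -eq $hostName -or $wild) { $nameMatch = $true }
    }

    [pscustomobject]@{
        Subject             = $cert.Subject
        NotAfter            = $cert.NotAfter
        ChainExcluded       = ($extra.Count -eq 0)
        NameMatchesBaseUrl  = $nameMatch
        ExpiresAfterCurrent = ($cert.NotAfter -gt $CurrentNotAfter)
    }
}

# Usage with constructed values (file name, URL and date are placeholders).
$pw = Read-Host -AsSecureString 'PFX password'
Test-OrgCertificateForUpload -PfxPath .\org-site.pfx -Password $pw `
    -BaseUrl 'https://transfer.example.com' -CurrentNotAfter '2030-01-31'
```

Any property that returns False points to a requirement the export does not yet meet. Apply the same host name comparison to the hostname your sys admin set for the org's Site Binding in IIS.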

Topics Related to This Workflow

For selected topics related to this workflow and UI controls, you can refer to: