Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), are cryptographic protocols designed to provide communication security over the Internet. They use X.509 certificates and hence asymmetric cryptography to authenticate the counterparty with whom they are communicating, and to exchange a symmetric key. This session key is then used to encrypt data flowing between the parties.1
- TLS/SSL Server Certificates
- TLS/SSL Client Certificates
- Supported Cryptographic Protocols and Cipher Suites
If it is not, WinSCP will generate a warning stating that the certificate is not valid. Whether or not to trust such certificate is your choice. If you are connecting within a company network, you might feel that all the network users are on the same side and spoofing attacks are unlikely, so you might choose to trust the certificate without checking it. If you are connecting across a hostile network (such as the Internet), you should check with your system administrator, perhaps by telephone or in person.
Learn also how to accept certificate automatically in script.
The client certificate typically needs to be signed by a certificate authority trusted by the server.
Supported client certificate file formats are:
- Personal Information Exchange – PCKS #12 (
- Base64 encoded PEM X.509 (
- containing both private key and the certificate;
- containing a private key only, with certificate in a separate file. The certificate needs to have the same base name as the private key, with
.cerextensions and be in the Base64 encoded PEM X.509 format or binary DER format.
WinSCP supports TLS 1.0–1.3. The TLS 1.0 and 1.1 are disabled by default, to protect you from their known serious vulnerabilities. Obsolete SSL of any version is not supported.
See list of supported cipher suites.