Steps:
- Create root CA, intermediate CA and host certificate (use CA/Browser Forum Baseline Requirements as guidance, when in doubt). Host certificate CN and SAN entries should match the hostname of the FTP server.
- Import root CA to client machine trusted certificates store (using certlm.msc, for example).
- Configure FTP server with enforced TLS (let's say pure-ftpd with TLS=3).
- Configure certificate chain on FTP server: host private, host public, intermediate CA, optionally root CA at end (root CA generally shouldn't be sent, as the client should have it in its own trusted CA store).
- Try to connect to this FTP server using WinSCP and the following settings: FTP, explicit TLS.
Outcome:
"Warning: The server's certificate is not known." popup message. See attached log file for details.
Expected outcome: X.509 certificate chain successfully validated, connection established. It should work as it does with an HTTPS server using the same chain and a web browser as the client.
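
One way to build the three-tier test chain from the steps above and confirm that it validates independently of any FTP client, as an added example that is not part of the original report. The hostname `ftp.example.test`, the CA names, the file names and the lifetimes are constructed, and the `openssl` CLI is assumed to be installed.

```shell
#!/bin/sh
# Added example. Constructed: ftp.example.test, CA names, file names, lifetimes.
set -eu

build_chain() {  # $1 = output dir, $2 = FTP server hostname (goes into CN and SAN)
  d=$1
  cat > "$d/x509.cnf" <<EOF
[req]
distinguished_name = dn
[dn]
[root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[inter]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
[host]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$2
EOF
  for n in root inter host; do   # one key and CSR per tier
    cn="Example $n CA"; if [ "$n" = host ]; then cn=$2; fi
    openssl req -new -newkey rsa:2048 -nodes -config "$d/x509.cnf" \
      -subj "/CN=$cn" -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  done
  sign() { openssl x509 -req -sha256 -extfile "$d/x509.cnf" "$@" 2>/dev/null; }
  sign -in "$d/root.csr" -signkey "$d/root.key" -days 3650 -extensions root -out "$d/root.crt"
  sign -in "$d/inter.csr" -CA "$d/root.crt" -CAkey "$d/root.key" -CAcreateserial \
       -days 1825 -extensions inter -out "$d/inter.crt"
  sign -in "$d/host.csr" -CA "$d/inter.crt" -CAkey "$d/inter.key" -CAcreateserial \
       -days 365 -extensions host -out "$d/host.crt"
  # Order from the steps above: host private, host public, intermediate CA; root omitted.
  cat "$d/host.key" "$d/host.crt" "$d/inter.crt" > "$d/ftpd-chain.pem"
}

check_chain() {  # $1 = dir, $2 = hostname the client dials, $3 = certs the server sends
  openssl verify -CAfile "$1/root.crt" -untrusted "${3:-$1/inter.crt}" \
    -purpose sslserver -verify_hostname "$2" "$1/host.crt" >/dev/null 2>&1
}

dir=$(mktemp -d)
build_chain "$dir" ftp.example.test
check_chain "$dir" ftp.example.test && echo "chain validates for ftp.example.test"
```

A passing `check_chain` means the certificates themselves form a valid path to the root, which narrows a client-side warning down to what the server actually sends or what the client trusts.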