1. Create a root CA, an intermediate CA and a host certificate (use the CA/Browser Forum Baseline Requirements as guidance when in doubt). The host certificate's CN and SAN entries should match the hostname of the FTP server.
2. Import the root CA into the client machine's trusted certificates store (using certlm.msc, for example).
3. Configure the FTP server with enforced TLS (let's say pure-ftpd with TLS=3).
4. Configure the certificate chain on the FTP server: host private key, host public certificate, intermediate CA, and optionally the root CA at the end (the root CA generally shouldn't be sent, as the client should have it in its own trusted CA store).
5. Try to connect to this FTP server using WinSCP with the following settings: FTP, explicit TLS.
Outcome: "Warning: The server's certificate is not known." popup message. See attached log file for details.
Expected outcome: X.509 certificate chain successfully validated, connection established. It should work as it does with an HTTPS server using the same chain and a web browser as the client.
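
To reproduce steps 1 and 4 and confirm offline that the chain itself is valid before testing a client, the following added example (not part of the original report) builds the three certificates with OpenSSL, assembles the server bundle in the order given in step 4, and runs the same path and hostname checks a client is expected to perform. The hostname `ftp.example.test`, the subject names, validity periods and all file names are assumptions.

```shell
#!/bin/sh
# Added example; hostname, subject names and file names are constructed.

# Steps 1 and 4: root CA -> intermediate CA -> host cert, then the server bundle.
build_chain() (
    host="$1"; cd "$2" || exit 1
    cat > ext.cnf <<EOF
[root]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
[inter]
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid
[host]
basicConstraints=critical,CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$host
EOF
    # mkreq NAME CN: new key and CSR; sign NAME ARGS...: issue NAME.crt
    mkreq() { openssl req -new -newkey rsa:2048 -nodes -sha256 \
                  -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null; }
    sign() { n="$1"; shift; openssl x509 -req -sha256 -in "$n.csr" \
                 -extfile ext.cnf -extensions "$n" -out "$n.crt" "$@" 2>/dev/null; }
    # Bundle order from step 4: host private key, host certificate, intermediate CA.
    mkreq root "Example Root CA" && sign root -days 3650 -signkey root.key &&
    mkreq inter "Example Intermediate CA" &&
    sign inter -days 1825 -CA root.crt -CAkey root.key -CAcreateserial &&
    mkreq host "$host" &&
    sign host -days 365 -CA inter.crt -CAkey inter.key -CAcreateserial &&
    cat host.key host.crt inter.crt > pure-ftpd.pem
)

# Client-side check: host -> intermediate -> trusted root, plus name match.
verify_chain() (
    cd "$2" && openssl verify -CAfile root.crt -untrusted inter.crt \
        -purpose sslserver -verify_hostname "$1" host.crt
)

# Failure mode: the server bundle omits the intermediate CA.
verify_without_intermediate() (
    cd "$1" && openssl verify -CAfile root.crt -purpose sslserver host.crt 2>/dev/null
)

work=$(mktemp -d)
build_chain ftp.example.test "$work" && verify_chain ftp.example.test "$work"
```

If `verify_chain` succeeds here but the client still warns, the chain is not at fault, and attention moves to what the server actually sends and which trust store the client consults.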