I needed to set up an FTPS server. After trying a couple of servers and not having any joy, I asked on #debian and was recommended to try ProFTPD. It's easy to configure and does all the things we need...

I used this to set up the SSL:

I used this to create the certificates I needed:

-rw-r--r-- 1 root root 1124 2009-03-11 13:49 /etc/inetd.conf
-rw-r--r-- 1 root root 953  2009-03-11 14:57 /etc/proftpd/local.conf
-rw-r--r-- 1 root root 655  2009-03-11 14:39 /etc/proftpd/server.csr
-rw-r--r-- 1 root root 963  2009-03-11 14:32 /etc/proftpd/server.key
-rwxr-xr-x 1 root root 1563 2009-03-11 14:45 /etc/proftpd/sign.sh
-rw-r--r-- 1 root root 2538 2009-03-11 14:50 /etc/ssl/ca.db.certs/01.pem
-rw-r--r-- 1 root root 2538 2009-03-11 14:52 /etc/ssl/ca.db.certs/02.pem
-rw-r--r-- 1 root root 184  2009-03-11 14:52 /etc/ssl/ca.db.index
-rw-r--r-- 1 root root 20   2009-03-11 14:52 /etc/ssl/ca.db.index.attr
-rw-r--r-- 1 root root 92   2009-03-11 14:50 /etc/ssl/ca.db.index.old
-rw-r--r-- 1 root root 3    2009-03-11 14:52 /etc/ssl/ca.db.serial
-rw-r--r-- 1 root root 1155 2009-03-11 14:38 /etc/ssl/certs/ca.crt
-rw-r--r-- 1 root root 951  2009-03-11 14:37 /etc/ssl/private/ca.key

Include /etc/proftpd/local.conf

The local.conf file:

-rw-r--r-- 1 root root 953  2009-03-11 14:57 /etc/proftpd/local.conf

#
# Chroot everyone to their home directory
#
DefaultRoot ~
#
# Configure server for SSL only:
#
<IfModule mod_tls.c>
    TLSEngine on
    TLSLog /var/log/proftpd/tls.log
    # Support both SSLv3 and TLSv1
    # NOTE(review): SSLv3 and TLSv1.0 are both deprecated, and SSLv3 is
    # affected by POODLE. Where the installed ProFTPD/OpenSSL build
    # supports it, restrict this list to TLSv1.2 or newer -- confirm which
    # protocol names your mod_tls version accepts before changing it.
    TLSProtocol SSLv3 TLSv1
    # Are clients required to use FTP over TLS when talking to this server?
    # Require SSL/TLS on both channels (control and data), so logins and
    # file contents are never sent in the clear.
    TLSRequired on
    # Server's certificate and its private key.
    # NOTE(review): the file listing on this page shows server.key (and
    # /etc/ssl/private/ca.key) as -rw-r--r--, i.e. readable by every local
    # user. Private keys should be readable by root only (mode 0600).
    TLSRSACertificateFile /etc/proftpd/server.crt
    TLSRSACertificateKeyFile /etc/proftpd/server.key
    # CA the server trusts
    TLSCACertificateFile /etc/ssl/certs/ca.crt
    # Authenticate clients that want to use FTP over TLS?
    # Off: client certificates are not verified, so clients are
    # authenticated only by their FTP login.
    TLSVerifyClient off
    # Allow SSL/TLS renegotiations when the client requests them, but
    # do not force the renegotiations. Some clients do not support
    # SSL/TLS renegotiations; when mod_tls forces a renegotiation, these
    # clients will close the data connection, or there will be a timeout
    # on an idle data connection.
    TLSRenegotiate required off
    #
    # Added later: do not send a client-certificate request during the
    # handshake. Some FTP clients mishandle the request, and it is not
    # needed here because TLSVerifyClient is off.
    #
    TLSOptions NoCertRequest
    # Left commented out, so the handshake timeout stays at the server's default.
    # TLSTimeoutHandshake 60
</IfModule>


Client: