The Perfect Server docs detail usage of certbot/LE for web servers, and openssl for PureFTPd. I believe I understand some reasons about why different methods are used for each, but I'd like to hear it from you guys. My guesses are: 1) LE wasn't supported in the past so the openssl command is just a legacy instruction that hasn't required a change. 2) The openssl command generates a self-signed cert, which some might prefer to getting a cert from a CA, even LE. 3) Some admins might not want a renewing cert for FTP and LE certs have a max 90 day lifetime. But the instructions are provided in the Perfect docs like openssl is the only way to do this, with no indication that LE is an alternative. I can't tell if this is intentional. For secure FTP, is there any reason not to use 4096 bits? There used to be a Java limit that was related to this (I forgot how) but not anymore. Related: The openssl command for dhparam isn't in the Ubuntu Perfect guides, though I know it was added to Debian. For anyone else using LE, I believe the DH file needs to be created for either method, certbot or openssl. The latest details posted by @Yasin Karabulak are awesome - about SNI for PureFTPd. I don't have personal need for this, too small here, but while some folks don't care, for others it's a big deal. I hope that gets separated out into a HowTo so it's not lost to history in the forum. Thanks.