Requirements: Hostname certificate already installed, check that these files exist:
/etc/pki/tls/private/hostname.key
/etc/pki/tls/certs/hostname.crt

Create Certificate File for pure-ftpd

cat /etc/pki/tls/private/hostname.key > /etc/pki/tls/private/pure-ftpd.pem
cat /etc/pki/tls/certs/hostname.crt >> /etc/pki/tls/private/pure-ftpd.pem
chmod 600 /etc/pki/tls/private/pure-ftpd.pem

Edit File: /etc/pure-ftpd/pure-ftpd.conf end set this values:

TLS 1
TLSCipherSuite HIGH
CertFile /etc/pki/tls/private/pure-ftpd.pem

Available options :
TLS 0 : disable SSL/TLS encryption layer (default on install).
TLS 1 : accept both traditional and encrypted sessions.
TLS 2 : refuse connections that don't use SSL/TLS security mechanisms, including anonymous sessions.

In the latest centos7 version 0.9.8.757+ you can install it with command:

sh /scripts/install_pure-ftpd_tls

How to connect
FileZilla example details
Host: ftpes://HOSTNAME
Username: USERNAME
Password: PASSWORD
Port: 21

There are three types of FTP connections and SFTP:

FTP (port 21)
Plain, unencrypted FTP that defaults over port 21. Most web browsers support basic FTP.
Example for FileZilla, for Host: ftp//:SERVER-IP

FTPS (port 990)
Implicit SSL/TLS encrypted FTP that works just like HTTPS. Security is enabled with SSL as soon as the connection starts. The default FTPS port is 990. This protocol was the first version of encrypted FTP available, and while considered deprecated, is still widely used. None of the major web browsers support FTPS.
Example for FileZilla, for Host: ftps//:SERVER-IP

FTPES (port 21)
Explicit FTP over SSL/TLS. This starts out as plain FTP over port 21, but through special FTP commands is upgraded to TLS/SSL encryption. This upgrade usually occurs before the user credentials are sent over the connection. FTPES is a somewhat newer form of encrypted FTP (although still over a decade old), and is considered the preferred way to establish encrypted connections because it can be more firewall-friendly. None of the major web browsers support FTPES.
Example for FileZilla, for Host: ftpes//:SERVER-IP

SFTP (port 22 or custom ssh port)
SFTP (Secure File Transfer Protocol), SFTP runs over SSH, but because SFTP runs over SSH it also has an issue that you can't lock users into the home folder and because of that, we don't recommend it for regular users (users can browse system files/folders). We recommend that you allow SFTP only via "/usr/libexec/openssh/sftp-server" shell or if you have a cloudlinux with cage-fs then you should use /bin/bash.

NOTE
The only secure solution is a Cloudlinux or CWP Secure Kernel for the secure SFTP as with any other users will be able to exit their home folder and see other users or list system folders/files.

You can change the shell for a user in cwp.admin (required for SFTP/Jailkit/Bash only)
Left Menu -> Security -> Shell Access, then select a user
* Default shell set for users in cwp is: /sbin/nologin (this disables SSH/SFTP)
* The securest option for the shell is Jailkit with CWP Secure Kernel

* Please note that enabling Jailkit for each user it ads an additional 50-100Mb on user disk space.

In cwp you have two types of FTP users: system and virtual.

System users
===============
System users are linux users, you can login into to FTP by using access details of the control panel.
Linux users are created from cwp.admin left menu --> User Accounts

Virtual users
===============
Virtual users are users created with ftp software from cwp.user panel.
Virtual users have the same permissions like the main user of the account.

With Virtual users you get possibility to make unlimited number of FTP accounts for the same user account.

All users are chroot-ed into the home folder of the system user.

If you need to enable sftp access for some of your clients and you don't want to give them the full shell access /bin/bash or /bin/sh, now you can do that with a few clicks in your cwp.admin.

In your cwp.admin go to
Left menu --> Security --> Shell Access
Now select the user and set the shell to sftp-server and that is it.

***NOTE: This access is NOT chroot-ing users into they home folder like via regular ftp.
But its much more better and secure then giving a user the full shell access like /bin/bash or /bin/sh .

Video instructions

How to enable passive ports on your pure-ftpd server and CSF Firewall
When transferring files on/from your ftp server you will need to have passive ports specified and allowed in the firewall.

Firstly lets edit pure-ftpd configuration file

nano /etc/pure-ftpd/pure-ftpd.conf

Uncomment (remove # at beginning of the line) PassivePortRange and specify the passive port range:

PassivePortRange 35000 50000

* If this line is missing then simply add it at the end of the file.

Restart pure-ftpd to load the new configuration

service pure-ftpd restart

Next steep is to set the CSF firewall configuration
In file /etc/csf/csf.conf add the same port range under TCP_IN and TCP_OUT

nano /etc/csf/csf.conf

In lines TCP_IN and TCP_OUT add 30000:50000, example

# Allow incoming TCP ports
TCP_IN = "20,21,22,25,53,80,110,143,443,465,587,993,995,2030,2031,30000:50000,6666"

# Allow outgoing TCP ports
TCP_OUT = "20,21,22,25,53,80,110,113,443,2030,2031,30000:50000,993,995"

Now lets reload csf firewall configuration

csf -r

Video instructions

that is it, enjoy!

Changes required in pure-ftpd configuration file: /etc/pure-ftpd/pure-ftpd.conf
# Don't allow authenticated users - have a public anonymous FTP only.

AnonymousOnly no

# Disallow anonymous connections. Only allow authenticated users.

NoAnonymous yes

Now restart pure-ftpd server

service pure-ftpd restart

If you want to do that for all active connection then you will need to stop pure-ftpd server and kill all pure-ftpd processes.

service pure-ftpd stop
ps uaxf|grep pure-ftp|awk {'print $2'}|xargs kill -9
service pure-ftpd start

How to autoFix your FTP server issue?
- Login to CWP.admin as root
- go to Left Menu --> File Management --> FTP Management
...and that is it.

Simple, if you had any issue once you have opened FTP Management your issue should be resolved.
CWP will auto-check for few well known issues and display you a message about what issue is fixed.

If you still have the same issue then you should contact support.