FTPS certificates for Relay Server

Roland Rozsa, 3 years 5 months ago

Customer intends to use FTPS for Relay Servers with certificates. What kind of certificates do they need in such a case on the MSP server and in a terminal like the MC65, and where can they obtain them?
Thanks Roland


2 Replies

Allan Herrod

What Steve describes is correct, assuming that a customer has elected to take one specific approach (arguably the most common approach). But ultimately, what is needed depends on what the customer decides to do. In general, there are several basic approaches to obtaining certificates for an FTPS Server, and the approach chosen determines what has to be done.

1. The customer can purchase a certificate for the FTPS Server from a well-known and trusted Public CA (e.g. Verisign, GoDaddy, etc.). This may be a good choice if the FTPS Server will be exposed to the internet. In most cases, the Root CA certificate for such a Public CA will already be on the MSP Server and the devices, and hence no certificates will need to be deployed or installed. Of course, you have to pay for such convenience, since the Public CA will charge for certificate issuance and renewal.

2. The customer can issue a certificate to the FTPS Server from a customer-owned and maintained Private CA. This is a good choice for customers that already maintain a PKI and want to avoid paying a Public CA to issue and renew certificates. The Root CA certificate for the Private CA will need to be deployed and installed to both the MSP Server and the devices to establish trust of certificates issued by the Private CA. Note that it is NOT necessary to deploy and install the certificate issued to an FTPS Server to the MSP Server and the devices, since trust of all certificates issued by the Private CA can be established based solely on the trust of the Root CA certificate.

3. The customer could use a multi-tier Private CA (e.g. Root and Intermediate CAs). This is useful when a customer already has such a PKI and wants to leverage it. If this is done, then ALL CA certificates (Root and Intermediate) will need to be deployed and installed to both the MSP Server and the devices. Otherwise this is the same as number 2 above. Note that again it is NOT necessary to deploy and install the certificate issued to an FTPS Server to the MSP Server and the devices.

4. The customer can issue a self-signed certificate to the FTP Server. This is useful for lab situations but not generally recommended for production scenarios. If this is done, then the FTPS Server is in essence its own Root CA. In this special case, the certificate issued to the FTP Server must be deployed and installed to both the MSP Server and the devices, but this is NOT because the Server certificate is needed but because the Server certificate also happens to be the Root CA certificate of the issuing CA. So this is really a special case of number 2 above.

Steve Zimmerman

At a high level, the relay server will need a cert from the implemented CA. Initiate the cert request from the R/S, process and generate the cert on the CA. Then import the cert on the R/S and require SSL communication on the FTP site of the R/S. You'll also need to generate a cert on the CA for the mobile device if both sides of the R/S are using FTPS. Z
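
The request-and-issue flow and the trust outcomes of approaches 2 to 4 described in the replies above can be reproduced offline with the OpenSSL command line. This is an added example, not part of the original thread: the CA names, host name and file names are constructed, and it assumes the verifying side sees only the server's own certificate plus whatever CA certificates have been installed as trust anchors.

```shell
#!/bin/sh
# Constructed lab PKI: every subject name and file below is made up for this example.
d=$(mktemp -d) && trap 'rm -rf "$d"' EXIT

# Extension profiles: "ca" for issuing CAs, "srv" for FTPS server certificates.
cat > "$d/ext.cnf" <<'EOF'
[ca]
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
[srv]
basicConstraints=CA:FALSE
subjectAltName=DNS:relay.example.test
EOF

mkreq() {     # mkreq NAME CN: new key pair and certificate request (done on the server)
  openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$1.key" \
    -out "$d/$1.csr" -subj "/CN=$2" 2>/dev/null
}
selfsign() {  # selfsign NAME PROFILE: NAME signs its own request
  openssl x509 -req -in "$d/$1.csr" -signkey "$d/$1.key" -days 30 \
    -extfile "$d/ext.cnf" -extensions "$2" -out "$d/$1.pem" 2>/dev/null
}
issue() {     # issue NAME ISSUER PROFILE: the CA named ISSUER signs NAME's request
  openssl x509 -req -in "$d/$1.csr" -CA "$d/$2.pem" -CAkey "$d/$2.key" \
    -CAcreateserial -days 30 -extfile "$d/ext.cnf" -extensions "$3" -out "$d/$1.pem" 2>/dev/null
}
trusts() {    # trusts ANCHORS CERT: succeeds if CERT chains to a certificate in ANCHORS
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
report() {    # report LABEL ANCHORS CERT: print the verification outcome
  if trusts "$d/$2.pem" "$d/$3.pem"; then r=trusted; else r=REJECTED; fi
  echo "$1: $r"
}

mkreq root  "Example Private Root CA";  selfsign root ca
mkreq inter "Example Intermediate CA";  issue inter root ca
mkreq ftps2 relay.example.test;         issue ftps2 root srv    # approach 2: single-tier
mkreq ftps3 relay.example.test;         issue ftps3 inter srv   # approach 3: multi-tier
mkreq ftps4 relay.example.test;         selfsign ftps4 srv      # approach 4: self-signed
cat "$d/root.pem" "$d/inter.pem" > "$d/root+inter.pem"

report "single-tier, root installed"            root       ftps2
report "multi-tier, root only"                  root       ftps3
report "multi-tier, root and intermediate"      root+inter ftps3
report "self-signed, private root only"         root       ftps4
report "self-signed, server cert installed"     ftps4      ftps4
```

In none of the CA-issued cases is the server's own certificate placed in the trust store; only the self-signed case requires it, because there the server certificate is also the issuer.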
