Creating SSH Certificates for SFTP using a CA











up vote
0
down vote

favorite
1












I'm a bit confused regarding the order of things to make this happen.



This is what I had in mind:



1 - Generate CA public and private key.



2 - Use CA Public Key with SFTP server (TrustedUserCAKeys).



3 - Generate a user private + public key.



4 - Sign user private key using CA.



5 - Connect to the SFTP server using the private key, username and winscp.



Should this work?










share|improve this question


























    up vote
    0
    down vote

    favorite
    1












    I'm a bit confused regarding the order of things to make this happen.



    This is what I had in mind:



    1 - Generate CA public and private key.



    2 - Use CA Public Key with SFTP server (TrustedUserCAKeys).



    3 - Generate a user private + public key.



    4 - Sign user private key using CA.



    5 - Connect to the SFTP server using the private key, username and winscp.



    Should this work?










    share|improve this question
























      up vote
      0
      down vote

      favorite
      1









      up vote
      0
      down vote

      favorite
      1






      1





      I'm a bit confused regarding the order of things to make this happen.



      This is what I had in mind:



      1 - Generate CA public and private key.



      2 - Use CA Public Key with SFTP server (TrustedUserCAKeys).



      3 - Generate a user private + public key.



      4 - Sign user private key using CA.



      5 - Connect to the SFTP server using the private key, username and winscp.



      Should this work?










      share|improve this question













      I'm a bit confused regarding the order of things to make this happen.



      This is what I had in mind:



      1 - Generate CA public and private key.



      2 - Use CA Public Key with SFTP server (TrustedUserCAKeys).



      3 - Generate a user private + public key.



      4 - Sign user private key using CA.



      5 - Connect to the SFTP server using the private key, username and winscp.



      Should this work?







      ssh certificate certificate-authority






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Nov 15 at 12:50









      JustAGuy

      1134




      1134






















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          1
          down vote













          CAs sign the public key (producing a certificate). They never see the signee's private key.



          Besides that, the workflow seems correct, except for the WinSCP part.



          The certificates used by TrustedUserCAKeys are a format invented by OpenSSH. Currently no other software supports this kind of certificate authentication – here's the PuTTY wishlist entry for them. Because WinSCP uses PuTTY as its SSH core, it does not have OpenSSH certificate support, and won't have it until PuTTY does.






          share|improve this answer























          • I'm awake of that. It means that I will have to convert the key to a ppk format, which WINSCP offers right out of the box as it detects something else.
            – JustAGuy
            Nov 15 at 13:46










          • I guess I'll have to give it a go now :) Cheers.
            – JustAGuy
            Nov 15 at 13:46










          • I am not talking about the OpenSSH key format. Converting the key alone gives you nothing, because the client still won't be able to send the signed certificate to the server.
            – grawity
            Nov 15 at 13:47












          • That sounds strange... If the conversion is useless then why is it offering it automatically? Better yet, what would it take to do it right?
            – JustAGuy
            Nov 15 at 13:52








          • 1




            @JustAGuy There's Microsoft build of OpenSSH for Windows.
            – Martin Prikryl
            Nov 15 at 15:12











          Your Answer








          StackExchange.ready(function() {
          var channelOptions = {
          tags: "".split(" "),
          id: "3"
          };
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function() {
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled) {
          StackExchange.using("snippets", function() {
          createEditor();
          });
          }
          else {
          createEditor();
          }
          });

          function createEditor() {
          StackExchange.prepareEditor({
          heartbeatType: 'answer',
          convertImagesToLinks: true,
          noModals: true,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: 10,
          bindNavPrevention: true,
          postfix: "",
          imageUploader: {
          brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
          contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
          allowUrls: true
          },
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          });


          }
          });














           

          draft saved


          draft discarded


















          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1375669%2fcreating-ssh-certificates-for-sftp-using-a-ca%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown

























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          1
          down vote













          CAs sign the public key (producing a certificate). They never see the signee's private key.



          Besides that, the workflow seems correct, except for the WinSCP part.



          The certificates used by TrustedUserCAKeys are a format invented by OpenSSH. Currently no other software supports this kind of certificate authentication – here's the PuTTY wishlist entry for them. Because WinSCP uses PuTTY as its SSH core, it does not have OpenSSH certificate support, and won't have it until PuTTY does.






          share|improve this answer























          • I'm awake of that. It means that I will have to convert the key to a ppk format, which WINSCP offers right out of the box as it detects something else.
            – JustAGuy
            Nov 15 at 13:46










          • I guess I'll have to give it a go now :) Cheers.
            – JustAGuy
            Nov 15 at 13:46










          • I am not talking about the OpenSSH key format. Converting the key alone gives you nothing, because the client still won't be able to send the signed certificate to the server.
            – grawity
            Nov 15 at 13:47












          • That sounds strange... If the conversion is useless then why is it offering it automatically? Better yet, what would it take to do it right?
            – JustAGuy
            Nov 15 at 13:52








          • 1




            @JustAGuy There's Microsoft build of OpenSSH for Windows.
            – Martin Prikryl
            Nov 15 at 15:12















          up vote
          1
          down vote













          CAs sign the public key (producing a certificate). They never see the signee's private key.



          Besides that, the workflow seems correct, except for the WinSCP part.



          The certificates used by TrustedUserCAKeys are a format invented by OpenSSH. Currently no other software supports this kind of certificate authentication – here's the PuTTY wishlist entry for them. Because WinSCP uses PuTTY as its SSH core, it does not have OpenSSH certificate support, and won't have it until PuTTY does.






          share|improve this answer























          • I'm awake of that. It means that I will have to convert the key to a ppk format, which WINSCP offers right out of the box as it detects something else.
            – JustAGuy
            Nov 15 at 13:46










          • I guess I'll have to give it a go now :) Cheers.
            – JustAGuy
            Nov 15 at 13:46










          • I am not talking about the OpenSSH key format. Converting the key alone gives you nothing, because the client still won't be able to send the signed certificate to the server.
            – grawity
            Nov 15 at 13:47












          • That sounds strange... If the conversion is useless then why is it offering it automatically? Better yet, what would it take to do it right?
            – JustAGuy
            Nov 15 at 13:52








          • 1




            @JustAGuy There's Microsoft build of OpenSSH for Windows.
            – Martin Prikryl
            Nov 15 at 15:12













          up vote
          1
          down vote










          up vote
          1
          down vote









          CAs sign the public key (producing a certificate). They never see the signee's private key.



          Besides that, the workflow seems correct, except for the WinSCP part.



          The certificates used by TrustedUserCAKeys are a format invented by OpenSSH. Currently no other software supports this kind of certificate authentication – here's the PuTTY wishlist entry for them. Because WinSCP uses PuTTY as its SSH core, it does not have OpenSSH certificate support, and won't have it until PuTTY does.






          share|improve this answer














          CAs sign the public key (producing a certificate). They never see the signee's private key.



          Besides that, the workflow seems correct, except for the WinSCP part.



          The certificates used by TrustedUserCAKeys are a format invented by OpenSSH. Currently no other software supports this kind of certificate authentication – here's the PuTTY wishlist entry for them. Because WinSCP uses PuTTY as its SSH core, it does not have OpenSSH certificate support, and won't have it until PuTTY does.







          share|improve this answer














          share|improve this answer



          share|improve this answer








          edited Nov 15 at 13:54

























          answered Nov 15 at 13:40









          grawity

          228k35477540




          228k35477540












          • I'm awake of that. It means that I will have to convert the key to a ppk format, which WINSCP offers right out of the box as it detects something else.
            – JustAGuy
            Nov 15 at 13:46










          • I guess I'll have to give it a go now :) Cheers.
            – JustAGuy
            Nov 15 at 13:46










          • I am not talking about the OpenSSH key format. Converting the key alone gives you nothing, because the client still won't be able to send the signed certificate to the server.
            – grawity
            Nov 15 at 13:47












          • That sounds strange... If the conversion is useless then why is it offering it automatically? Better yet, what would it take to do it right?
            – JustAGuy
            Nov 15 at 13:52








          • 1




            @JustAGuy There's Microsoft build of OpenSSH for Windows.
            – Martin Prikryl
            Nov 15 at 15:12


















          • I'm awake of that. It means that I will have to convert the key to a ppk format, which WINSCP offers right out of the box as it detects something else.
            – JustAGuy
            Nov 15 at 13:46










          • I guess I'll have to give it a go now :) Cheers.
            – JustAGuy
            Nov 15 at 13:46










          • I am not talking about the OpenSSH key format. Converting the key alone gives you nothing, because the client still won't be able to send the signed certificate to the server.
            – grawity
            Nov 15 at 13:47












          • That sounds strange... If the conversion is useless then why is it offering it automatically? Better yet, what would it take to do it right?
            – JustAGuy
            Nov 15 at 13:52








          • 1




            @JustAGuy There's Microsoft build of OpenSSH for Windows.
            – Martin Prikryl
            Nov 15 at 15:12
















          I'm awake of that. It means that I will have to convert the key to a ppk format, which WINSCP offers right out of the box as it detects something else.
          – JustAGuy
          Nov 15 at 13:46




          I'm awake of that. It means that I will have to convert the key to a ppk format, which WINSCP offers right out of the box as it detects something else.
          – JustAGuy
          Nov 15 at 13:46












          I guess I'll have to give it a go now :) Cheers.
          – JustAGuy
          Nov 15 at 13:46




          I guess I'll have to give it a go now :) Cheers.
          – JustAGuy
          Nov 15 at 13:46












          I am not talking about the OpenSSH key format. Converting the key alone gives you nothing, because the client still won't be able to send the signed certificate to the server.
          – grawity
          Nov 15 at 13:47






          I am not talking about the OpenSSH key format. Converting the key alone gives you nothing, because the client still won't be able to send the signed certificate to the server.
          – grawity
          Nov 15 at 13:47














          That sounds strange... If the conversion is useless then why is it offering it automatically? Better yet, what would it take to do it right?
          – JustAGuy
          Nov 15 at 13:52






          That sounds strange... If the conversion is useless then why is it offering it automatically? Better yet, what would it take to do it right?
          – JustAGuy
          Nov 15 at 13:52






          1




          1




          @JustAGuy There's Microsoft build of OpenSSH for Windows.
          – Martin Prikryl
          Nov 15 at 15:12




          @JustAGuy There's Microsoft build of OpenSSH for Windows.
          – Martin Prikryl
          Nov 15 at 15:12


















           

          draft saved


          draft discarded



















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function () {
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fsuperuser.com%2fquestions%2f1375669%2fcreating-ssh-certificates-for-sftp-using-a-ca%23new-answer', 'question_page');
          }
          );

          Post as a guest















          Required, but never shown





















































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown

































          Required, but never shown














          Required, but never shown












          Required, but never shown







          Required, but never shown







          Popular posts from this blog

          Plaza Victoria

          Puebla de Zaragoza

          Musa