Creating SSH Certificates for SFTP using a CA
I'm a bit confused regarding the order of things to make this happen.
This is what I had in mind:
1 - Generate CA public and private key.
2 - Use CA Public Key with SFTP server (TrustedUserCAKeys).
3 - Generate a user private + public key.
4 - Sign user private key using CA.
5 - Connect to the SFTP server using the private key, username and winscp.
Should this work?
ssh certificate certificate-authority
asked Nov 15 at 12:50
JustAGuy
1 Answer
CAs sign the public key (producing a certificate). They never see the signee's private key.
Besides that, the workflow seems correct, except for the WinSCP part.
The certificates used by TrustedUserCAKeys are a format invented by OpenSSH. Currently no other software supports this kind of certificate authentication – here's the PuTTY wishlist entry for them. Because WinSCP uses PuTTY as its SSH core, it does not have OpenSSH certificate support, and won't have it until PuTTY does.
edited Nov 15 at 13:54
answered Nov 15 at 13:40
grawity
I'm aware of that. It means that I will have to convert the key to a ppk format, which WinSCP offers right out of the box as it detects something else.
– JustAGuy
Nov 15 at 13:46
I guess I'll have to give it a go now :) Cheers.
– JustAGuy
Nov 15 at 13:46
I am not talking about the OpenSSH key format. Converting the key alone gives you nothing, because the client still won't be able to send the signed certificate to the server.
– grawity
Nov 15 at 13:47
That sounds strange... If the conversion is useless then why is it offering it automatically? Better yet, what would it take to do it right?
– JustAGuy
Nov 15 at 13:52
@JustAGuy There's a Microsoft build of OpenSSH for Windows.
– Martin Prikryl
Nov 15 at 15:12
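As an added example (not from the question, the answer or any of the commenters), here are the five steps with step 4 corrected the way grawity describes: the CA signs the user's public key, and the server only ever receives the CA's public key. The key file names, the principal `sftpuser`, the SFTP-only restriction and the use of ed25519 are assumptions for this demo; the sshd_config line is written to a scratch file, not to a real server.

```shell
#!/bin/sh
# Added example: SSH user-certificate workflow with ssh-keygen. All names are
# constructed for the demo; nothing under /etc is touched.
set -eu

# Step 1: CA key pair in directory $1. Only ca_key.pub is ever handed out;
# step 2 is the single sshd_config line that points the server at it.
make_ca() {
    ssh-keygen -q -t ed25519 -N '' -C 'demo-sftp-ca' -f "$1/ca_key"
    printf 'TrustedUserCAKeys /etc/ssh/sftp_ca.pub\n' > "$1/sshd_config.snippet"
}

# Step 3: the user's own key pair. The private half never leaves the user.
make_user_key() {
    ssh-keygen -q -t ed25519 -N '' -C 'sftpuser@client' -f "$1/user_key"
}

# Step 4: the CA signs user_key.pub (never the private key), producing
# user_key-cert.pub. -I is the key identity that shows up in sshd logs,
# -n the login names the cert is valid for, -V the validity window;
# -O clear plus force-command makes it an SFTP-only certificate.
sign_user_key() {
    ssh-keygen -q -s "$1/ca_key" -I 'demo-sftpuser' -n sftpuser -V +52w \
        -O clear -O force-command=internal-sftp "$1/user_key.pub"
}

# The check sshd performs conceptually at step 5: the certificate's
# "Signing CA" fingerprint must match a key listed in TrustedUserCAKeys.
cert_signed_by_ca() {
    ca_fp=$(ssh-keygen -lf "$1/ca_key.pub" | awk '{print $2}')
    ssh-keygen -L -f "$1/user_key-cert.pub" | grep -q "Signing CA:.*$ca_fp"
}

if command -v ssh-keygen >/dev/null 2>&1; then
    WORK=$(mktemp -d)
    trap 'rm -rf "$WORK"' EXIT
    make_ca "$WORK"; make_user_key "$WORK"; sign_user_key "$WORK"
    # Show principals, validity and critical options as the server sees them.
    ssh-keygen -L -f "$WORK/user_key-cert.pub"
    cert_signed_by_ca "$WORK" && echo 'certificate chains to the demo CA'
else
    echo 'ssh-keygen not found; nothing to demonstrate' >&2
fi
```

An OpenSSH client (including the Microsoft build mentioned in the comments) picks up `user_key-cert.pub` automatically when `user_key` is given as the identity, which is the part a PuTTY-based client cannot do.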