martin

Indeed, you are right, the /keygen does not detect the certificate automatically. Thanks for the correction.
davidmrlane

Hi Martin,

After I had renamed the certificate to id_rsa-cert.pub, the /keygen on the CLI didn't detect it automatically and still needed it as a parameter. Thanks for your hints!
rm $env:USERPROFILE\az_ssh_config\all_ips -r
az ssh config --file $env:USERPROFILE\config --ip * --overwrite --yes -force
& "C:\Program Files (x86)\WinSCP\WinSCP.exe" /keygen $env:USERPROFILE\az_ssh_config\all_ips\id_rsa /certificate=$env:USERPROFILE\az_ssh_config\all_ips\id_rsa.pub-aadcert.pub /output=$env:USERPROFILE\az_ssh_config\all_ips\id_rsa.ppk

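
The refresh-and-convert step from the post above, written as a reusable PowerShell function. This is an added example, not part of the original thread: it reads the certificate's validity window with `ssh-keygen -L` and re-runs `az ssh config` and `/keygen` only when the certificate is missing or about to expire. The function names, the 5-minute margin, the use of `WinSCP.com` from the same install folder and the presence of `ssh-keygen` on the PATH are assumptions.

```powershell
# Added example; paths follow the post above, function names are hypothetical.
$keyDir = Join-Path $env:USERPROFILE 'az_ssh_config\all_ips'
$config = Join-Path $env:USERPROFILE 'config'
$key    = Join-Path $keyDir 'id_rsa'
$cert   = Join-Path $keyDir 'id_rsa.pub-aadcert.pub'
$ppk    = Join-Path $keyDir 'id_rsa.ppk'
# Assumption: WinSCP.com (console interface) sits next to WinSCP.exe, so the
# call blocks until the conversion finishes and sets an exit code.
$winscp = 'C:\Program Files (x86)\WinSCP\WinSCP.com'

function Get-CertExpiry([string]$Path) {
    # "ssh-keygen -L" prints a line such as (constructed sample):
    #   Valid: from 2024-01-01T10:00:00 to 2024-01-01T11:00:00
    if (-not (Test-Path $Path)) { return $null }
    $m = & ssh-keygen -L -f $Path |
        Select-String -Pattern 'Valid: from \S+ to (\S+)' |
        Select-Object -First 1
    if (-not $m) { return $null }
    # -as yields $null instead of throwing if the value is not a timestamp
    return ($m.Matches[0].Groups[1].Value -as [datetime])
}

function Update-AzPpk([int]$MarginMinutes = 5) {
    $expiry  = Get-CertExpiry $cert
    $usable  = ($null -ne $expiry) -and ($expiry -gt (Get-Date).AddMinutes($MarginMinutes))
    if ($usable -and (Test-Path $ppk)) {
        return $ppk   # certificate still valid: reuse the existing .ppk
    }
    # Drop the expired key pair and certificate before requesting new ones.
    if (Test-Path $keyDir) { Remove-Item $keyDir -Recurse -Force }
    # Out-Host keeps tool output out of the function's return value.
    & az ssh config --file $config --ip '*' --overwrite --yes | Out-Host
    if ($LASTEXITCODE -ne 0) { throw "az ssh config failed (exit $LASTEXITCODE)" }
    & $winscp /keygen $key "/certificate=$cert" "/output=$ppk" | Out-Host
    if ($LASTEXITCODE -ne 0 -or -not (Test-Path $ppk)) {
        throw "WinSCP /keygen did not produce $ppk"
    }
    return $ppk
}

Update-AzPpk
```

The private key and the resulting .ppk are written without a passphrase, so the folder should stay readable only by the current user; the one-hour certificate lifetime limits how long a copied key remains useful.
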
martin

You can automate that:
az ssh config --file ./.ssh/config --ip *
ren id_rsa-aadcert.pub id_rsa-cert.pub
winscp.com /keygen id_rsa /output=id_rsa.ppk

Untested, but it should give you the idea.
See https://winscp.net/eng/docs/commandline#keygen
Maybe you can also use the --certificate-file switch to specify the "correct" name of the certificate file on the az ssh config command line to avoid the need to rename it:
https://learn.microsoft.com/en-us/cli/azure/ssh#az-ssh-config-optional-parameters
davidmrlane

Hi Martin, thank you for your prompt reply, and yes that did work :)

When you use:
az ssh config --file ./.ssh/config --ip *

It downloads: id_rsa, id_rsa.pub, id_rsa.pub-aadcert.pub. These are only valid for 1 hour so every time I want to use WinSCP I have to (rename aadcert.pub and) convert them to ppk.

Any chance of supporting OpenSSH format keys as well and reading the ssh config file?
Thanks,
David
martin

Re: Tunnel - Allow certificate with private key

davidmrlane wrote:

and when WinSCP converts them from OpenSSH format to ppk that doesn't bundle in the accompanying certificate that is required.

It should. If the certificate is present in the same folder and follows the standard naming format with -cert.pub suffix:
https://winscp.net/eng/docs/ui_login_authentication#convert
Do you have a different experience?
davidmrlane

Tunnel – Allow certificate with private key

Can the option for a certificate please be added to the Tunnel settings as there is on the Authentication page?

I am using Azure temporary SSH keys, and when WinSCP converts them from OpenSSH format to ppk that doesn't bundle in the accompanying certificate that is required.