Tunnel – Allow certificate with private key

Advertisement

davidmrlane
Joined:
Posts:
3
Location:
UK

Tunnel – Allow certificate with private key

Can the option for a certificate please be added to the Tunnel settings as there is on the Authentication page?

I am using Azure temporary SSH keys, and when WinSCP converts them from OpenSSH format to ppk that doesn't bundle in the accompanying certificate that is required.

Description: Certificate option to use with private key

Screenshot 2024-08-29 100026.png

Description: Option to use certificate to use with private key is missing

Screenshot 2024-08-29 100119.png

Reply with quote

Advertisement

martin
Site Admin
martin avatar
Joined:
Posts:
41,518
Location:
Prague, Czechia

Re: Tunnel - Allow certificate with private key

davidmrlane wrote:

and when WinSCP converts them from OpenSSH format to ppk that doesn't bundle in the accompanying certificate that is required.
It should. If the certificate is present in the same folder and follows the standard naming format with -cert.pub suffix:
https://winscp.net/eng/docs/ui_login_authentication#convert
Do you have a different experience?

Reply with quote

davidmrlane
Joined:
Posts:
3
Location:
UK

Hi Martin, thank you for your prompt reply, and yes that did work :)

When you use:
az ssh config --file ./.ssh/config --ip *
It downloads: id_rsa, id_rsa.pub, id_rsa.pub-aadcert.pub. These are only valid for 1 hour so everytime I want to use WinSCP I have to (rename aadcert.pub and) convert them to ppk.

Any chance of supporting OpenSSH format keys as well and reading the ssh config file?
Thanks,
David

Reply with quote

martin
Site Admin
martin avatar
Joined:
Posts:
41,518
Location:
Prague, Czechia

You can automate that:
az ssh config --file ./.ssh/config --ip *
ren id_rsa-aadcert.pub id_rsa-cert.pub
winscp.com /keygen id_rsa /output=id_rsa.ppk
Untested, but it should give you the idea.
See https://winscp.net/eng/docs/commandline#keygen
Maybe you can also use --certificate-file switch to specify the "correct" name of the certificate file on the az ssh config commandline to avoid the need to rename it:
https://learn.microsoft.com/en-us/cli/azure/ssh#az-ssh-config-optional-parameters

Reply with quote

davidmrlane
Joined:
Posts:
3
Location:
UK

Hi Martin,

After I had renamed the certificate to id_rsa-cert.pub, the /keygen on the cli didn't detect it automatically and still needed it as parameter. Thanks for your hints!
rm $env:USERPROFILE\az_ssh_config\all_ips -r; az ssh config --file $env:USERPROFILE\config --ip * --overwrite --yes -force; & "C:\Program Files (x86)\WinSCP\WinSCP.exe" /keygen $env:USERPROFILE\az_ssh_config\all_ips\id_rsa /certificate=$env:USERPROFILE\az_ssh_config\all_ips\id_rsa.pub-aadcert.pub /output=$env:USERPROFILE\az_ssh_config\all_ips\id_rsa.ppk

Reply with quote

Advertisement

Advertisement

You can post new topics in this forum