Tunnel – Allow certificate with private key

davidmrlane

Can the option for a certificate please be added to the Tunnel settings as there is on the Authentication page?

I am using Azure temporary SSH keys, and when WinSCP converts them from OpenSSH format to ppk that doesn't bundle in the accompanying certificate that is required.

[Screenshot: Certificate option to use with private key]

[Screenshot: Option to use certificate to use with private key is missing]

martin
Site Admin

Re: Tunnel - Allow certificate with private key

davidmrlane wrote:
> and when WinSCP converts them from OpenSSH format to ppk that doesn't bundle in the accompanying certificate that is required.

It should, if the certificate is present in the same folder and follows the standard naming format with the -cert.pub suffix:
https://winscp.net/eng/docs/ui_login_authentication#convert
Do you have a different experience?

davidmrlane

Hi Martin, thank you for your prompt reply, and yes that did work :)

When you use:
az ssh config --file ./.ssh/config --ip *
It downloads: id_rsa, id_rsa.pub, id_rsa.pub-aadcert.pub. These are only valid for 1 hour, so every time I want to use WinSCP I have to (rename aadcert.pub and) convert them to ppk.

Any chance of supporting OpenSSH format keys as well and reading the ssh config file?
Thanks,
David

martin
Site Admin

You can automate that:
az ssh config --file ./.ssh/config --ip *
ren id_rsa-aadcert.pub id_rsa-cert.pub
winscp.com /keygen id_rsa /output=id_rsa.ppk
Untested, but it should give you the idea.
See https://winscp.net/eng/docs/commandline#keygen
Maybe you can also use the --certificate-file switch to specify the "correct" name of the certificate file on the az ssh config command line to avoid the need to rename it:
https://learn.microsoft.com/en-us/cli/azure/ssh#az-ssh-config-optional-parameters

davidmrlane

Hi Martin,

After I had renamed the certificate to id_rsa-cert.pub, the /keygen on the CLI didn't detect it automatically and still needed it as a parameter. Thanks for your hints!
rm $env:USERPROFILE\az_ssh_config\all_ips -r; az ssh config --file $env:USERPROFILE\config --ip * --overwrite --yes -force; & "C:\Program Files (x86)\WinSCP\WinSCP.exe" /keygen $env:USERPROFILE\az_ssh_config\all_ips\id_rsa /certificate=$env:USERPROFILE\az_ssh_config\all_ips\id_rsa.pub-aadcert.pub /output=$env:USERPROFILE\az_ssh_config\all_ips\id_rsa.ppk
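
The refresh-and-convert step discussed in this thread, wrapped so it only runs when the one-hour certificate is missing or about to expire. This is an added example, not part of any post in the thread; it assumes the paths from the last post, that WinSCP.com is installed next to WinSCP.exe, and that the Windows OpenSSH client's ssh-keygen is on PATH.

```powershell
# Added example (not from the thread). All paths are assumptions based on the last post.
$configFile = Join-Path $env:USERPROFILE 'config'
$keyDir     = Join-Path $env:USERPROFILE 'az_ssh_config\all_ips'
$key        = Join-Path $keyDir 'id_rsa'
$cert       = Join-Path $keyDir 'id_rsa.pub-aadcert.pub'
$ppk        = Join-Path $keyDir 'id_rsa.ppk'
$winscp     = 'C:\Program Files (x86)\WinSCP\WinSCP.com'   # assumed console build location

function Get-CertExpiry([string]$Path) {
    # Returns the certificate's "valid to" time, or $null if it cannot be read.
    # "ssh-keygen -L" prints a line such as (local time):
    #   Valid: from 2024-08-29T10:00:00 to 2024-08-29T11:00:00
    if (-not (Test-Path $Path)) { return $null }
    $match = & ssh-keygen -L -f $Path |
        Select-String -Pattern 'Valid: from \S+ to (\S+)' |
        Select-Object -First 1
    if (-not $match) { return $null }
    return [datetime]::Parse($match.Matches[0].Groups[1].Value,
                             [cultureinfo]::InvariantCulture)
}

$expiry = Get-CertExpiry $cert

# Refresh when there is no readable certificate, fewer than 5 minutes remain,
# or the converted key is missing.
$stale = ($null -eq $expiry) -or ($expiry -lt (Get-Date).AddMinutes(5)) -or
         (-not (Test-Path $ppk))

if ($stale) {
    # Remove the old .ppk first so a failed refresh cannot leave an expired one behind.
    Remove-Item $ppk -ErrorAction SilentlyContinue

    az ssh config --file $configFile --ip '*' --overwrite --yes
    if ($LASTEXITCODE -ne 0) { throw "az ssh config failed (exit code $LASTEXITCODE)" }

    # Pass the certificate explicitly, as in the last post, instead of relying
    # on the -cert.pub naming convention.
    & $winscp /keygen $key "/certificate=$cert" "/output=$ppk"
    if ($LASTEXITCODE -ne 0) { throw "WinSCP /keygen failed (exit code $LASTEXITCODE)" }

    $expiry = Get-CertExpiry $cert
}

Write-Host "Key with certificate: $ppk (certificate valid until $expiry)"
```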
