
I am trying to get an SSH cert for an SFTP setup with a third-party vendor. It should be in PEM format and SSH2, using the RSA algorithm with a key length of 2048.

Do the steps below make sense? (Please correct me if I am wrong.)

  1. First, I need to create a key pair: ssh-keygen -f ssh_host_rsa_key -N '' -b 2048 -t rsa
  2. Convert them to SSH2/RFC4716 format: ssh-keygen -ef ssh_host_rsa_key -mRFC4716 (private key)
  3. Create a CA key pair and try to sign the public key with the CA private key to derive the SSH cert.
  4. Once we have the SSH cert, convert it into PEM format.

I followed the process below but got stuck here.

  1. First, created a key pair with 2048 length (command: ssh-keygen -f ssh_host_rsa_key -N '' -b 2048 -t rsa). The private key starts with "BEGIN OPENSSH PRIVATE KEY"; the public key starts with "ssh-rsa".

  2. Converted the private key (I believe the private key will contain the key pair, private key + public key) to SSH2/RFC4716 format and named the new file ssh_host_rsa_key_4716. Command: ssh-keygen -ef ssh_host_rsa_key -mRFC4716 > ssh_host_rsa_key_4716

The private key changed to SSH2 format, but the public key is still the same (starts with ssh-rsa). So I manually converted the public key to SSH2 format.

However, when I created a pair of CA keys and tried to sign the public key with the CA private key, it took the original public key (ssh-rsa format) but not the converted SSH2-format public key.

Can you please give your input or any guidance?

I tried different key combinations, but for some reason I am missing something basic. I am trying to generate an SSH cert for an SFTP setup but am stuck along the way.
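The four steps above, walked through with OpenSSH's ssh-keygen as an added example (this is not code from the original post), recording what each command actually writes. It assumes ssh-keygen from OpenSSH 7.8 or later, built with OpenSSL, is on PATH; the file names, key comment, key ID sftp-user-key-1, principal sftp-user and script name ssh_cert_demo.sh are placeholders chosen for the example.

```shell
#!/bin/sh
# Added example, not from the original post. Walks the question's four steps
# with OpenSSH's ssh-keygen and shows what each one really produces.
# Assumes: ssh-keygen (OpenSSH >= 7.8, built with OpenSSL) on PATH.
# Placeholders: all file names, the key comment, key ID and principal.
set -eu

# Step 1: RSA-2048 user key pair, no passphrase (same flags as the question).
make_user_key() {                      # usage: make_user_key DIR
    ssh-keygen -q -t rsa -b 2048 -N '' -C 'sftp-user@example.test' -f "$1/id_rsa"
    # $1/id_rsa     -> "-----BEGIN OPENSSH PRIVATE KEY-----" (private, OpenSSH format)
    # $1/id_rsa.pub -> "ssh-rsa AAAA... sftp-user@example.test" (public, one line)
}

# Step 2: "ssh-keygen -e" exports the PUBLIC key only. Pointing -f at the
# private key file does not convert the private key; ssh-keygen reads the
# matching public half and prints it in the requested format, so the
# question's "ssh_host_rsa_key_4716" file held a public key.
#   RFC4716 -> "---- BEGIN SSH2 PUBLIC KEY ----"   (SSH2 / RFC 4716)
#   PEM     -> "-----BEGIN RSA PUBLIC KEY-----"    (PKCS#1 RSAPublicKey)
#   PKCS8   -> "-----BEGIN PUBLIC KEY-----"        (SubjectPublicKeyInfo)
export_public_key() {                  # usage: export_public_key DIR FORMAT
    ssh-keygen -e -m "$2" -f "$1/id_rsa.pub"
}

# If a PEM *private* key is what the vendor wants, that is a different
# operation: rewrite the private key file in place with -p -m PEM.
export_private_key_pem() {             # usage: export_private_key_pem DIR
    ssh-keygen -q -p -m PEM -N '' -f "$1/id_rsa" >/dev/null
    head -n 1 "$1/id_rsa"              # "-----BEGIN RSA PRIVATE KEY-----"
}

# Step 3: a CA key pair, then a certificate for the user key. "-s" takes the
# one-line OpenSSH .pub, which is why signing worked only with that file.
issue_cert() {                         # usage: issue_cert DIR
    ssh-keygen -q -t ed25519 -N '' -C 'sftp-ca' -f "$1/sftp_ca"
    ssh-keygen -q -s "$1/sftp_ca" -I 'sftp-user-key-1' -n sftp-user -V +52w "$1/id_rsa.pub"
    # writes $1/id_rsa-cert.pub: "ssh-rsa-cert-v01@openssh.com AAAA..."
    cut -d ' ' -f 1 "$1/id_rsa-cert.pub"
}

# Step 4: there is no PEM form of an OpenSSH certificate. It is an OpenSSH
# wire structure (key, key ID, principals, validity, CA signature), not an
# X.509 certificate. Inspect it with -L. A server honours it only if the CA
# public key is listed in sshd_config TrustedUserCAKeys (or in an
# authorized_keys "cert-authority" entry); a brand-new CA the vendor has
# never seen buys nothing.
show_cert() {                          # usage: show_cert DIR
    ssh-keygen -L -f "$1/id_rsa-cert.pub"
}

# Whole walk-through in a scratch directory, printing the first line of each
# artefact so the formats can be compared side by side.
demo() {
    dir=$(mktemp -d)
    make_user_key "$dir"
    printf 'private: %s\n' "$(head -n 1 "$dir/id_rsa")"
    printf 'public:  %s\n' "$(cut -d ' ' -f 1 "$dir/id_rsa.pub")"
    for fmt in RFC4716 PEM PKCS8; do
        printf '%-8s %s\n' "$fmt:" "$(export_public_key "$dir" "$fmt" | head -n 1)"
    done
    printf 'PEM priv: %s\n' "$(export_private_key_pem "$dir")"
    printf 'cert:    %s\n' "$(issue_cert "$dir")"
    show_cert "$dir"
    rm -rf "$dir"
}

# Run the demo when executed as a script; do nothing when sourced.
case "$0" in *ssh_cert_demo.sh) demo ;; esac
```

Run it as sh ssh_cert_demo.sh, or source it and call demo. The point it makes: -e exports the public key in the named format, signing wants the one-line .pub, and the certificate has no PEM form, so a vendor asking for an RFC4716 or PEM key almost certainly wants the plain public key from step 2 and nothing from steps 3 and 4; a certificate only helps if the vendor's sshd already trusts the CA that signed it.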

  • Are you sure the vendor supports verifying OpenSSH-format certificates? If they require a pubkey in RFC4716 format, they most likely support only raw pubkeys. (And, why does the private key need to be in a specific format? The server doesn't know or care what format the privkey is in.) Commented May 10, 2023 at 12:22
  • Thanks for the response @user1686. I am not sure why they need this format; I will check with them, but is this scenario possible by any chance, and would it work successfully?
    – raviv0731
    Commented May 10, 2023 at 13:24
  • It's technically possible (all SSH pubkey formats can hold any key type, you might just need to sign it first and convert after), but practically unlikely. Commented May 10, 2023 at 13:26
  • Do the steps below look OK to get this done? 1. First, I need to create a key pair (ssh-keygen -f ssh_host_rsa_key -N '' -b 2048 -t rsa). 2. Convert them to SSH2/RFC4716 format (ssh-keygen -ef ssh_host_rsa_key -mRFC4716, private key). 3. Create a CA key pair and try to sign the public key with the CA private key and get the SSH cert. 4. Once we have the SSH cert, convert it into PEM format.
    – raviv0731
    Commented May 10, 2023 at 13:45
  • I don't really understand why the CA is involved here at all. What purpose does signing the user pubkey serve? It would make sense if you were using an existing, established internal CA to sign it, but you're creating a brand new CA – which the server doesn't know about – do you really need it at all? Commented May 10, 2023 at 13:55

1 Answer


The issue is resolved using public/private key authentication. This can be closed. Thanks, user1686.

