Creating SSH Certificates for SFTP using a CA

I'm a bit confused regarding the order of things to make this happen.

This is what I had in mind:

1 - Generate CA public and private key.

2 - Use CA Public Key with SFTP server (TrustedUserCAKeys).

3 - Generate a user private + public key.

4 - Sign user private key using CA.

5 - Connect to the SFTP server using the private key, username and winscp.

Should this work?
Solution 1:

CAs sign the public key (producing a certificate). They never see the signee's private key.

Besides that, the workflow seems correct, except for the WinSCP part.

The certificates used by TrustedUserCAKeys are a format invented by OpenSSH. Currently no other software supports this kind of certificate authentication – here's the PuTTY wishlist entry for them. Because WinSCP uses PuTTY as its SSH core, it does not have OpenSSH certificate support, and won't have it until PuTTY does.
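The steps from the question carried out with OpenSSH's ssh-keygen in a scratch directory, as an added example that is not part of the question or the answer above. It shows that the CA only ever receives the user's public key (the `-s` signing step), and what the server sees in the resulting certificate; the file names, the principal `alice`, the key ID and the 52-week validity are assumptions made for the demonstration.

```shell
#!/bin/sh
# Added example: OpenSSH user-certificate workflow with a CA.
# Requires ssh-keygen (openssh-client). File names and the principal
# "alice" are constructed for this demonstration.
set -eu

ssh_ca_demo() {
    command -v ssh-keygen >/dev/null 2>&1 || { echo "skipped: ssh-keygen missing"; return 0; }
    work=$(mktemp -d)
    mkdir "$work/ca" "$work/user" "$work/server"

    # 1 - CA key pair. The private half (ca/ca_key) stays on the CA host.
    ssh-keygen -q -t ed25519 -N '' -C 'demo-ca' -f "$work/ca/ca_key"

    # 2 - The SFTP server trusts the CA *public* key via TrustedUserCAKeys.
    cp "$work/ca/ca_key.pub" "$work/server/user_ca.pub"
    printf 'TrustedUserCAKeys /etc/ssh/user_ca.pub\n' > "$work/server/sshd_config.snippet"

    # 3 - User key pair, generated on the user's own machine.
    ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$work/user/id_ed25519"

    # 4 - Only the PUBLIC key is handed to the CA; the CA signs it and
    #     produces id_ed25519-cert.pub. The private key never leaves the user.
    cp "$work/user/id_ed25519.pub" "$work/ca/id_ed25519.pub"
    ssh-keygen -q -s "$work/ca/ca_key" -I 'alice-laptop' -n alice -V +52w "$work/ca/id_ed25519.pub"
    cp "$work/ca/id_ed25519-cert.pub" "$work/user/id_ed25519-cert.pub"

    # 5 - Inspect what sshd will check: certificate type and principal list.
    ssh-keygen -L -f "$work/user/id_ed25519-cert.pub" > "$work/cert.txt"
    grep -q 'user certificate' "$work/cert.txt"
    grep -Eq '^[[:space:]]+alice$' "$work/cert.txt"
    # The CA side must hold no copy of the user's private key.
    [ ! -e "$work/ca/id_ed25519" ]
    echo "ok: certificate and config written under $work"
}
```

The user then connects with `id_ed25519` plus `id_ed25519-cert.pub` from an OpenSSH client; as the answer notes, WinSCP's PuTTY core cannot present this certificate.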