Creating SSH Certificates for SFTP using a CA
I'm a bit confused regarding the order of things to make this happen.
This is what I had in mind:
1 - Generate CA public and private key.
2 - Use CA Public Key with SFTP server (TrustedUserCAKeys).
3 - Generate a user private + public key.
4 - Sign user private key using CA.
5 - Connect to the SFTP server using the private key, username and winscp.
Should this work?
Solution 1:
CAs sign the public key (producing a certificate). They never see the signee's private key.
Besides that, the workflow seems correct, except for the WinSCP part.
The certificates used by TrustedUserCAKeys are a format invented by OpenSSH. Currently no other software supports this kind of certificate authentication – here's the PuTTY wishlist entry for them. Because WinSCP uses PuTTY as its SSH core, it does not have OpenSSH certificate support, and won't have it until PuTTY does.
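The corrected workflow from the answer, as an added example script that is not part of the original question or answer: the CA signs the user's public key, and the server only needs the CA's public key. Key file names, the principal "alice" and the validity window are assumptions.

```shell
#!/bin/sh
# Added example: OpenSSH user certificate flow with ssh-keygen.
# Assumed names: user_ca (CA key), id_ed25519 (user key), principal "alice".
set -eu

# Create the CA key pair, the user's key pair, and sign the user's PUBLIC key.
# Only user_ca.pub is copied to the server (TrustedUserCAKeys); user_ca stays
# on the CA host and the user's private key never leaves the client.
make_user_cert() {
    dir=$1
    principal=$2

    # 1. CA key pair
    ssh-keygen -q -t ed25519 -N '' -C 'example user CA' -f "$dir/user_ca"

    # 2. User key pair (generated on the client in practice)
    ssh-keygen -q -t ed25519 -N '' -C "$principal@client" -f "$dir/id_ed25519"

    # 3. Sign id_ed25519.pub -> id_ed25519-cert.pub
    #    -I key identity (shows up in sshd logs), -n allowed login principals,
    #    -V validity window; short lifetimes limit the impact of a stolen key.
    ssh-keygen -q -s "$dir/user_ca" -I "$principal-laptop" -n "$principal" \
        -V +52w "$dir/id_ed25519.pub"
}

# Check that a certificate was issued by the expected CA, which is the same
# trust decision sshd makes against TrustedUserCAKeys: compare the CA public
# key fingerprint with the "Signing CA" fingerprint printed by ssh-keygen -L.
cert_signed_by() {
    cert=$1
    ca_pub=$2
    ca_fp=$(ssh-keygen -lf "$ca_pub" | awk '{print $2}')
    ssh-keygen -L -f "$cert" | grep -qF -- "$ca_fp"
}

# Run the whole flow in a scratch directory and dump the certificate.
if command -v ssh-keygen >/dev/null 2>&1; then
    work=$(mktemp -d)
    make_user_cert "$work" alice
    ssh-keygen -L -f "$work/id_ed25519-cert.pub"
    cert_signed_by "$work/id_ed25519-cert.pub" "$work/user_ca.pub" \
        && echo "certificate chains to user_ca.pub"
else
    echo "ssh-keygen not found; install the OpenSSH client" >&2
fi
```

On the server, point TrustedUserCAKeys at the copied user_ca.pub; the OpenSSH client then logs in with `ssh -i id_ed25519 alice@host` and picks up id_ed25519-cert.pub automatically, while WinSCP cannot use the certificate for the reason the answer gives.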