openssh uses its own format for public keys and certificates, but does seem to use a standard PEM / PKCS#1 format for private keys. I'm trying to figure out how to use xca to manage openssh keys and certificates.
My best guess is that I can use xca to generate the private keys, then export them and use ssh-keygen to produce openssh public keys and certificates.
Has anyone else tried this? Any tips or other ideas about the process?
Thanks.
Jerry
OpenSSH certificates are quite different from x509 certificates. The only common thing is the name "certificate" and the idea of bundling a public key with user information and signing it.
The file format of SSH public keys is pretty simple.
Adding import/export support for them to XCA shouldn't be that hard.
The SSH-certificate is an extension of the SSH-public-key, and the SSH-public-key import function would be able to import the public key part of an SSH-certificate.
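To illustrate the two points above (the public-key file format is simple, and a certificate's public-key part can be read by the same importer), here is an added example that is not part of this thread or of xca's code. It parses an `ssh-ed25519` key line and an `ssh-ed25519-cert-v01@openssh.com` certificate line with one field reader; the function names and the sample key bytes are constructed for this example.

```python
"""Parse OpenSSH public-key lines ("<type> <base64 blob> [comment]").
The blob is a sequence of SSH "string" fields: 4-byte big-endian length,
then the bytes. ssh-ed25519: string type, string key (32 bytes).
ssh-ed25519-cert-v01@openssh.com: string type, string nonce, string key, ...
so the same field reader recovers the public key embedded in a certificate."""
import base64
import struct

def read_string(buf, off):
    """Return (field, new_offset) for one length-prefixed SSH string."""
    if off + 4 > len(buf):
        raise ValueError("truncated length prefix")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string field")
    return buf[off:off + n], off + n

def ssh_string(b):
    """Encode bytes as an SSH string (used here only to build sample input)."""
    return struct.pack(">I", len(b)) + b

def parse_ssh_public_key(line):
    """Return {'type', 'key', 'comment'} for an ed25519 key or certificate line."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, blob_b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(blob_b64, validate=True)
    inner_type, off = read_string(blob, 0)
    if inner_type.decode("ascii", "replace") != key_type:
        raise ValueError("key type inside blob does not match line prefix")
    if key_type.endswith("-cert-v01@openssh.com"):
        _nonce, off = read_string(blob, off)  # certificates carry a nonce first
    if not key_type.startswith("ssh-ed25519"):
        raise ValueError("only ssh-ed25519 keys/certs are handled in this example")
    pubkey, off = read_string(blob, off)
    if len(pubkey) != 32:
        raise ValueError("ed25519 public key must be 32 bytes")
    return {"type": key_type, "key": pubkey, "comment": comment}

# Constructed sample inputs (not real keys); the certificate body after the key
# is stand-in bytes, since only the public-key part is extracted here.
SAMPLE_KEY = bytes(range(32))
SAMPLE_PUB_LINE = "ssh-ed25519 " + base64.b64encode(
    ssh_string(b"ssh-ed25519") + ssh_string(SAMPLE_KEY)).decode() + " jerry@host"
SAMPLE_CERT_LINE = "ssh-ed25519-cert-v01@openssh.com " + base64.b64encode(
    ssh_string(b"ssh-ed25519-cert-v01@openssh.com") + ssh_string(b"nonce")
    + ssh_string(SAMPLE_KEY) + ssh_string(b"remaining-cert-fields")).decode()
```

Real certificates carry further fields after the key (serial, principals, validity, CA key, signature); an importer that only wants the public key can stop after the key field, but must not treat the line as a verified certificate.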
Thanks, Christian!
Hi Jerry,
yesterday night I had some time to add SSH-Public-Key import/export functionality. It seems to work fine.
https://sourceforge.net/p/xca/code/ci/master/tree/
If you need help compiling, just drop me a private mail.
Thanks again Christian!
It's all working fine for me too. If you ever have time to add support for openssh certificates, that would be really awesome. I know, always more feature requests :)
Seriously, thanks again for this very useful tool.
Jerry
You're welcome.
But as I said before:
OpenSSH certificates are quite different from x509 certificates. The only common thing is the name "certificate" and the idea of bundling a public key with user information and signing it.
I don't think I will ever implement SSH certificate support. It does not fit.
Maybe you want to go the X509 way: http://roumenpetrov.info/openssh/
That's understandable.
I saw Roumen's work when I was researching all of this. I wish the openssh group would integrate x509 support into mainstream, but apparently they feel strongly that simple is safer, so I suppose I'll have to live with openssh certs or switch to the customized version.
Thanks again.
Jerry