keys

Paths to SSH server (host) private keys or certificates (with associated keys). Paths are relative to application installation directory. Arguments such as password can be enclosed in double quotes ("). Use backslash (\) to escape other inner double quotes and backslashes.

# example
keys:
  # Path to a key file
  - Z:\keys\ed25519.key

  # Path to an encrypted key file.
  - Z:\keys\ed25519.key; password="The \"strongest\" password"

  # Path to a PKCS#12 certificate
  - Z:\keys\cert.pfx

  # Path to a certificate file with an associated key file.
  - Z:\keys\rsa_cert.crt; key=Z:\keys\rsa.key

  # Path to the certificate store using a thumbprint
  - Cert:\CurrentUser\My\4110908f77c64c0edfc2de6273bfa9a98a9c5ce5
  
  # Path to the certificate store using CN and CA
  - Cert:\CurrentUser\My\example.com; CA=mycertauthority.com
  
  # All private keys from a directory (not recommended)
  - Z:\keys

Path syntax

Private key file path:

<path> [; password="<password>"]

password: 2.10.0+ password to decrypt the key file. If not specified, the key file is assumed to be unencrypted.

When the path points to a directory, all files in the directory are scanned for private keys. This feature is not recommended and will be likely removed in future versions.

2.10.0+ Certificate file path:

<path> [; key=<key path>] [; password=<password>]

key: path to a private key file associated with the certificate. If not specified, the certificate file is assumed to contain the private key.
password: password to decrypt the certificate file. If not specified, the certificate file is assumed to be unencrypted.

2.10.0+ Certificate store path:

cert:\<location>\<store>\<CN, SAN or thumbprint> [; thumbprint=<hex thumbprint>] [; CA=<CN of CA>] [; root=<CN or Root CA>]

location can be CurrentUser or LocalMachine
store can be e.g. My, Root, CA, etc.
CN, SAN or thumbprint can be either of:
- Common Name (CN), e.g. example.com
- Subject Alternate Name (SAN), e.g. example.org
- Thumbprint in hexadecimal format, e.g. 4110908f77c64c0edfc2de6273bfa9a98a9c5ce5
- * to match any certificate

When more than one certificate matches the criteria, the one with the latest effective date and is currently valid is used.

Supported file formats

Private key formats:

PKCS #8 (RFC 5208)
OpenSSH/OpenSSL (SSLeay)
New OpenSSH
PuTTY .ppk

Certificate formats:

PKCS #12 (.pfx, .p12)
DER-encoded X.509 (.cer, .crt, .der, .pem)

Supported host key algorithms can be found on dedicated documentation page

Key generation

Server keys are generated by the installer and stored in <config root>/keys directory, usually C:\ProgramData\Rebex\BuruSftp\keys.

Keys can be also created manually using burusftp keygen or burusftp init command or any third-party tool, such as ssh-keygen, openssl genpkey or PuTTYgen.

Remarks

When keys section is missing, then keys will be searched for in the following locations:

<config root>/keys (see configuration files for more details)
<application root>/keys