Paths to SSH server (host) private keys or certificates (with associated keys). Paths are relative to application installation directory. Arguments such as password can be enclosed in double quotes ("). Use backslash (\) to escape other inner double quotes and backslashes.

2.14.1+ Environment variables can be used in file paths (not passwords or other fields).

# example
  # Path to a key file
  - Z:\keys\ed25519.key

  # Path to a key file with an environment variable 
  - %ProgramData%\Rebex\BuruSftp\keys\ed25519.key
  # Path to an encrypted key file.
  - Z:\keys\ed25519.key; password="The \"strongest\" password"

  # Path to a PKCS#12 certificate
  - Z:\keys\cert.pfx

  # Path to a certificate file with an associated key file.
  - Z:\keys\rsa_cert.crt; key=Z:\keys\rsa.key

  # Path to the certificate store using a thumbprint
  - Cert:\CurrentUser\My\4110908f77c64c0edfc2de6273bfa9a98a9c5ce5
  # Path to the certificate store using CN and CA
  - Cert:\CurrentUser\My\;
  # All private keys from a directory (not recommended)
  - Z:\keys

Path syntax

Private key file path:

<path> [; password="<password>"]
  • password: 2.10.0+ password to decrypt the key file. If not specified, the key file is assumed to be unencrypted.

2.10.0+ Certificate file path:

<path> [; key=<key path>] [; password=<password>]
  • key: path to a private key file associated with the certificate. If not specified, the certificate file is assumed to contain the private key.
  • password: password to decrypt the certificate file. If not specified, the certificate file is assumed to be unencrypted.

2.10.0+ Certificate store path:

cert:\<location>\<store>\<CN, SAN or thumbprint> [; thumbprint=<hex thumbprint>] [; CA=<CN of CA>] [; root=<CN or Root CA>]
  • location can be CurrentUser or LocalMachine
  • store can be e.g. My, Root, CA, etc.
  • CN, SAN or thumbprint can be either of:
    • Common Name (CN), e.g.
    • Subject Alternate Name (SAN), e.g.
    • Thumbprint in hexadecimal format, e.g. 4110908f77c64c0edfc2de6273bfa9a98a9c5ce5
    • * to match any certificate

Supported file formats

Private key formats:

  • PKCS #8 (RFC 5208)
  • OpenSSH/OpenSSL (SSLeay)
  • New OpenSSH
  • PuTTY .ppk

Certificate formats:

  • PKCS #12 (.pfx, .p12)
  • DER-encoded X.509 (.cer, .crt, .der, .pem)

Key generation

Server keys are generated by the installer and stored in <config root>/keys directory, usually C:\ProgramData\Rebex\BuruSftp\keys.

Keys can be also created manually using burusftp keygen or burusftp init command or any third-party tool, such as ssh-keygen, openssl genpkey or PuTTYgen.


When keys section is missing, then keys will be searched for in the following locations: