Certificate path format

Buru SFTP Server uses a specific string format to load X.509 certificates and private keys from the local filesystem or the Windows Certificate Store. This format is used in config.yaml for SSH host keys and FTP certificate groups.

The webconfig.yaml uses a different syntax for HTTPS certificates (structured YAML properties instead of a path string).

Certificate file path

Load a certificate directly from a file:

<path> [; key=<key path>] [; password=<password>]

path <certificate path> (required)

Path to the certificate file.

key <key path>

Path to a separate private key file. If omitted, the certificate file must contain the private key.

password <password>

Password to decrypt the file. If omitted, the file is assumed to be unencrypted.

Supported file formats:

  • PKCS #12: .pfx, .p12
  • X.509 (DER-encoded): .cer, .crt, .der, .pem

# certificate with a password
- '%ProgramData%\Rebex\BuruSftp\certificates\cert.pfx;password="Very \"secret\" password"'

# certificate with a separate key file
- 'C:\certs\rsa_cert.crt; key=C:\certs\rsa.key'

Certificate store path

Load a certificate from the Windows Certificate Store using the cert: prefix:

cert:\<location>\<store>\<identifier> [; thumbprint=<hex>] [; CA=<CA CN>] [; root=<root CA CN>]

location (CurrentUser | LocalMachine) (required)

Certificate store location.

store <store name> (required)

Store name, e.g. My (Personal), Root, CA, WebHosting.

identifier (<CN> | <SAN> | <thumbprint> | '*') (required)

Common Name (CN), Subject Alternative Name (SAN), hexadecimal thumbprint, or * to match any valid certificate.

thumbprint <hex>

Filter by hexadecimal thumbprint.

CA <issuer CN>

Filter by the issuing Certificate Authority's Common Name.

root <root CA CN>

Filter by the Root CA's Common Name.

# Local Machine Personal store, filtered by CN and CA
- 'cert:\LocalMachine\My\example.com;CA=mycertauthority.com'

# Current User Personal store, by thumbprint
- 'cert:\CurrentUser\My\3aae0a5e776652d58c54e98c644faf97e6b7c546'

If multiple certificates match, the valid certificate with the latest effective date is selected.

Value syntax

The syntax described below is still subject to YAML escaping rules when used in configuration files.

             Quoted ("value")                                                     Unquoted (value)
Delimiter    Closing "                                                            Semicolon (;)
\ behavior   Escape character: \" produces ", \\ produces \, otherwise literal    Always literal

Examples:

Input                           Result
"very \"secret\" password"      very "secret" password
very \"secret\" password        very \"secret\" password
"C:\Program Files"              C:\Program Files
C:\certs\cert.pfx               C:\certs\cert.pfx

In version 2.14.1 and later, path values (not passwords or other fields) can include environment variables using %NAME% syntax, e.g. %ProgramData%\Rebex\BuruSftp\cert.pfx resolves to C:\ProgramData\Rebex\BuruSftp\cert.pfx.
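
The following Python parser is an added example, not Buru SFTP Server's own code: it applies the quoted and unquoted value rules above to a whole certificate path string, so a value can be checked before it goes into config.yaml. The function names, the trimming of spaces around unquoted values, treating only path and key as path values, and leaving undefined %NAME% variables unchanged are assumptions.

```python
import re

PATH_FIELDS = ("path", "key")  # assumption: the fields that count as "path values"

def read_value(s, i=0):
    """Read one value starting at s[i]; return (value, index after it)."""
    while i < len(s) and s[i].isspace():
        i += 1
    if i < len(s) and s[i] == '"':
        # Quoted: runs to the closing ". \" gives ", \\ gives \, other \ is literal.
        out, i = [], i + 1
        while i < len(s) and s[i] != '"':
            if s[i] == "\\" and s[i + 1:i + 2] in ('"', "\\"):
                i += 1
            out.append(s[i])
            i += 1
        if i >= len(s):
            raise ValueError("unterminated quoted value")
        return "".join(out), i + 1
    # Unquoted: runs to the next semicolon; backslash is always literal.
    end = s.find(";", i)
    end = len(s) if end == -1 else end
    return s[i:end].strip(), end  # trimming spaces is an assumption

def parse_cert_path(spec, env=None):
    """Split '<path> [; name=value]...' into a dict of field values."""
    fields = {}
    fields["path"], i = read_value(spec)
    while spec[i:].strip():
        m = re.match(r"\s*;\s*(\w+)\s*=", spec[i:])
        if not m:
            raise ValueError(f"expected '; name=value' at offset {i}")
        fields[m.group(1)], i = read_value(spec, i + m.end())
    for name in PATH_FIELDS:
        if env and name in fields:
            # %NAME% expansion applies to path values only, never to passwords.
            # Undefined variables are left unchanged (assumption).
            fields[name] = re.sub(r"%([^%]+)%",
                                  lambda v: env.get(v.group(1), v.group(0)), fields[name])
    return fields
```

Because an unquoted value ends at the first semicolon, a password that contains a semicolon has to be written in the quoted form; this parser rejects the unquoted variant instead of silently truncating it.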
