0 votes
by (120 points)

Do I need to register for a certificate like you do for HTTPS in order to use SFTP?

If YES, is it integrated with Let's Encrypt ?

Evan

Applies to: Rebex SFTP

1 Answer

0 votes
by (148k points)

SFTP runs over SSH, and although SSH does support X.509 certificates (the same kind used for HTTPS and by Let's Encrypt), this is rarely used. More often, SSH communication is secured by asymmetric keys only. Instead of a certificate, the server (and optionally the client) present it's public key, and proves that it has the corresponding private key (by means of asymmetric algorithm such as RSA, ECDSA or EdDSA).

The drawback to this is that there is no way to actually verify the public key presented is actually the right one - therefore, SFTP/SSH clients usually maintain a list of already-known server keys. Once a server key is added to the list, it's then expected the server will use the same key for subsequent connections, which the client can check by looking it up in the list. See https://www.rebex.net/sftp.net/features/security.aspx#verify-fingerprint for more information about how this can be done with Rebex SFTP.

by (120 points)
Thanks - is there documentation on how to generate anymetric keys?
by (148k points)
by (120 points)
So I need to code it to create a key?  There is no tool to do it?
by (148k points)
There are tools as well:
a) Download and install Rebex SFTP (https://www.rebex.net/sftp.net/download.aspx) along with samples. This will install a key generator tool to "c:\Program Files (x86)\Rebex Components R6.3\samples\bin\KeyGenerator.exe"
b) Download and install or unpack Rebex Buru Server (https://www.rebex.net/buru-sftp-server/download/). Use "burusftp keygen" command to generate keys (see https://www.rebex.net/buru-sftp-server/doc/burusftp/keygen for details)
c) Alternatively, for a third-party option, download puttygen.exe from PuTTY (https://www.chiark.greenend.org.uk/~sgtatham/putty/latest.html). This can also generate keys compatible with Rebex SFTP.
by (120 points)
thanks - will try it later today
...