Discuss this help topic in SecureBlackbox Forum

Create an SSH key from an X.509 certificate

SSH supports X.509 certificates as one form of key authentication. While it is not as powerful and widely used as it is in TLS ecosystem, it still allows to utilize the power of X.509-based PKI in SSH environments.

To use an X.509 certificate with your SSH components - either client- or server-side - you need to convert it to TElSSHKey, a common key container understood by the components. This is done with Import() method:


// Loading the certificate into a TElX509Certificate instance
TElX509Certificate cert = new TElX509Certificate();
int res = cert.LoadFromFileAuto(@"C:\Certs\cert.pfx", "password");
if (res != 0)
	throw new Exception("Bad certificate");

// Importing the certificate to a TElSSHKey object
TElSSHKey key = new TElSSHKey();

// You're all set. You can now use the key object as you do with standard SSH keys:
TElSSHMemoryKeyStorage storage = new TElSSHMemoryKeyStorage();
client.KeyStorage = storage;

To check whether a key your received from the client or server was created from an X.509 certificate, compare its KeyFormat property to TSBSSHKeyFormat.kfX509. If that is the case, you can access the certificate via the TElSSHKey.Certificate property. You can also use any other properties of the key object (such as FingerprintSHA1) as you do with regular keys.

How To articles about SSH keys

Discuss this help topic in SecureBlackbox Forum