
support for OpenSSH's certificate system

Open 4bo opened this issue 2 years ago • 2 comments

As of version 0.78, putty supports OpenSSH's certificate system (in PuTTY Configuration, from Connection -> SSH -> Auth -> Credentials -> Certificate to use with the private key). Is there any way to use this kind of cert while the corresponding private key is stored in an HSM?

4bo avatar Dec 08 '22 09:12 4bo

I don't see a clear path to implementation given how unique the OpenSSH certificates are. Curious if anyone else has input.

NoMoreFood avatar Jan 10 '23 01:01 NoMoreFood

I got putty-cac 0.78 to work with openssh certs, at least for CAPI certs (tested with a PIV-I card), so it may just work the same with PKCS certs (HSM via PKCS11).

  1. Create a new putty session
  2. Set the remote hostname, default username in usual locations
  3. In Connection -> SSH -> Auth -> Credentials -> Certificate to use with the privatekey set the openssh cert corresponding to the key you want to use
  4. In Connection -> SSH -> Certificate -> Set CAPI Cert (Set PKCS Cert in your case)
  5. Open your connection

I think this is fine when working directly with putty.exe, but it won't work when using plink and pageant. The next step would be to add a way in pageant to associate a key with an openssh cert in a persistent way and let putty use it in the same way as putty.exe does. Eventually perhaps even take the openssh cert directly from a SAN value (type uri, value of urn:example:{base64 encoded cert} or something) or a custom extension in the X509 certificate matching the key, either in CAPI or in the HSM (find by label with object type certificate).

gamringer avatar Jan 20 '23 03:01 gamringer
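Before pointing step 3 at a certificate file, it is worth confirming that the certificate really wraps the public key held on the card or HSM, is a user certificate, and is still inside its validity window, since a mismatch only surfaces as a failed login. The following is an added example, not code from putty-cac or from anyone in this thread: it decodes the OpenSSH ed25519 certificate wire format (as laid out in OpenSSH's PROTOCOL.certkeys) and compares the embedded key with a plain ssh-ed25519 public key line. The certificate and key it checks are constructed inline with a dummy CA key and signature, so no signature verification takes place.

```python
import base64, struct
CERT_TYPE = "ssh-ed25519-cert-v01@openssh.com"  # cert key type per OpenSSH PROTOCOL.certkeys
def ssh_string(b):                 # SSH wire "string": uint32 big-endian length + bytes
    return struct.pack(">I", len(b)) + b
def read_string(buf, off):         # returns (value, offset just past it)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n
def decode_line(line, expected):   # 'type base64 [comment]' -> (blob, offset past the type string)
    kind, b64 = line.split()[:2]
    buf = base64.b64decode(b64)
    name, off = read_string(buf, 0)
    if kind != expected or name != expected.encode(): raise ValueError(f"expected {expected}, got {kind}")
    return buf, off
def parse_ed25519_cert(line):
    """Parse an 'ssh-ed25519-cert-v01@openssh.com AAAA...' line into its certificate fields."""
    buf, off = decode_line(line, CERT_TYPE)
    _nonce, off = read_string(buf, off)
    pk, off = read_string(buf, off)                  # the raw 32-byte key the cert was issued for
    serial, ctype = struct.unpack_from(">QI", buf, off); off += 12   # type 1 = user, 2 = host
    key_id, off = read_string(buf, off)
    princ_blob, off = read_string(buf, off)          # packed list of SSH strings
    principals, p = [], 0
    while p < len(princ_blob):
        s, p = read_string(princ_blob, p); principals.append(s.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", buf, off)  # unix seconds
    return {"pk": pk, "serial": serial, "type": ctype, "key_id": key_id.decode(),
            "principals": principals, "valid_after": valid_after, "valid_before": valid_before}

def plain_key_bytes(line):         # raw key from a plain 'ssh-ed25519 AAAA...' line
    buf, off = decode_line(line, "ssh-ed25519")
    return read_string(buf, off)[0]

def cert_matches_key(cert_line, pubkey_line, now):
    """True if the cert wraps exactly this key, is a user cert and is valid at 'now' (unix seconds)."""
    c = parse_ed25519_cert(cert_line)
    return (c["pk"] == plain_key_bytes(pubkey_line) and c["type"] == 1
            and c["valid_after"] <= now < c["valid_before"])

def build_sample_cert(pk, key_id, principals, valid_after, valid_before):
    # Constructed test cert: zero nonce, dummy CA key and dummy signature, so it is NOT verifiable.
    body = (ssh_string(CERT_TYPE.encode()) + ssh_string(b"\x00" * 32) + ssh_string(pk)
            + struct.pack(">QI", 7, 1) + ssh_string(key_id.encode())          # serial 7, user cert
            + ssh_string(b"".join(ssh_string(p.encode()) for p in principals))
            + struct.pack(">QQ", valid_after, valid_before)
            + ssh_string(b"") + ssh_string(b"") + ssh_string(b"")             # critical options, extensions, reserved
            + ssh_string(ssh_string(b"ssh-ed25519") + ssh_string(b"\x01" * 32)) + ssh_string(b"\x00" * 64))
    return CERT_TYPE + " " + base64.b64encode(body).decode()
SAMPLE_PK = bytes(range(32))       # constructed stand-in for the public half of an HSM/CAPI key
SAMPLE_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(ssh_string(b"ssh-ed25519") + ssh_string(SAMPLE_PK)).decode()
SAMPLE_CERT_LINE = build_sample_cert(SAMPLE_PK, "alice@example.test", ["alice"], 1_700_000_000, 1_800_000_000)
```

Run `cert_matches_key(open("id_ed25519-cert.pub").read(), open("id_ed25519.pub").read(), int(time.time()))` against a real certificate and the public key exported from the card to get the same check; a `False` result means the certificate was issued for a different key, is a host certificate, or has expired.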