ZacheryHowe

Yes, you can use OpenSSH CA certificate files for tunnel authentication in WinSCP. Specify the certificate file path in the "CertificateFile" option under advanced SSH settings. Ensure the certificate is valid and paths are correct.

r_sendhil

Re: OpenSSH CA Certificate files in tunnel

Good Morning Martin,
The PublicKeyFile and DetachedCertificate work really well for the main server. We do not include the certificate in the path specified by the PublicKeyFile ppk file. It is a static one – hence generated one time.

In case of TunnelPublicKeyFile, the ppk file needs to include the certificate as well, because we do not have an option like TunnelDetachedCertificate. So this needs to be generated additionally every time we sign the SSH key to generate a certificate, unlike the PublicKeyFile and DetachedCertificate combo for the main server, which sort of works seamlessly. I guess we can use WinSCP or PuTTYgen command line to generate the ppk every time, but if WinSCP supports it out of the box, it would be really nice.

Thanks & Regards,
Sendhil

martin

Re: OpenSSH CA Certificate files in tunnel

How would TunnelDetachedCertificate help you? You would have to change it every 8 hours too.

r_sendhil

OpenSSH CA Certificate files in tunnel

Good Morning,
OpenSSH CA certificate files are supported in the main server's authentication: https://winscp.net/eng/docs/ui_login_authentication#certificate
Is it possible to specify the same in the tunnel authentication parameters? If I use PuTTYgen or WinSCP to generate a ppk file with the certificate, it works fine. The OpenSSH CA certificate is valid only for a short period of time in our case (8 hours). I saw there is a DetachedCertificate option in the raw settings; is there something like TunnelDetachedCertificate?

Thanks & Regards,
Sendhil
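
Because the tunnel key's ppk has to embed the short-lived certificate, a wrapper script needs to know when the certificate behind it has been renewed or is about to expire. The following is an added example, not part of the thread or of WinSCP: Python that reads the validity window from an OpenSSH `*-cert.pub` line (ed25519, RSA and ECDSA types, which goes beyond the single case in the thread) so the ppk is regenerated only when needed. The function names, the 600-second margin and the unsigned sample certificate are assumptions constructed for the illustration.

```python
import base64
import struct

# Length-prefixed public-key fields between nonce and serial (OpenSSH PROTOCOL.certkeys).
KEY_FIELDS = {"ssh-ed25519-cert-v01@openssh.com": 1, "ssh-rsa-cert-v01@openssh.com": 2}
KEY_FIELDS.update({f"ecdsa-sha2-nistp{n}-cert-v01@openssh.com": 2 for n in (256, 384, 521)})

def _read(buf, off):
    """Read one SSH string (uint32 length + data); return (data, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated certificate")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_cert(line):
    """Return key id, principals and validity window of one *-cert.pub line."""
    name, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    inner, off = _read(blob, 0)
    if inner.decode("ascii") != name or name not in KEY_FIELDS:
        raise ValueError("not a supported OpenSSH certificate")
    for _ in range(1 + KEY_FIELDS[name]):      # nonce, then public-key fields
        _, off = _read(blob, off)
    off += 12                                  # skip uint64 serial and uint32 type
    key_id, off = _read(blob, off)
    packed, off = _read(blob, off)             # principals: strings packed in a string
    after, before = struct.unpack_from(">QQ", blob, off)
    principals, p = [], 0
    while p < len(packed):
        item, p = _read(packed, p)
        principals.append(item.decode())
    return {"key_id": key_id.decode(), "principals": principals,
            "valid_after": after, "valid_before": before}

def needs_refresh(cert, now, margin=600):
    """True when the certificate is not yet valid or expires within margin seconds."""
    return now < cert["valid_after"] or now + margin >= cert["valid_before"]

def sample_cert(after, before):
    """Constructed, unsigned ed25519 certificate line for demonstration only."""
    s = lambda b: struct.pack(">I", len(b)) + b
    name = b"ssh-ed25519-cert-v01@openssh.com"
    blob = (s(name) + s(b"\x01" * 32) + s(b"\x02" * 32) + struct.pack(">QI", 7, 1)
            + s(b"tunnel-user") + s(s(b"jump")) + struct.pack(">QQ", after, before)
            + s(b"") * 3 + s(b"dummy-ca-key") + s(b"dummy-signature"))
    return name.decode() + " " + base64.b64encode(blob).decode() + " constructed"

if __name__ == "__main__":
    print(parse_cert(sample_cert(1700000000, 1700000000 + 8 * 3600)))
```

The parser only reads fields; it does not verify the CA signature, which remains the server's job.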