====== Ubuntu - Certificates - Convert keys between openssl and openssh ======

===== OpenSSL =====

The following command

<code bash>
openssl req -x509 -days 365 -newkey rsa:2048 -keyout private.pem -out public.pem -nodes
</code>

generates a self-signed certificate, and produces **private.pem** (the RSA private key) and **public.pem** (the certificate).

----

To extract an OpenSSH-compatible public key from the private key, you can just run:

<code bash>
ssh-keygen -f private.pem -y > private.pub
</code>

**NOTE**: Newer versions of OpenSSL (>= 1.0.1 at least) use PKCS#8 format for keys. So, to extract the public key from the certificate, issue:

<code bash>
openssl x509 -in certificate.pem -noout -pubkey > pubkey.pem
</code>

You then need to use the following command to convert it to an ''authorized_keys'' entry:

<code bash>
ssh-keygen -i -m PKCS8 -f pubkey.pem
</code>

  * The **-out** option of the ''req'' command of OpenSSL produces a certificate request (or, with **-x509** as above, a certificate) rather than a public key. To extract the public key in the PKCS#8 format, understood by the import function of ssh-keygen, use the following command:

<code bash>
openssl req -in public.pem -noout -pubkey
</code>

This works only when public.pem is a certificate request, i.e. ''req'' was run without **-x509**. For the self-signed certificate produced above, use ''openssl x509 -in public.pem -noout -pubkey'' instead, since ''openssl req'' cannot read an X.509 certificate.

----

===== OpenSSH =====

The command

<code bash>
ssh-keygen -t rsa -f rsa
</code>

produces **rsa** (the private key) and **rsa.pub** (the public key).

**ssh-keygen** can be used to convert public keys from SSH formats into PEM formats suitable for OpenSSL. Private keys are normally already stored in a PEM format suitable for both. The following command will convert the .pub file into the PEM format for you:

<code bash>
ssh-keygen -f rsa.pub -e -m pem
</code>

Found that ''-m pem'' did not give an openssl-compatible key but ''-m PKCS8'' did. Newer versions of OpenSSL (>= 1.0.1 at least) use PKCS#8 format for keys.

ssh-keygen also supports conversion into various other formats; for more information, see the [[http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1|man page]].

----

===== Convert from OpenSSH to OpenSSL =====

Is it possible to convert from the format of **rsa** to **private.pem** and vice versa?

The session below shows that no conversion is needed in that direction: the OpenSSH private key file is passed straight to ''openssl req'' as the certificate key.

<code>
$ ssh-keygen -f test-user
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in test-user.
Your public key has been saved in test-user.pub.
The key fingerprint is:
ff:36:f1:74:c7:0d:4e:da:79:5c:96:27:2c:2c:4e:b6 john@sharewiz.net
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|            . . .|
|          + o =.+|
|        S+ o * B+|
|         .E o = B|
|           . + o.|
|           .o .  |
|            ...  |
+-----------------+

$ openssl req -x509 -days 365 -new -key test-user -out test-user-cert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:

$ ls -l test-user*
-rw------- 1 john john 1675 Mar 18 21:52 test-user
-rw-r--r-- 1 john john 1229 Mar 18 21:53 test-user-cert.pem
-rw-r--r-- 1 john john  392 Mar 18 21:52 test-user.pub
</code>

From these, both **test-user** and **test-user-cert.pem** are critical to preserve, whereas **test-user.pub** can always be recreated from **test-user** as needed. Note the ''0600'' mode on **test-user**: the private key must stay readable by its owner only, which ssh-keygen sets by default and which should be kept on any copy you preserve.
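The full round trip described on this page, as an added shell example that is not part of the original page: generate an OpenSSH key, export its public key for OpenSSL, build a self-signed certificate on the same private key, then bring the certificate's public key back as an authorized_keys line and check that the fingerprint is unchanged. The temporary directory, key name and subject are assumptions made for this example.

```shell
#!/bin/sh
# Round-trip check between OpenSSH and OpenSSL key formats.
# Requires ssh-keygen and openssl on the PATH.
set -eu

# Returns 0 when the key that comes back out of the certificate has the same
# SHA256 fingerprint as the key ssh-keygen originally generated.
roundtrip_check() {
  workdir=$(mktemp -d)              # assumption: scratch dir for this example
  key="$workdir/test-user"          # key name borrowed from the page's session

  # -m PEM asks for the classic PEM (PKCS#1) private key. OpenSSH >= 7.8
  # otherwise writes its own "OPENSSH PRIVATE KEY" container, which
  # openssl cannot read directly.
  ssh-keygen -q -t rsa -b 2048 -m PEM -N '' -C test-user -f "$key"

  # OpenSSH -> OpenSSL: export the public key as PKCS#8 (SubjectPublicKeyInfo),
  # the form openssl expects, and prove openssl can parse it.
  ssh-keygen -e -m PKCS8 -f "$key.pub" > "$workdir/pubkey-from-ssh.pem"
  openssl rsa -pubin -in "$workdir/pubkey-from-ssh.pem" -noout -modulus >/dev/null

  # The OpenSSH private key is used as-is for a self-signed certificate
  # (-subj keeps it non-interactive instead of the DN prompts shown above).
  openssl req -x509 -days 365 -new -key "$key" -subj '/CN=test-user' \
    -out "$workdir/test-user-cert.pem"

  # OpenSSL -> OpenSSH: certificate -> PKCS#8 public key -> authorized_keys line
  openssl x509 -in "$workdir/test-user-cert.pem" -noout -pubkey \
    > "$workdir/certpub.pem"
  ssh-keygen -i -m PKCS8 -f "$workdir/certpub.pem" > "$workdir/from-cert.pub"

  # The check: fingerprints of the original and round-tripped keys must match.
  orig=$(ssh-keygen -l -E sha256 -f "$key.pub" | awk '{print $2}')
  conv=$(ssh-keygen -l -E sha256 -f "$workdir/from-cert.pub" | awk '{print $2}')
  rm -rf "$workdir"
  [ -n "$orig" ] && [ "$orig" = "$conv" ]
}
```

A mismatch here means the converted file is not the same key (for instance a wrong input file was used), so run this before trusting a converted key in `authorized_keys`.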