The following command
openssl req -x509 -days 365 -newkey rsa:2048 -keyout private.pem -out public.pem -nodes
generates a self-signed certificate, and produces private.pem and public.pem.
To extract an OpenSSH compatible public key from it, you can just run:
ssh-keygen -f private.pem -y > private.pub
NOTE: Newer versions of OpenSSL (>= 1.0.1 at least) use PKCS8 format for keys.
So, to extract the public key from the certificate, issue:
openssl x509 -in certificate.pem -noout -pubkey > pubkey.pem
You need to use the following command to convert it to an authorized_keys entry:
ssh-keygen -i -m PKCS8 -f pubkey.pem
To extract the public key in PKCS#8 format, understandable by the import function of ssh-keygen, use the following command:
openssl req -in public.pem -noout -pubkey
The command
ssh-keygen -t rsa -f rsa
produces rsa and rsa.pub.
ssh-keygen can be used to convert public keys from SSH formats into PEM formats suitable for OpenSSL. Private keys are normally already stored in a PEM format suitable for both.
The following command will convert the .pub file into the pem format for you.
ssh-keygen -f rsa.pub -e -m pem
Found that -m pem did not give an openssl compatible key but -m PKCS8 did.
Newer versions of OpenSSL (>= 1.0.1 at least) use PKCS#8 format for keys.
ssh-keygen also supports conversion into various other formats; for more information, see the man page.
Is it possible to convert from the format of rsa to private.pem and vice versa?
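The public-key round trip described in this answer (openssl private key, ssh-keygen -y to get the OpenSSH public key, ssh-keygen -e -m PKCS8 to get back to PEM) as an added example, not code from the thread. It assumes openssl and ssh-keygen are on PATH; the file names and the temporary directory are arbitrary, and the final digest comparison is the check that both encodings really describe the same key.

```shell
#!/bin/sh
# Added example (not from the original answers): convert an OpenSSL RSA key
# to an OpenSSH public key and back, then verify the two PEM public keys match.

# Normalise a PEM public key to the SHA-256 of its DER encoding so that two
# differently produced PEM files compare by content, not by text.
pub_digest() {
    openssl pkey -pubin -in "$1" -outform DER -out "$1.der" 2>/dev/null || return 1
    openssl dgst -sha256 "$1.der" | awk '{print $NF}'
}

# Returns 0 when both public keys match, 1 on mismatch or tool failure,
# 2 when openssl or ssh-keygen is not installed.
roundtrip_check() {
    command -v openssl >/dev/null 2>&1 && command -v ssh-keygen >/dev/null 2>&1 || return 2
    dir=$(mktemp -d) || return 1
    (
        cd "$dir" || exit 1
        # 1. Unencrypted 2048-bit RSA private key in PEM, as openssl writes it.
        openssl genrsa -out private.pem 2048 2>/dev/null || exit 1
        # 2. Public key extracted by OpenSSL (PKCS#8 SubjectPublicKeyInfo PEM).
        openssl pkey -in private.pem -pubout -out pub_openssl.pem || exit 1
        # 3. OpenSSH-format public key derived from the same private key (-y).
        ssh-keygen -y -f private.pem > private.pub || exit 1
        # 4. Convert the OpenSSH public key back to PKCS#8 PEM (-e -m PKCS8).
        ssh-keygen -e -m PKCS8 -f private.pub > pub_ssh.pem || exit 1
        # 5. Both PEM files must encode the same key.
        d1=$(pub_digest pub_openssl.pem) || exit 1
        d2=$(pub_digest pub_ssh.pem) || exit 1
        [ -n "$d1" ] && [ "$d1" = "$d2" ]
    )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}
```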
$ ssh-keygen -f test-user
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in test-user.
Your public key has been saved in test-user.pub.
The key fingerprint is:
ff:36:f1:74:c7:0d:4e:da:79:5c:96:27:2c:2c:4e:b6 john@sharewiz.net
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
| . . .           |
| + o =.+         |
| S+ o * B+       |
| .E o = B        |
| . + o.          |
| .o .            |
| ...             |
+-----------------+
$ openssl req -x509 -days 365 -new -key test-user -out test-user-cert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
$ ls -l test-user*
-rw------- 1 john john 1675 Mar 18 21:52 test-user
-rw-r--r-- 1 john john 1229 Mar 18 21:53 test-user-cert.pem
-rw-r--r-- 1 john john  392 Mar 18 21:52 test-user.pub
From these, both test-user and test-user-cert.pem files are critical to preserve, whereas test-user.pub can always be recreated from test-user as needed.