Ubuntu - Certificates - Convert keys between openssl and openssh
OpenSSL
The following command
openssl req -x509 -days 365 -newkey rsa:2048 -keyout private.pem -out public.pem -nodes
generates a self-signed certificate and produces private.pem (the RSA private key) and public.pem (the certificate, despite its name).
To extract an OpenSSH-compatible public key from the private key, you can just run:
ssh-keygen -f private.pem -y > private.pub
NOTE: Newer versions of OpenSSL (>= 1.0.1 at least) use the PKCS#8 format for keys.
So, to extract the public key from the certificate, issue
openssl x509 -in certificate.pem -noout -pubkey > pubkey.pem
Then use the following command to convert it into an authorized_keys entry:
ssh-keygen -i -m PKCS8 -f pubkey.pem
- The -out option of the req command of OpenSSL produces a certificate request (or, with -x509 as above, a self-signed certificate) rather than a public key.
To extract the public key in the PKCS#8 format that the import function of ssh-keygen understands, use the following command on a certificate request (for the self-signed certificate produced above, use the openssl x509 -noout -pubkey form shown earlier instead, since openssl req cannot read a certificate):
openssl req -in public.pem -noout -pubkey
OpenSSH
The command
ssh-keygen -t rsa -f rsa
produces rsa (the private key) and rsa.pub (the public key).
ssh-keygen can be used to convert public keys from SSH formats into PEM formats suitable for OpenSSL. Private keys are normally already stored in a PEM format suitable for both.
The following command will convert the .pub file into the PEM format for you:
ssh-keygen -f rsa.pub -e -m pem
Found that -m pem did not give an OpenSSL-compatible key but -m PKCS8 did.
Newer versions of OpenSSL (>= 1.0.1 at least) use the PKCS#8 format for keys.
ssh-keygen also supports conversion into various other formats; for more information, see the man page.
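Both directions above come down to ssh-keygen re-encoding the same (n, e) pair: ssh-keygen -i -m PKCS8 reads a SubjectPublicKeyInfo ("PUBLIC KEY") PEM and writes an ssh-rsa line, and ssh-keygen -e -m PKCS8 does the reverse. The following standard-library Python script is added here as an illustration of what those two conversions do; it is not code from this page, from OpenSSH or from OpenSSL. SAMPLE_N is a constructed 256-bit number, not a real key, and all function names are the example's own.

```python
"""Hand-rolled conversion of an RSA public key between the OpenSSH
authorized_keys line ("ssh-rsa AAAA... comment") and the PKCS#8-style
SubjectPublicKeyInfo PEM ("-----BEGIN PUBLIC KEY-----") that OpenSSL reads.
Standard library only; mirrors what `ssh-keygen -i/-e -m PKCS8` do."""
import base64
import struct

# DER AlgorithmIdentifier for rsaEncryption: SEQUENCE { OID 1.2.840.113549.1.1.1, NULL }
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

# Constructed sample modulus (32 bytes, top bit set, NOT a real key) and the usual exponent.
SAMPLE_N = int.from_bytes(bytes(range(0xA0, 0xC0)), "big")
SAMPLE_E = 65537


def _mpint(n: int) -> bytes:
    """SSH mpint (RFC 4251): length-prefixed big-endian, leading 0x00 if the top bit is set."""
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return struct.pack(">I", len(raw)) + raw


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def encode_openssh_rsa(n: int, e: int, comment: str = "") -> str:
    """(n, e) -> authorized_keys line; RFC 4253 orders the exponent before the modulus."""
    blob = _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")


def decode_openssh_rsa(line: str) -> tuple[int, int]:
    """authorized_keys line -> (n, e); rejects anything that is not a well-formed ssh-rsa blob."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob, fields, off = base64.b64decode(parts[1]), [], 0
    while off < len(blob):
        (length,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")


def _der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV with short- or long-form length."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def _der_integer(n: int) -> bytes:
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") or b"\x00"
    if raw[0] & 0x80:
        raw = b"\x00" + raw  # DER INTEGER is signed; keep the value positive
    return _der(0x02, raw)


def _der_read(buf: bytes, off: int) -> tuple[int, bytes, int]:
    """Return (tag, body, offset after the element) for the TLV starting at off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, off = int.from_bytes(buf[off:off + nbytes], "big"), off + nbytes
    return tag, buf[off:off + length], off + length


def rsa_to_spki_pem(n: int, e: int) -> str:
    """(n, e) -> "PUBLIC KEY" PEM (SubjectPublicKeyInfo wrapping a PKCS#1 RSAPublicKey)."""
    rsa_public_key = _der(0x30, _der_integer(n) + _der_integer(e))  # PKCS#1 order: n, then e
    spki = _der(0x30, RSA_ALG_ID + _der(0x03, b"\x00" + rsa_public_key))  # BIT STRING, 0 unused bits
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN PUBLIC KEY-----\n{body}\n-----END PUBLIC KEY-----\n"


def spki_pem_to_rsa(pem: str) -> tuple[int, int]:
    """"PUBLIC KEY" PEM -> (n, e); refuses keys whose algorithm is not rsaEncryption."""
    der = base64.b64decode("".join(ln for ln in pem.splitlines() if not ln.startswith("-----")))
    tag, spki, _ = _der_read(der, 0)
    if tag != 0x30:
        raise ValueError("expected a SubjectPublicKeyInfo SEQUENCE")
    _, alg, off = _der_read(spki, 0)
    if _der(0x30, alg) != RSA_ALG_ID:
        raise ValueError("not an rsaEncryption public key")
    tag, bits, _ = _der_read(spki, off)
    if tag != 0x03 or bits[:1] != b"\x00":
        raise ValueError("malformed subjectPublicKey BIT STRING")
    _, rsa_public_key, _ = _der_read(bits[1:], 0)
    _, n_raw, off = _der_read(rsa_public_key, 0)
    _, e_raw, _ = _der_read(rsa_public_key, off)
    return int.from_bytes(n_raw, "big"), int.from_bytes(e_raw, "big")


def round_trip(n: int, e: int, comment: str = "") -> dict:
    """OpenSSH line -> PEM -> OpenSSH line, returning every intermediate form for inspection."""
    ssh_line = encode_openssh_rsa(n, e, comment)
    pem = rsa_to_spki_pem(*decode_openssh_rsa(ssh_line))      # what `ssh-keygen -e -m PKCS8` does
    back = encode_openssh_rsa(*spki_pem_to_rsa(pem), comment)  # what `ssh-keygen -i -m PKCS8` does
    return {"ssh": ssh_line, "pem": pem, "back": back, "same_key": ssh_line == back}


if __name__ == "__main__":
    result = round_trip(SAMPLE_N, SAMPLE_E, "sample@example")
    print(result["ssh"])
    print(result["pem"], end="")
    print("round trip preserves key:", result["same_key"])
```

The "ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB" prefix the script produces is the same one every e=65537 key in an authorized_keys file starts with, which is a quick sanity check when comparing a converted key against the original; the definitive check with the real tools is that ssh-keygen -l -f reports the same fingerprint for the .pub file and for the key imported from the PEM. One caveat on the private-key side that the wiki text predates: OpenSSH 7.8 and later write their own "OPENSSH PRIVATE KEY" format by default, which OpenSSL does not read; ssh-keygen -p -m PEM -f <keyfile> rewrites such a key in the PEM form both tools understand.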
Convert from OpenSSH to OpenSSL
Is it possible to convert from the format of rsa to private.pem and vice versa?
$ ssh-keygen -f test-user
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in test-user.
Your public key has been saved in test-user.pub.
The key fingerprint is:
ff:36:f1:74:c7:0d:4e:da:79:5c:96:27:2c:2c:4e:b6 john@sharewiz.net
The key's randomart image is:
+--[ RSA 2048]----+
|                 |
|                 |
|            . . .|
|          + o =.+|
|        S+ o * B+|
|         .E o = B|
|           . + o.|
|            .o . |
|             ... |
+-----------------+
$ openssl req -x509 -days 365 -new -key test-user -out test-user-cert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
$ ls -l test-user*
-rw------- 1 john john 1675 Mar 18 21:52 test-user
-rw-r--r-- 1 john john 1229 Mar 18 21:53 test-user-cert.pem
-rw-r--r-- 1 john john  392 Mar 18 21:52 test-user.pub
From these, both test-user and test-user-cert.pem are critical to preserve, whereas test-user.pub can always be recreated from test-user as needed.