How to get the key ID from a .pem openssl file?

Bare keys do not have "key IDs". They're just series of numbers.

If the key belongs to an X.509 certificate, then the certificate's fingerprint (a SHA-1 hash of the DER-encoded cert) will be used for identification: openssl x509 -outform der | openssl sha1, or openssl x509 -noout -fingerprint.

Otherwise (if it's just a bare public/private keypair), the SHA-1 hash of the public key is used sometimes (again, DER encoding), but I don't know of any standard for it. You can extract the public key with openssl rsa -pubout -outform der, again piping to openssl sha1 if that's what your program requires.


The "key pair IDs" used by CloudFront are serial numbers of the database entry with that key. The same key, uploaded twice, will have different IDs; I just tested it.
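An added example, not part of the answers on this page: the shell functions below compute the certificate fingerprint with both commands given above, plus the SHA-1 of the DER-encoded public key taken once from the private key and once from the certificate, which lets you check that a key belongs to a certificate. The function names are illustrative, and the throwaway RSA key, self-signed certificate and CN are constructed sample input.

```shell
#!/bin/sh
# Added example: SHA-1 identifiers for a certificate and for a bare RSA public key.

# SHA-1 of the DER-encoded certificate, as lowercase hex.
cert_fp_der() {
    openssl x509 -in "$1" -outform der | openssl sha1 | awk '{print $NF}'
}

# Same value via -fingerprint, normalised to lowercase hex without colons.
cert_fp_builtin() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 |
        cut -d= -f2 | tr -d ':' | tr 'A-F' 'a-f'
}

# SHA-1 of the DER-encoded public key derived from an RSA private key.
key_pub_sha1() {
    openssl rsa -in "$1" -pubout -outform der 2>/dev/null |
        openssl sha1 | awk '{print $NF}'
}

# SHA-1 of the DER-encoded public key embedded in a certificate.
cert_pub_sha1() {
    openssl x509 -in "$1" -noout -pubkey |
        openssl rsa -pubin -outform der 2>/dev/null |
        openssl sha1 | awk '{print $NF}'
}

# Constructed sample input: throwaway key and self-signed certificate in dir $1.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-example" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
echo "cert fingerprint (der | sha1): $(cert_fp_der "$demo_dir/cert.pem")"
echo "cert fingerprint (builtin)   : $(cert_fp_builtin "$demo_dir/cert.pem")"
echo "public key hash from key     : $(key_pub_sha1 "$demo_dir/key.pem")"
echo "public key hash from cert    : $(cert_pub_sha1 "$demo_dir/cert.pem")"
rm -rf "$demo_dir"
```

The two certificate fingerprints are equal, and the two public key hashes are equal only when the key and certificate belong together; the certificate fingerprint and the public key hash are different values because they hash different DER structures.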


Amazon now provides tools for performing such actions on any server (not just servers running in EC2). On any Ubuntu computer you can install the tools with apt-get:

$ sudo apt-get install ec2-ami-tools ec2-api-tools

Here is the syntax to get the fingerprint for My.pem:

$ ec2-fingerprint-key My.pem
62:44:56:f7:91:f2:8b:9b:44:7c:17:0e:39:c7:34:68:f5:b2:3c:57

As ec2-fingerprint-key is a bit long to type, there is an equivalent shortcut ec2fp:

$ ec2fp My.pem
62:44:56:f7:91:f2:8b:9b:44:7c:17:0e:39:c7:34:68:f5:b2:3c:57