Converting keys between openssl and openssh
You are missing a bit here.
ssh-keygen
can be used to convert public keys from SSH formats in to PEM formats suitable for OpenSSL. Private keys are normally already stored in a PEM format suitable for both.
However, the OpenSSL command you show generates a self-signed certificate. This certificate is not something OpenSSH traditionally uses for anything - and it definitely is not the same thing as a public key only.
OpenSSH does have support for certificates as well, but it is likely that you are not using this support. Also, these certificates are not X.509, so they are incompatible with OpenSSL.
The certificate contains information that is not present anywhere else and each certificate is unique and can not be recreated at will. This means that you need to store the X.509 certificate, in addition to the private key, if you wish use the same key for both OpenSSL and OpenSSH.
If you just want to share the private key, the OpenSSL key generated by your example command is stored in private.pem
, and it should already be in PEM format compatible with (recent) OpenSSH. To extract an OpenSSH compatible public key from it, you can just run:
ssh-keygen -f private.pem -y > private.pub
If you want to start from OpenSSH and work your way over to the OpenSSL side, with a self-signed certificate (for whatever reason), here's how:
$ ssh-keygen -f test-user
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in test-user.
Your public key has been saved in test-user.pub.
The key fingerprint is:
ff:36:f1:74:c7:0d:4e:da:79:5c:96:27:2c:2c:4e:b6 naked@tink
The key's randomart image is:
+--[ RSA 2048]----+
| |
| |
| . . .|
| + o =.+|
| S+ o * B+|
| .E o = B|
| . + o.|
| .o . |
| ... |
+-----------------+
$ openssl req -x509 -days 365 -new -key test-user -out test-user-cert.pem
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:
State or Province Name (full name) [Some-State]:
Locality Name (eg, city) []:
Organization Name (eg, company) [Internet Widgits Pty Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (e.g. server FQDN or YOUR name) []:
Email Address []:
$ ls -l test-user*
-rw------- 1 naked naked 1675 Mar 18 21:52 test-user
-rw-r--r-- 1 naked naked 1229 Mar 18 21:53 test-user-cert.pem
-rw-r--r-- 1 naked naked 392 Mar 18 21:52 test-user.pub
From these, both test-user
and test-user-cert.pem
files are critical to preserve, where as test-user.pub
can always be recreated from test-user as needed.
The ssh-keygen
tool from openssh can do this for you.
The following command will convert the .pub
file into the pem
format for you.
ssh-keygen -f rsa.pub -e -m pem
The ssh-keygen
also supports conversion into various other formats, for more information, see the man page.
Newer versions of OpenSSL (>= 1.0.1 at least) use PKCS#8 format for keys.
So, if you extract publick key from certificate using command
openssl x509 -in certificate.pem -noout -pubkey >pubkey.pem
You need to use following command to convert it to authorized_keys entry
ssh-keygen -i -m PKCS8 -f pubkey.pem
-out option of the req command of OpenSSL produces certificate request rather than public key.
To extract public key in the PKCS#8 format, understandable by import function of ssh-keygen use following command.
openssl req -in public.pem -noout -pubkey