Openssh Private Key to RSA Private Key
Asked Answered
A

6

154

(I am using MAC)

My id_rsa starts with

-----BEGIN OPENSSH PRIVATE KEY-----

but I expect it to starts with

-----BEGIN RSA PRIVATE KEY-----

I have send my id_rsa.pub to server administrator to get the access to server, so I don't want to generate a new key.

  1. Is there any way that I can transfer my id_rsa which is a openssh private key to a RSA private key? (command please.)

  2. If I can transfer, do I also need to transfer id_rsa.pub? (command please.) It seems id_rsa.pub doesn't have a header like id_rsa, so I am not sure if I should also transfer this.

Amoretto answered 5/3, 2019 at 2:40 Comment(0)
S
248

You have an OpenSSH format key and want a PEM format key. It is not intuitive to me, but the suggested way to convert is by changing the password for the key and writing it in a different format at the same time.

The command looks like this:

ssh-keygen -p -N "" -m pem -f /path/to/key

It will change the file in place, so make a backup of your current key just in case. -N "" will set the passphrase as none. I haven't tested this with a passphrase.

The public key should be fine as is.

For full explanation of the above command, see the -m option here: https://man.openbsd.org/ssh-keygen#m

Soutor answered 23/4, 2019 at 19:9 Comment(12)
This does not change the content of he file for meWallis
@Whimusical, Please say what it does instead of changing the file, if anything. It would also help to know what kind of key you are working with, what you expect, and what OS you are using. Generally, more details.Soutor
I discovered my problem occurred only because the key was generated elliptically. Regular ones are correctly convertedWallis
How can we do the reverse conversion i.e. from PEM to OPENSSH format? With a CLI because I want to be able to employ it in Terraform.Collegiate
@BahadırİsmailAydın according to the man ssh-keygen -m key specify the input format among RFC4716 (this is the default if -m isn't specified), PKCS8 and PEM, so you can just use ssh-keygen -p -N "" -f path/to/keyfileParvati
@TadM I got this message. "Failed to load key: invalid format". How can I fix this?Och
This works when I have problem connecting to sftp server in Netbeans IDE. Copy the original private key and run the command above solve my problem.Lightish
This works great from linux, but on Windows Cygwin it will just result in the same file as in the first comment.Broadleaved
When attempting to do this, I got the 'permissions are too open' error. This (https://mcmap.net/q/22730/-ssh-quot-permissions-are-too-open-quot) was the fix for that. I then got the 'Key has comment Some Comment' error that I fixed using ssh-keygen -c -C "" -f private.key. After that, using ssh-keygen -p -N "" -m pem -f private.key worked as expected. Hopefully this helps someone else.Comparative
thank you very much for that -m PEM option. To anyone who wants to generate a new key directly in RSA: ssh-keygen -t rsa -m PEMInterpretation
This is a great answer. I couldn't figure out why Jenkins wasn't connecting to my SVN SSH server. I enabled detailed logging on Jenkins, saw a warning message about needing PEM format, and then found this answer and "converted" my key and then it worked.Gablet
The conversion options provided in ssh-keygen generally involve converting same type of key for example RSA key to another type of RSA key. For instance, one might convert an OPENSSH RSA key to a PKCS8 RSA key. In essence, such conversions simply involve repackaging the RSA key in different formats. It's important to note, however, that RSA key cannot be converted to EdDSA keys or vice versa since they are fundamentally different types of keys.Styrax
C
27

Here's what worked for me for an in-place conversion of a key with a passphrase:

ssh-keygen -p -P "old passphrase" -N "new passphrase" -m pem -f path/to/key
Costmary answered 24/8, 2020 at 20:3 Comment(6)
ssh-keygen -m pem -f /path/to/key for those of us not using passphrasesCeilometer
Can it be done without replacing the original OPENSSH key? I'm using it for remote connection but I need an RSA key for MySQL Workbench. I'm just guessing but I could use both, OPENSSH for SSH terminal connection and RSA for MySQL Workbench/Interrupted
@Ceilometer , That will generate a new key overwriting the existing /path/to/key file.Candis
@TejasSarade I think you'd just want to add -e > new-key-file.pem to the end of thatCeilometer
@Ceilometer -e only exports/prints public key. That is useful for converting public key to other formats than SSH. But it will not export/save the private key.Candis
It created a .pem file that looks correct on my (Windows with Git Bash) computerCeilometer
S
8
  1. Install and open puttygen
  2. Click on "Load an existing private key file"
  3. Click on menu item "Conversions" -> "Export OpenSSH key"
  4. Save file
Serotonin answered 16/5, 2022 at 19:8 Comment(0)
E
3

You can achieve this easily if you can get your hands on a linux system. I am using ubuntu 18.04 and did the following:

  1. update packages: sudo apt update
  2. install putty: sudo apt install putty
  3. install puttygen: sudo apt install putty-tools
  4. convert the private key to the intermediate format SSHv2: puttygen yourkey -O private-sshcom -o newkey
  5. convert it back to RSA/PEM: ssh-keygen -i -f newkey > newkey_in_right_format

And you are good to go

Ehr answered 16/3, 2021 at 11:44 Comment(0)
I
0

Some of the answers above didn't work and I actually ran into yet another problem when trying to create a RSA private key from the OpenSSH private key using ssh-keygen command: unsupported cipher 3des-cbc. A helpful gist for that problem can be found here: https://gist.github.com/twelve17/0449491d86158960fdb630160799ff23.

The following command worked for me to create a valid and working RSA private key from a (Putty on Windows generated) OpenSSH key using:

$ sudo apt install putty-tools
$ puttygen existing_key.ppk -o id_rsa -O private-openssh
# enter passphrase if needed
Interconnect answered 22/12, 2022 at 14:0 Comment(0)
S
0

What has worked just fine for me in converting a private key to/from RSA to/from OpenSSH is simply changing the header and footer in vi from one format to another. E.g.: change the top from

-----BEGIN RSA PRIVATE KEY-----

to

-----BEGIN OPENSSH PRIVATE KEY-----

and the footer from

-----END RSA PRIVATE KEY-----

to

-----END OPENSSH PRIVATE KEY-----

Sarracenia answered 14/2 at 19:20 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.