140

(I am using a Mac)

My id_rsa starts with

-----BEGIN OPENSSH PRIVATE KEY-----

but I expect it to start with

-----BEGIN RSA PRIVATE KEY-----

I have sent my id_rsa.pub to the server administrator to get access to the server, so I don't want to generate a new key.

  1. Is there any way that I can transfer my id_rsa, which is an OpenSSH private key, to an RSA private key? (command please.)

  2. If I can transfer, do I also need to transfer id_rsa.pub? (command please.) It seems id_rsa.pub doesn't have a header like id_rsa, so I am not sure if I should also transfer this.

Mark Rotteveel
Eleanor

5 Answers

236

You have an OpenSSH format key and want a PEM format key. It is not intuitive to me, but the suggested way to convert is by changing the password for the key and writing it in a different format at the same time.

The command looks like this:

```
ssh-keygen -p -N "" -m pem -f /path/to/key
```

It will change the file in place, so make a backup of your current key just in case. -N "" will set the passphrase as none. I haven't tested this with a passphrase.

The public key should be fine as is.

For full explanation of the above command, see the -m option here: https://man.openbsd.org/ssh-keygen#m

galoget
Tad M.
  • 10
    This does not change the content of the file for me – Whimusical May 12 '20 at 17:15
  • 1
    @Whimusical, Please say what it does instead of changing the file, if anything. It would also help to know what kind of key you are working with, what you expect, and what OS you are using. Generally, more details. – Tad M. May 14 '20 at 14:16
  • 4
    I discovered my problem occurred only because the key was generated elliptically. Regular ones are correctly converted – Whimusical May 15 '20 at 15:11
  • 1
    How can we do the reverse conversion i.e. from PEM to OPENSSH format? With a CLI because I want to be able to employ it in Terraform. – Bahadır İsmail Aydın May 21 '20 at 08:24
  • 1
    @BahadırİsmailAydın according to `man ssh-keygen`, the `-m` key specifies the input format among RFC4716 (this is the default if -m isn't specified), PKCS8 and PEM, so you can just use `ssh-keygen -p -N "" -f path/to/keyfile` – Dudnikof Jun 10 '20 at 07:40
  • 8
    @TadM I got this message. "Failed to load key: invalid format". How can I fix this? – LeadStar Jul 01 '20 at 13:44
  • Very simple and easy way. Thanks! – Pardhu Oct 07 '20 at 10:10
  • This works when I have a problem connecting to an sftp server in Netbeans IDE. Copying the original private key and running the command above solved my problem. – Oki Erie Rinaldi May 15 '21 at 18:57
  • This works great from Linux, but on Windows Cygwin it will just result in the same file as in the first comment. – Bimme Aug 25 '21 at 13:08
  • When attempting to do this, I got the 'permissions are too open' error. This (https://stackoverflow.com/a/9270753/749512) was the fix for that. I then got the 'Key has comment Some Comment' error that I fixed using `ssh-keygen -c -C "" -f private.key`. After that, using `ssh-keygen -p -N "" -m pem -f private.key` worked as expected. Hopefully this helps someone else. – nkhil Sep 14 '21 at 12:26
  • thank you very much for that `-m PEM` option. To anyone who wants to generate a new key directly in RSA: `ssh-keygen -t rsa -m PEM` – Mon Dec 02 '21 at 07:12
  • This is a great answer. I couldn't figure out why Jenkins wasn't connecting to my SVN SSH server. I enabled detailed logging on Jenkins, saw a warning message about needing PEM format, and then found this answer and "converted" my key and then it worked. – user2959589 Apr 27 '22 at 00:52
  • The conversion options provided in ssh-keygen generally involve converting the same type of key, for example an RSA key to another type of RSA key. For instance, one might convert an OPENSSH RSA key to a PKCS8 RSA key. In essence, such conversions simply involve repackaging the RSA key in different formats. It's important to note, however, that RSA keys cannot be converted to EdDSA keys or vice versa since they are fundamentally different types of keys. – Proton Feb 21 '23 at 07:43
25

Here's what worked for me for an in-place conversion of a key with a passphrase:

```
ssh-keygen -p -P "old passphrase" -N "new passphrase" -m pem -f path/to/key
```
jjanczyszyn
  • 12
    `ssh-keygen -m pem -f /path/to/key` for those of us not using passphrases – jspinella Sep 23 '20 at 23:03
  • Can it be done without replacing the original OPENSSH key? I'm using it for remote connection but I need an RSA key for MySQL Workbench. I'm just guessing but I could use both, OPENSSH for SSH terminal connection and RSA for MySQL Workbench. – Luciano Jan 11 '21 at 05:26
  • 6
    @jspinella , That will generate a new key overwriting the existing /path/to/key file. – Tejas Sarade Jan 26 '21 at 20:55
  • 2
    @TejasSarade I think you'd just want to add `-e > new-key-file.pem` to the end of that – jspinella Jan 26 '21 at 21:36
  • @jspinella -e only exports/prints public key. That is useful for converting public key to other formats than SSH. But it will not export/save the private key. – Tejas Sarade Jan 26 '21 at 22:17
  • It created a .pem file that looks correct on my (Windows with Git Bash) computer – jspinella Jan 26 '21 at 22:41
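
Added example (not from any of the answers above): the first two answers rewrite the key in place, and a comment asks whether the original can be kept. This sketch converts a copy instead and verifies it before use; `rsa_pem_copy` and the paths in the usage comment are hypothetical names.

```shell
# Hypothetical helper (added example): convert a COPY of an RSA private key
# to PEM and verify the result; the source file is never modified.
# usage: rsa_pem_copy SRC DST [extra "ssh-keygen -p" options, e.g. -N ""]
#   e.g. rsa_pem_copy ~/.ssh/id_rsa ~/.ssh/id_rsa.pem   (placeholder paths)
rsa_pem_copy() {
    [ "$#" -ge 2 ] || { echo "usage: rsa_pem_copy SRC DST [opts]" >&2; return 2; }
    _src=$1; _dst=$2; shift 2
    [ -f "$_src" ] || { echo "no such key: $_src" >&2; return 1; }
    [ ! -e "$_dst" ] || { echo "refusing to overwrite: $_dst" >&2; return 1; }

    # Owner-only copy, so ssh-keygen does not reject it as too open.
    ( umask 077 && cp "$_src" "$_dst" ) || return 1

    # Rewrite only the copy. Without -P/-N ssh-keygen prompts, which keeps
    # passphrases out of the process list and shell history.
    if ! ssh-keygen -p "$@" -m PEM -f "$_dst" >/dev/null; then
        rm -f "$_dst"; return 1
    fi

    # Check 1: the copy now carries the PEM RSA header.
    _hdr=$(head -n 1 "$_dst")
    if [ "$_hdr" != "-----BEGIN RSA PRIVATE KEY-----" ]; then
        echo "not converted (header: $_hdr); is this an RSA key?" >&2
        rm -f "$_dst"; return 1
    fi

    # Check 2: both files yield the same public key. Compare the key type
    # and base64 blob only; PEM files carry no key comment.
    _a=$(ssh-keygen -y -f "$_src" | cut -d' ' -f1,2) || return 1
    _b=$(ssh-keygen -y -f "$_dst" | cut -d' ' -f1,2) || return 1
    [ -n "$_a" ] && [ "$_a" = "$_b" ] || { echo "public keys differ" >&2; return 1; }
}
```

Because the public key derived from both files is identical, the `id_rsa.pub` already sent to the administrator stays valid.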
7
  1. Install and open puttygen
  2. Click on "Load an existing private key file"
  3. Click on menu item "Conversions" -> "Export OpenSSH key"
  4. Save file
jersey-city-ninja
3

You can achieve this easily if you can get your hands on a Linux system. I am using Ubuntu 18.04 and did the following:

  1. update packages: `sudo apt update`
  2. install putty: `sudo apt install putty`
  3. install puttygen: `sudo apt install putty-tools`
  4. convert the private key to the intermediate format SSHv2: `puttygen yourkey -O private-sshcom -o newkey`
  5. convert it back to RSA/PEM: `ssh-keygen -i -f newkey > newkey_in_right_format`

And you are good to go

BabaNew
0

Some of the answers above didn't work and I actually ran into yet another problem when trying to create an RSA private key from the OpenSSH private key using the ssh-keygen command: unsupported cipher 3des-cbc. A helpful gist for that problem can be found here: https://gist.github.com/twelve17/0449491d86158960fdb630160799ff23.

The following command worked for me to create a valid and working RSA private key from a (Putty on Windows generated) OpenSSH key using:

```
$ sudo apt install putty-tools
$ puttygen existing_key.ppk -o id_rsa -O private-openssh
# enter passphrase if needed
```
Claudio Kuenzler