certificates:convert_keys_between_openssl_and_openssh

certificates:convert_keys_between_openssl_and_openssh [2016/12/06 11:52] – created peter
certificates:convert_keys_between_openssl_and_openssh [2019/11/26 21:47] (current) – removed peter
Line 1: Line 1:
-====== Certificates - Convert keys between openssl and openssh ====== 
- 
-===== OpenSSL ===== 
- 
-The following command 
- 
-<code bash> 
-openssl req -x509  -days 365 -newkey rsa:2048 -keyout private.pem -out public.pem -nodes 
-</code> 
- 
-generates a self-signed certificate, and produces private.pem and public.pem. 
- 
-To extract an OpenSSH compatible public key from it, you can just run: 
- 
-<code bash> 
-ssh-keygen -f private.pem -y > private.pub 
-</code> 
- 
-<WRAP todo> 
-**NOTE**: Newer versions of OpenSSL (>= 1.0.1 at least) use PKCS8 format for keys. 
- 
-So, to extract the public key from the certificate issue 
- 
-<code bash> 
-openssl x509 -in certificate.pem -noout -pubkey > pubkey.pem 
-</code> 
- 
-You need to use following command to convert it to authorized_keys entry 
- 
-<code bash> 
-ssh-keygen -i -m PKCS8 -f pubkey.pem 
-</code> 
- 
-  * **-out** option of the req command of OpenSSL produces certificate request rather than public key. 
- 
-To extract public key in the PKCS#8 format, understandable by import function of ssh-keygen use following command. 
- 
-<code bash> 
-openssl req -in public.pem -noout -pubkey 
-</code> 
- 
-</WRAP> 
-===== OpenSSH ===== 
- 
-The command 
- 
-<code bash> 
-ssh-keygen -t rsa -f rsa 
-</code> 
- 
-produces rsa and rsa.pub 
- 
-**ssh-keygen** can be used to convert public keys from SSH formats in to PEM formats suitable for OpenSSL.  Private keys are normally already stored in a PEM format suitable for both. 
- 
-The following command will convert the .pub file into the pem format for you. 
- 
-<code bash> 
-ssh-keygen -f rsa.pub -e -m pem 
-</code> 
- 
-<WRAP todo> 
-Found that -m pem did not give an openssl compatible key but -m PKCS8 did. 
- 
-Newer versions of OpenSSL (>= 1.0.1 at least) use PKCS#8 format for keys. 
-</WRAP> 
- 
-The ssh-keygen also supports conversion into various other formats, for more information, see the [[http://www.openbsd.org/cgi-bin/man.cgi?query=ssh-keygen&sektion=1|man page]]. 
- 
-===== Convert from OpenSSH to OpenSSL ===== 
- 
-Is it possible to convert from the format of rsa to private.pem and vice-a-versa? 
- 
-<code> 
-ssh-keygen -f test-user 
-Generating public/private rsa key pair. 
-Enter passphrase (empty for no passphrase):  
-Enter same passphrase again:  
-Your identification has been saved in test-user. 
-Your public key has been saved in test-user.pub. 
-The key fingerprint is: 
-ff:36:f1:74:c7:0d:4e:da:79:5c:96:27:2c:2c:4e:b6 john@sharewiz.net 
-The key's randomart image is: 
-+--[ RSA 2048]----+ 
-|                 | 
-|                 | 
-|           . .  .| 
-|          + o =.+| 
-|        S+ o * B+| 
-|         .E o = B| 
-|          .  + o.| 
-|           .o .  | 
-|           ...   | 
-+-----------------+ 
-$ openssl req -x509 -days 365 -new -key test-user -out test-user-cert.pem 
-You are about to be asked to enter information that will be incorporated 
-into your certificate request. 
-What you are about to enter is what is called a Distinguished Name or a DN. 
-There are quite a few fields but you can leave some blank 
-For some fields there will be a default value, 
-If you enter '.', the field will be left blank. 
------ 
-Country Name (2 letter code) [AU]: 
-State or Province Name (full name) [Some-State]: 
-Locality Name (eg, city) []: 
-Organization Name (eg, company) [Internet Widgits Pty Ltd]: 
-Organizational Unit Name (eg, section) []: 
-Common Name (e.g. server FQDN or YOUR name) []: 
-Email Address []: 
- 
-$ ls -l test-user* 
--rw------- 1 john john 1675 Mar 18 21:52 test-user 
--rw-r--r-- 1 john john 1229 Mar 18 21:53 test-user-cert.pem 
--rw-r--r-- 1 john john  392 Mar 18 21:52 test-user.pub 
-</code> 
- 
-From these, both **test-user** and **test-user-cert.pem** files are critical to preserve, where as **test-user.pub** can always be recreated from **test-user** as needed. 
  
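Review bot: the bullet "**-out** option of the req command of OpenSSL produces certificate request rather than public key" is wrong for the command shown at the top of the page: with `-x509`, `openssl req ... -out public.pem` writes a self-signed X.509 certificate, not a CSR, so the later command `openssl req -in public.pem -noout -pubkey` will fail to parse public.pem. The working extraction is the one already given a few lines earlier, `openssl x509 -in certificate.pem -noout -pubkey > pubkey.pem`, which should use the same filename (public.pem) as the rest of the section so readers can follow it end to end. In the OpenSSH section, the note "-m pem did not give an openssl compatible key but -m PKCS8 did" is consistent with how the two formats differ: `-m pem` writes a PKCS#1 "RSA PUBLIC KEY" block, while OpenSSL's `-pubin` readers expect the SubjectPublicKeyInfo form that `-m PKCS8` emits, so the command `ssh-keygen -f rsa.pub -e -m pem` should be changed to `-m PKCS8` rather than leaving the contradiction for the reader to discover. The sentence "Private keys are normally already stored in a PEM format suitable for both" also needs a caveat: OpenSSH 7.8 and later write a new-format private key by default, which OpenSSL cannot read; generating with `ssh-keygen -m PEM` (or converting with `ssh-keygen -p -m PEM -f rsa`) keeps the assumption true. Finally, `-nodes` in the first command and the empty passphrase in the transcript both leave the private key unencrypted on disk; the 0600 mode shown in the `ls -l` output is the only protection it has, which is worth stating next to "both **test-user** and **test-user-cert.pem** files are critical to preserve".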
certificates/convert_keys_between_openssl_and_openssh.1481025173.txt.gz · Last modified: 2020/07/15 09:30 (external edit)