How to get a .pem file from ssh key pair?

amazon-ec2 public-key private-key ssh-keygen

260,160

Solution 1

According to this, this command can be used:

ssh-keygen -f id_rsa -e -m pem

This will convert your public key to an OpenSSL compatible format. Your private key is already in PEM format and can be used as is (as Michael Hampton stated).

Double check if AWS isn't asking for a (X.509) certificate in PEM format, which would be a different thing than your SSH keys.

Solution 2

Using ssh-keygen to export the key in the .pem format worked for me.

ssh-keygen -f id_rsa.pub -m 'PEM' -e > id_rsa.pub.pem

Then simply copy the .pem key as necessary.

Options as follows: (See man ssh-keygen)

-f id_rsa.pub: input file
-m 'PEM': output format PEM
-e: output to STDOUT

Solution 3

Initially, when using ssh-keygen, I could generate a public key that was compatible with AWS EC2, but had issues with creating private keys that were compatible. The following creates both public and private keys pairs that are compatible with AWS EC2.

ssh-keygen -P "" -t rsa -b 4096 -m pem -f my-key-pair

Here's info on each parameter:

-P: is for passphrase. Intentionally set to empty.
-t: Specifies the type of key to create. AWS EC2 Key Pair requires RSA. It's my experience that this pertains to the public key that is created.
-b: Specifies the number of bits in the key. The supported lengths are 1024, 2048, and 4096. If you connect using SSH while using the EC2 Instance Connect API, the supported lengths are 2048 and 4096.
-m: Specifies a key format for key generation. Setting a format of “PEM” when generating a supported private key type will cause the key to be stored in the legacy PEM private key format. AWS EC2 Key Pair need the legacy format
-f: Specifies the output filename of the key file

Resources:

For more information on ssh-keygen, see: https://man.openbsd.org/ssh-keygen.1

AWS - EC2 Key Pairs - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html

Solution 4

id_rsa is the file that you have to use to decrypt the Windows EC2 instance password, but just make sure that the file you copy paste is not phrase protected.

I solved the problem getting a temporarily unprotected the id_rsa file with something like:

$ openssl rsa -in ~/.ssh/id_rsa -out tmp_file.pem

View more solutions

260,160

Admin

Updated on September 18, 2022

Comments

Admin over 1 year

I created a key pair using ssh-keygen and get the two clasic id_rsa and id_rsa.pub.

I imported the public key into my AWS EC2 account.

Now I created a windows instance and to decrypt that instance password, AWS console is asking me for a .pem file. How I can get that .pem file from my two id_rsa and id_rsa.pub files?
- Michael Hampton almost 9 years
  
  The private key is already in PEM format and can be used as-is.
- austinian almost 9 years
  
  @MichaelHampton, this will depend on the version of ssh-keygen and the command used to generate the key pair. Some versions use RFC4716 by default, instead of PEM.
Michael Bailey almost 9 years

But they don't need the public key do they? They need the private key for decrypting their password from the AWS Console
Michael Bailey almost 9 years

Not sure how familiarized you are with AWS, but when you spin up a windows instance (basically server) AWS keeps the password from you until you give them your private key. Then they give you the server password. That way Windows and Linux servers on AWS both depend on private keys.
chrish over 8 years

This doesn't work on OS X (ssh -v ==> OpenSSH_6.2p2)
morgwai almost 6 years

contrary to the documentation, it will output PUBLIC key in PEM format, not the private one. currently ssh-keygen does not support converting private keys.
nclark over 4 years

Mike has chosen not to include documentation for the '-b' option. Perhaps obvious to some, that means "4096-bit encryption please". As stated in the linked AWS doc, "The supported lengths are 1024, 2048, and 4096. If you connect using SSH while using the EC2 Instance Connect API, the supported lengths are 2048 and 4096."
Mike Barlow - BarDev over 4 years

@nclard, Not sure why I left that out -b parameter. Just added it.
Bill McGonigle over 4 years

@morgwai : this bit me too. It looks like the documentation is fixed in git, at least: anongit.mindrot.org/openssh.git/tree/ssh-keygen.1
Fumisky Wells about 4 years

For me, 'pkcs8' key_format works to verify signature as follows: "ssh-keygen ... -m pkcs8 ..."
cellepo almost 4 years

Should the argument instead be id_rsa.pub?
fuero almost 4 years

@cellepo No, it shouldn't.
cellepo almost 4 years

Sorry I must be missing something. Why does the description say "convert your public", but the code snippet uses the private key? Is id_rsa not the private key? thanks
fuero almost 4 years

id_rsa contains the keypair, not just the private key.
Admin about 2 years

Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center.
Admin almost 2 years

this generates a new id_rsa... and it removed my old one, what i need is to convert the old one into a .pem file for navicat to use
Admin almost 2 years

> this generates a new id_rsa... It most certainly does not.