How to get a .pem file from ssh key pair?

Solution 1

According to this, this command can be used:

ssh-keygen -f id_rsa -e -m pem

This will convert your public key to an OpenSSL compatible format. Your private key is already in PEM format and can be used as is (as Michael Hampton stated).

Double check if AWS isn't asking for a (X.509) certificate in PEM format, which would be a different thing than your SSH keys.

Solution 2

Using ssh-keygen to export the key in the .pem format worked for me.

ssh-keygen -f id_rsa.pub -m 'PEM' -e > id_rsa.pub.pem

Then simply copy the .pem key as necessary.

Options as follows: (See man ssh-keygen)

  • -f id_rsa.pub: input file
  • -m 'PEM': output format PEM
  • -e: output to STDOUT

Solution 3

Initially, when using ssh-keygen, I could generate a public key that was compatible with AWS EC2, but had issues with creating private keys that were compatible. The following creates both public and private key pairs that are compatible with AWS EC2.

ssh-keygen -P "" -t rsa -b 4096 -m pem -f my-key-pair

Here's info on each parameter:

  • -P: is for passphrase. Intentionally set to empty.
  • -t: Specifies the type of key to create. AWS EC2 Key Pair requires RSA. It's my experience that this pertains to the public key that is created.
  • -b: Specifies the number of bits in the key. The supported lengths are 1024, 2048, and 4096. If you connect using SSH while using the EC2 Instance Connect API, the supported lengths are 2048 and 4096.
  • -m: Specifies a key format for key generation. Setting a format of “PEM” when generating a supported private key type will cause the key to be stored in the legacy PEM private key format. AWS EC2 Key Pairs need the legacy format.
  • -f: Specifies the output filename of the key file

Resources:

For more information on ssh-keygen, see: https://man.openbsd.org/ssh-keygen.1

AWS - EC2 Key Pairs - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html

Solution 4

id_rsa is the file that you have to use to decrypt the Windows EC2 instance password, but just make sure that the file you copy paste is not phrase protected.

I solved the problem by getting a temporarily unprotected id_rsa file with something like:

$ openssl rsa -in ~/.ssh/id_rsa -out tmp_file.pem
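
Added example (not part of any answer above): a POSIX shell helper that reports which container format a key file uses by reading its first two lines, plus a wrapper that converts a copy of a private key to legacy PEM. The function names `key_format` and `to_legacy_pem` and the labels they print are made up for this example; `ssh-keygen -p -m PEM` assumes an OpenSSH release whose man page documents `-m` for the `-p` operation.

```shell
#!/bin/sh
# Added example: identify a key file's container format from its first lines.
# Function names and output labels are made up for this illustration.

# key_format FILE -> prints one label; no key material is printed.
key_format() {
    # Strip CR so files saved with Windows line endings still match
    first=$(sed -n '1p' "$1" | tr -d '\r')
    second=$(sed -n '2p' "$1" | tr -d '\r')
    case "$first" in
        "-----BEGIN RSA PRIVATE KEY-----")
            # Legacy PEM; a passphrase-protected one has a Proc-Type header
            case "$second" in
                "Proc-Type: 4,ENCRYPTED") echo "pem-rsa-private-encrypted" ;;
                *) echo "pem-rsa-private" ;;
            esac ;;
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            # OpenSSH's own format; encryption is not visible in the header
            echo "openssh-private" ;;
        "-----BEGIN PRIVATE KEY-----") echo "pkcs8-private" ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo "pkcs8-private-encrypted" ;;
        "-----BEGIN RSA PUBLIC KEY-----") echo "pem-rsa-public" ;;
        "-----BEGIN PUBLIC KEY-----") echo "pkcs8-public" ;;
        "---- BEGIN SSH2 PUBLIC KEY ----") echo "rfc4716-public" ;;
        "ssh-rsa "*) echo "openssh-rsa-public" ;;
        *) echo "unknown" ;;
    esac
}

# to_legacy_pem SRC DST: convert a COPY of a private key to legacy PEM.
# ssh-keygen -p rewrites the file it is given, so SRC is never touched.
to_legacy_pem() {
    [ -e "$2" ] && { echo "refusing to overwrite $2" >&2; return 1; }
    ( umask 077 && cp "$1" "$2" ) || return 1
    # Prompts for the old and the new passphrase
    ssh-keygen -p -m PEM -f "$2"
}

# Usage: sh keyfmt.sh FILE
if [ $# -eq 1 ]; then key_format "$1"; fi
```

A result of `pem-rsa-private-encrypted` means the file is passphrase protected, which is the case Solution 4 works around; delete any unprotected temporary copy once it has been used.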
Author: Admin

Updated on September 18, 2022

Comments

  • Admin
    Admin over 1 year

    I created a key pair using ssh-keygen and got the two classic id_rsa and id_rsa.pub.

    I imported the public key into my AWS EC2 account.

    Now I created a Windows instance and to decrypt that instance password, AWS console is asking me for a .pem file. How can I get that .pem file from my two id_rsa and id_rsa.pub files?

    • Michael Hampton
      Michael Hampton almost 9 years
      The private key is already in PEM format and can be used as-is.
    • austinian
      austinian almost 9 years
      @MichaelHampton, this will depend on the version of ssh-keygen and the command used to generate the key pair. Some versions use RFC4716 by default, instead of PEM.
  • Michael Bailey
    Michael Bailey almost 9 years
    But they don't need the public key, do they? They need the private key for decrypting their password from the AWS Console.
  • Michael Bailey
    Michael Bailey almost 9 years
    Not sure how familiarized you are with AWS, but when you spin up a Windows instance (basically server) AWS keeps the password from you until you give them your private key. Then they give you the server password. That way Windows and Linux servers on AWS both depend on private keys.
  • chrish
    chrish over 8 years
    This doesn't work on OS X (ssh -v ==> OpenSSH_6.2p2)
  • morgwai
    morgwai almost 6 years
    Contrary to the documentation, it will output the PUBLIC key in PEM format, not the private one. Currently ssh-keygen does not support converting private keys.
  • nclark
    nclark over 4 years
    Mike has chosen not to include documentation for the '-b' option. Perhaps obvious to some, that means "4096-bit encryption please". As stated in the linked AWS doc, "The supported lengths are 1024, 2048, and 4096. If you connect using SSH while using the EC2 Instance Connect API, the supported lengths are 2048 and 4096."
  • Mike Barlow - BarDev
    Mike Barlow - BarDev over 4 years
    @nclark, not sure why I left out that -b parameter. Just added it.
  • Bill McGonigle
    Bill McGonigle over 4 years
    @morgwai : this bit me too. It looks like the documentation is fixed in git, at least: anongit.mindrot.org/openssh.git/tree/ssh-keygen.1
  • Fumisky Wells
    Fumisky Wells about 4 years
    For me, 'pkcs8' key_format works to verify signature as follows: "ssh-keygen ... -m pkcs8 ..."
  • cellepo
    cellepo almost 4 years
    Should the argument instead be id_rsa.pub?
  • fuero
    fuero almost 4 years
    @cellepo No, it shouldn't.
  • cellepo
    cellepo almost 4 years
    Sorry I must be missing something. Why does the description say "convert your public", but the code snippet uses the private key? Is id_rsa not the private key? thanks
  • fuero
    fuero almost 4 years
    id_rsa contains the keypair, not just the private key.
  • Admin
    Admin about 2 years
    Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center.
  • Admin
    Admin almost 2 years
    This generates a new id_rsa... and it removed my old one. What I need is to convert the old one into a .pem file for Navicat to use.
  • Admin
    Admin almost 2 years
    > this generates a new id_rsa... It most certainly does not.