How to get a .pem file from ssh key pair?
Solution 1
According to this, this command can be used:
ssh-keygen -f id_rsa -e -m pem
This will convert your public key to an OpenSSL compatible format. Your private key is already in PEM format and can be used as is (as Michael Hampton stated).
Double check if AWS isn't asking for a (X.509) certificate in PEM format, which would be a different thing than your SSH keys.
Solution 2
Using ssh-keygen to export the key in the .pem format worked for me.
ssh-keygen -f id_rsa.pub -m 'PEM' -e > id_rsa.pub.pem
Then simply copy the .pem key as necessary.
Options as follows: (See man ssh-keygen)
- -f id_rsa.pub: input file
- -m 'PEM': output format PEM
- -e: output to STDOUT
Solution 3
Initially, when using ssh-keygen, I could generate a public key that was compatible with AWS EC2, but had issues with creating private keys that were compatible. The following creates both public and private key pairs that are compatible with AWS EC2.
ssh-keygen -P "" -t rsa -b 4096 -m pem -f my-key-pair
Here's info on each parameter:
- -P: is for passphrase. Intentionally set to empty.
- -t: Specifies the type of key to create. AWS EC2 Key Pair requires RSA. It's my experience that this pertains to the public key that is created.
- -b: Specifies the number of bits in the key. The supported lengths are 1024, 2048, and 4096. If you connect using SSH while using the EC2 Instance Connect API, the supported lengths are 2048 and 4096.
- -m: Specifies a key format for key generation. Setting a format of “PEM” when generating a supported private key type will cause the key to be stored in the legacy PEM private key format. AWS EC2 Key Pairs need the legacy format.
- -f: Specifies the output filename of the key file
Resources:
For more information on ssh-keygen, see: https://man.openbsd.org/ssh-keygen.1
AWS - EC2 Key Pairs - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html
Solution 4
id_rsa is the file that you have to use to decrypt the Windows EC2 instance password, but just make sure that the file you copy paste is not phrase protected.
I solved the problem by getting a temporarily unprotected id_rsa file with something like:
$ openssl rsa -in ~/.ssh/id_rsa -out tmp_file.pem
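An added example (not from any of the answers): a shell check of which container format a key file is in, judged by its header lines, since the answers and comments turn on whether id_rsa is already an unencrypted legacy-PEM RSA key. The function names and sample files are made up for the illustration, and the sample files hold placeholder bodies, not key material.

```shell
#!/bin/sh
# classify_key FILE: print a label for the key container format, judged from
# the header lines only (no key material is parsed or decrypted).
classify_key() {
    [ -r "$1" ] || return 2
    first=$(head -n 1 "$1" | tr -d '\r')
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh-private ;;
        "-----BEGIN RSA PRIVATE KEY-----")
            # Legacy PEM; a Proc-Type header marks a passphrase-encrypted key.
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
                echo pem-rsa-private-encrypted
            else
                echo pem-rsa-private
            fi ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8-private-encrypted ;;
        "-----BEGIN PRIVATE KEY-----") echo pkcs8-private ;;
        "-----BEGIN RSA PUBLIC KEY-----") echo pem-rsa-public ;;
        "-----BEGIN PUBLIC KEY-----") echo pkcs8-public ;;
        "---- BEGIN SSH2 PUBLIC KEY ----") echo rfc4716-public ;;
        ssh-rsa\ *) echo openssh-public ;;
        *) echo unknown ;;
    esac
}

# True only for the case the answers describe as usable: an unencrypted
# legacy-PEM RSA private key.
usable_as_is() { [ "$(classify_key "$1")" = pem-rsa-private ]; }

# Constructed sample files: real header lines, placeholder bodies.
make_samples() {
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' 'placeholder' \
        '-----END OPENSSH PRIVATE KEY-----' > "$1/new_default"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'DEK-Info: AES-128-CBC,placeholder' '' 'placeholder' \
        '-----END RSA PRIVATE KEY-----' > "$1/legacy_encrypted"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'placeholder' \
        '-----END RSA PRIVATE KEY-----' > "$1/legacy_plain"
    printf '%s\n' 'ssh-rsa placeholder user@host' > "$1/id_rsa.pub"
}

tmp=$(mktemp -d)
make_samples "$tmp"
for f in "$tmp"/*; do
    printf '%-18s %s\n' "${f##*/}" "$(classify_key "$f")"
done
rm -rf "$tmp"
```

For a file reported as openssh-private, current OpenSSH man pages document `ssh-keygen -p -m PEM -f <file>` as rewriting the private key in PEM format in place, so run it on a copy. For pem-rsa-private-encrypted, the openssl rsa command in Solution 4 applies.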
Admin
Updated on September 18, 2022
Comments
- Admin, over 1 year:
I created a key pair using ssh-keygen and got the two classic id_rsa and id_rsa.pub.
I imported the public key into my AWS EC2 account.
Now I created a Windows instance and to decrypt that instance password, AWS console is asking me for a .pem file. How can I get that .pem file from my two id_rsa and id_rsa.pub files?
- Michael Hampton, almost 9 years: The private key is already in PEM format and can be used as-is.
- austinian, almost 9 years: @MichaelHampton, this will depend on the version of ssh-keygen and the command used to generate the key pair. Some versions use RFC4716 by default, instead of PEM.
- Michael Bailey, almost 9 years: But they don't need the public key do they? They need the private key for decrypting their password from the AWS Console
- Michael Bailey, almost 9 years: Not sure how familiarized you are with AWS, but when you spin up a Windows instance (basically server) AWS keeps the password from you until you give them your private key. Then they give you the server password. That way Windows and Linux servers on AWS both depend on private keys.
- chrish, over 8 years: This doesn't work on OS X (ssh -v ==> OpenSSH_6.2p2)
- morgwai, almost 6 years: contrary to the documentation, it will output PUBLIC key in PEM format, not the private one. currently ssh-keygen does not support converting private keys.
- nclark, over 4 years: Mike has chosen not to include documentation for the '-b' option. Perhaps obvious to some, that means "4096-bit encryption please". As stated in the linked AWS doc, "The supported lengths are 1024, 2048, and 4096. If you connect using SSH while using the EC2 Instance Connect API, the supported lengths are 2048 and 4096."
- Mike Barlow - BarDev, over 4 years: @nclark, not sure why I left out that -b parameter. Just added it.
- Bill McGonigle, over 4 years: @morgwai : this bit me too. It looks like the documentation is fixed in git, at least: anongit.mindrot.org/openssh.git/tree/ssh-keygen.1
- Fumisky Wells, about 4 years: For me, 'pkcs8' key_format works to verify signature as follows: "ssh-keygen ... -m pkcs8 ..."
- cellepo, almost 4 years: Should the argument instead be id_rsa.pub?
- fuero, almost 4 years: @cellepo No, it shouldn't.
- cellepo, almost 4 years: Sorry I must be missing something. Why does the description say "convert your public", but the code snippet uses the private key? Is id_rsa not the private key? thanks
- fuero, almost 4 years: id_rsa contains the keypair, not just the private key.
- Admin, about 2 years: Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center.
- Admin, almost 2 years: this generates a new id_rsa... and it removed my old one, what I need is to convert the old one into a .pem file for navicat to use
- Admin, almost 2 years: > this generates a new id_rsa... It most certainly does not.