
The ssh-keygen command generates .pub files which it describes as "public key files", but they are a totally different format to most "public key files" I've usually seen, which are in PEM format. The ssh-keygen-style files look like this:

ssh-rsa AAAAB3NzaC1... user@host

... whereas the PEM files look like this:

-----BEGIN CERTIFICATE-----
MIIGZjCCBU6gAwIBAgIDCIrNMA0GCSqGSIb3DQEBBQUAMIGMMQsw...
-----END CERTIFICATE-----

Are these two formats interchangeable, or are they performing a fundamentally different purpose? I came across this problem because I wanted to get the RSA2 key fingerprint of my PEM-encoded public key file, but the method usually suggested to do it (ssh-keygen -l) says that my PEM-encoded file "is not a public key file".

By the way, I'm aware of this answer, but it doesn't cover the .pub files generated by ssh-keygen.

Jez
  • Well, an SSH public key is not the same as a certificate in PEM format. Have you looked at this? http://serverfault.com/questions/114301/how-can-i-use-the-same-key-for-ssh-and-ssl-https – cjc Dec 28 '12 at 20:31
  • It is important to be particular here, that you are probably looking at OpenSSH, and not the less common SSH.COM, or other implementations. Standard PEM encoded public key is actually valid for some less common implementations. I know a VMS box I connect to requires a PEM file. – Zoredache Dec 28 '12 at 20:33
  • @cjc, Right, it isn't a certificate, but it also isn't even the same as what you get by running `openssl rsa -in privatekey_rsa -pubout`, which actually is a public key, and not a certificate. – Zoredache Dec 28 '12 at 20:42

1 Answer


OpenSSH key pairs are not PEM or any other x500 standard. New versions of OpenSSH can use X.509 PEM keys, but that's another ball of wax separate from ssh-keygen, and has to be configured explicitly. As best I know, no major implementation of SSH uses the exact same key formats as any other.

As Zoredache notes, if you're using something other than OpenSSH (God help you), then it could be darn near anything.

Chris S
  • Yes, indeed, I had confused SSH and SSL! My OpenSSH daemon was in fact using a `.pub` file on my server, at `/etc/ssh/ssh_host_rsa_key.pub` and was not using any of the SSL certificate authority architecture. When I ran `ssh-keygen -l` on that file, it gave me the server's RSA2 key fingerprint. – Jez Dec 28 '12 at 20:52
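The following is an added example, not code from the question, the answer or OpenSSH itself. It makes the point of both the question (why `ssh-keygen -l` refuses a PEM file) and the answer (the formats are unrelated encodings) concrete: an OpenSSH `.pub` line is base64 of the RFC 4253 wire encoding (`string "ssh-rsa"`, `mpint e`, `mpint n`), a PEM `PUBLIC KEY` block is base64 of a DER `SubjectPublicKeyInfo`, and a `CERTIFICATE` block is a third structure that merely contains one of those. The script encodes and decodes both public-key formats for the same RSA numbers, converts PEM to the OpenSSH line, and computes the fingerprint the way `ssh-keygen -l` does (MD5 colon-hex in older releases, SHA256 base64 in newer ones): over the decoded OpenSSH blob, never over the PEM bytes. The key material is constructed for the demo and is not a real modulus.

```python
import base64
import hashlib
import struct

# ---- OpenSSH public-key line: "ssh-rsa <base64 blob> comment" ----------------
# The blob is RFC 4253 wire encoding: string "ssh-rsa", mpint e, mpint n.

def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def ssh_mpint(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:          # mpint is signed: pad so the value stays positive
        b = b"\x00" + b
    return ssh_string(b)

def encode_openssh_rsa(e: int, n: int, comment: str) -> str:
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def decode_openssh_rsa(line: str):
    """Return (e, n, blob); ValueError for anything that is not an ssh-rsa line."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an OpenSSH ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack(">I", blob[off:off + 4])
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated field")
        fields.append(blob[off:off + length])
        off += length
    if len(fields) != 3 or fields[0] != b"ssh-rsa":   # type inside blob must match
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big"), blob

# ---- PEM "PUBLIC KEY" block: DER SubjectPublicKeyInfo (X.509 / PKCS#8 style) --
RSA_OID = bytes.fromhex("06092a864886f70d010101")   # OID 1.2.840.113549.1.1.1 rsaEncryption

def der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_len(len(content)) + content

def der_int(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 7) // 8, "big") or b"\x00"
    if b[0] & 0x80:                # DER INTEGER is signed too
        b = b"\x00" + b
    return der_tlv(0x02, b)

def der_read(buf: bytes, off: int):
    """Read one DER TLV at buf[off]; return (tag, content, offset after it)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:              # long form: low bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[off:off + nbytes], "big")
        off += nbytes
    return tag, buf[off:off + length], off + length

def encode_pem_spki(e: int, n: int) -> str:
    rsa_pub = der_tlv(0x30, der_int(n) + der_int(e))               # RSAPublicKey
    alg = der_tlv(0x30, RSA_OID + b"\x05\x00")                      # AlgorithmIdentifier
    spki = der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + rsa_pub))   # BIT STRING, 0 unused bits
    b64 = base64.b64encode(spki).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"

def decode_pem_spki(pem: str):
    if "-----BEGIN PUBLIC KEY-----" not in pem:
        raise ValueError("expected a PEM 'PUBLIC KEY' (SubjectPublicKeyInfo) block, "
                         "not a certificate or private key")
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    tag, spki, _ = der_read(base64.b64decode(body), 0)
    _, alg, off = der_read(spki, 0)
    bits_tag, bits, _ = der_read(spki, off)
    if tag != 0x30 or not alg.startswith(RSA_OID) or bits_tag != 0x03:
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    _, rsa_pub, _ = der_read(bits[1:], 0)      # bits[0] is the unused-bits count
    _, n_bytes, off = der_read(rsa_pub, 0)
    _, e_bytes, _ = der_read(rsa_pub, off)
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big")

def pem_to_openssh(pem: str, comment: str = "converted") -> str:
    e, n = decode_pem_spki(pem)
    return encode_openssh_rsa(e, n, comment)

def fingerprints(blob: bytes) -> dict:
    """Fingerprints as ssh-keygen -l prints them, computed over the OpenSSH blob."""
    md5 = hashlib.md5(blob).hexdigest()
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return {"MD5": ":".join(md5[i:i + 2] for i in range(0, 32, 2)), "SHA256": sha}

# Constructed sample key material (NOT a real modulus: a 2048-bit odd number with
# the top bit set, chosen so both encoders' sign-padding paths are exercised).
E = 65537
N = (1 << 2047) + 12345
OPENSSH_LINE = encode_openssh_rsa(E, N, "jez@host")
PEM_TEXT = encode_pem_spki(E, N)

if __name__ == "__main__":
    print(OPENSSH_LINE[:40] + "...")
    print(fingerprints(decode_openssh_rsa(OPENSSH_LINE)[2]))
    print(fingerprints(decode_openssh_rsa(pem_to_openssh(PEM_TEXT))[2]))   # same values
```

Run it and the two fingerprint lines match, because after conversion the blob bytes are identical; feed it the certificate from the question instead and `decode_pem_spki` rejects it for the same reason `ssh-keygen -l` does. For real keys you do not need this script: OpenSSH's own converter handles the PEM direction (`ssh-keygen -i -m PKCS8 -f key.pem` imports a PEM public key, `ssh-keygen -e -m PKCS8` exports one), so the practical workflow is convert, then fingerprint the resulting OpenSSH line.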