
I created a key pair using ssh-keygen and got the two classic id_rsa and id_rsa.pub files.

I imported the public key into my AWS EC2 account.

Now I have created a Windows instance, and to decrypt that instance's password the AWS console is asking me for a .pem file. How can I get that .pem file from my two id_rsa and id_rsa.pub files?

6 Answers


According to this, this command can be used:

ssh-keygen -f id_rsa -e -m pem

This will convert your public key to an OpenSSL compatible format. Your private key is already in PEM format and can be used as is (as Michael Hampton stated).

Double check if AWS isn't asking for a (X.509) certificate in PEM format, which would be a different thing than your SSH keys.

fuero
  • But they don't need the public key, do they? They need the private key for decrypting their password from the AWS Console – Michael Bailey Jul 16 '15 at 18:40
  • I have no idea what OP needs this for. – fuero Jul 16 '15 at 18:41
  • Not sure how familiarized you are with AWS, but when you spin up a Windows instance (basically a server) AWS keeps the password from you until you give them your private key. Then they give you the server password. That way Windows and Linux servers on AWS both depend on private keys. – Michael Bailey Jul 16 '15 at 18:43
  • There's also good information on this here: http://unix.stackexchange.com/questions/26924/how-do-i-convert-a-ssh-keygen-public-key-into-a-format-that-openssl-pem-read-bio – austinian Jul 16 '15 at 20:17
  • This doesn't work on OS X (ssh -v ==> OpenSSH_6.2p2) – chrish Mar 03 '16 at 20:50
  • Contrary to the documentation, it will output the PUBLIC key in PEM format, not the private one. Currently ssh-keygen does not support converting private keys. – morgwai Aug 10 '18 at 08:44
  • @morgwai: this bit me too. It looks like the documentation is fixed in git, at least: https://anongit.mindrot.org/openssh.git/tree/ssh-keygen.1 – Bill McGonigle Mar 16 '20 at 15:53
  • Should the argument instead be `id_rsa.pub`? – cellepo Jul 27 '20 at 22:16
  • @cellepo No, it shouldn't. – fuero Jul 28 '20 at 06:01
  • Sorry, I must be missing something. Why does the description say "convert your public", but the code snippet uses the private key? Is id_rsa not the private key? Thanks – cellepo Jul 30 '20 at 01:53
  • `id_rsa` contains the key**pair**, not just the private key. – fuero Jul 30 '20 at 07:41
  • This generates a new id_rsa... and it removed my old one. What I need is to convert the old one into a .pem file for navicat to use – Aero Windwalker Jul 04 '22 at 10:13
  • > this generates a new id_rsa... It most certainly does not. – fuero Jul 04 '22 at 14:43

Using ssh-keygen to export the key in the .pem format worked for me.

ssh-keygen -f id_rsa.pub -m 'PEM' -e > id_rsa.pub.pem

Then simply copy the .pem key as necessary.

Options as follows: (See man ssh-keygen)

  • -f id_rsa.pub: input file
  • -m 'PEM': output format PEM
  • -e: output to STDOUT
StackzOfZtuff
Matt

Initially, when using ssh-keygen, I could generate a public key that was compatible with AWS EC2, but had issues with creating private keys that were compatible. The following creates both public and private key pairs that are compatible with AWS EC2.

ssh-keygen -P "" -t rsa -b 4096 -m pem -f my-key-pair

Here's info on each parameter:

  • -P: is for passphrase. Intentionally set to empty.
  • -t: Specifies the type of key to create. AWS EC2 Key Pairs require RSA. It's my experience that this pertains to the public key that is created.
  • -b: Specifies the number of bits in the key. The supported lengths are 1024, 2048, and 4096. If you connect using SSH while using the EC2 Instance Connect API, the supported lengths are 2048 and 4096.
  • -m: Specifies a key format for key generation. Setting a format of “PEM” when generating a supported private key type will cause the key to be stored in the legacy PEM private key format. AWS EC2 Key Pairs need the legacy format.
  • -f: Specifies the output filename of the key file.

Resources:

For more information on ssh-keygen, see: https://man.openbsd.org/ssh-keygen.1

AWS - EC2 Key Pairs - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html

  • Mike has chosen not to include documentation for the '-b' option. Perhaps obvious to some, that means "4096-bit encryption please". As stated in the linked AWS doc, "The supported lengths are 1024, 2048, and 4096. If you connect using SSH while using the EC2 Instance Connect API, the supported lengths are 2048 and 4096." – nclark Oct 23 '19 at 19:51
  • @nclard, not sure why I left out the -b parameter. Just added it. – Mike Barlow - BarDev Oct 24 '19 at 04:03

id_rsa is the file that you have to use to decrypt the Windows EC2 instance password, but make sure that the file you copy and paste is not passphrase protected.

I solved the problem by getting a temporarily unprotected id_rsa file with something like:

$ openssl rsa -in ~/.ssh/id_rsa -out tmp_file.pem
slm
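Much of the confusion in this thread (fuero's and StackzOfZtuff's answers, and slm's note about passphrases) comes down to not being sure which file is which and in what format. The following added example, not from any answer above, inspects the headers that OpenSSH and legacy PEM files actually use and reports the problems the answers describe: a public key pasted where the private key is needed, the newer OpenSSH container instead of legacy PEM, or a passphrase-protected key. The sample key files are constructed inline (arbitrary bytes and an arbitrary 2048-bit number, not real keys) so it runs offline.

```python
import base64, struct
MAGIC = b"openssh-key-v1\x00"        # header of the OPENSSH PRIVATE KEY container

def _ssh_string(b):
    """SSH wire 'string': uint32 big-endian length followed by the bytes (RFC 4251)."""
    return struct.pack(">I", len(b)) + b

def _read_string(buf, off):
    (n,) = struct.unpack(">I", buf[off:off + 4])
    return buf[off + 4:off + 4 + n], off + 4 + n

def classify_key(text):
    """Return (kind, detail) for the text of a key file."""
    lines = text.strip().splitlines()
    first = lines[0]
    if first.startswith("ssh-rsa "):                    # one-line OpenSSH public key (id_rsa.pub)
        blob = base64.b64decode(first.split()[1])       # blob = string "ssh-rsa", mpint e, mpint n
        _, off = _read_string(blob, 0)
        _, off = _read_string(blob, off)
        n, _ = _read_string(blob, off)
        return "openssh-public", f"ssh-rsa {int.from_bytes(n, 'big').bit_length()} bits"
    if first == "-----BEGIN OPENSSH PRIVATE KEY-----":  # newer OpenSSH private key container
        blob = base64.b64decode("".join(lines[1:-1]))
        cipher, _ = _read_string(blob, len(MAGIC))      # ciphername "none" means no passphrase
        return "openssh-private", "unencrypted" if cipher == b"none" else "encrypted:" + cipher.decode()
    if first == "-----BEGIN RSA PRIVATE KEY-----":      # legacy PEM, what the thread calls ".pem"
        enc = any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines)
        return "pem-rsa-private", "encrypted" if enc else "unencrypted"
    return "unknown", first

def aws_ready(text):
    """Problems the answers above would flag before this file goes into the console."""
    kind, detail = classify_key(text)
    issues = []
    if kind == "openssh-public":
        issues.append("public key: the console needs the private key (id_rsa)")
    elif kind == "openssh-private":
        issues.append("OpenSSH container: the answers use legacy PEM (ssh-keygen -m pem)")
    if detail.startswith("encrypted"):
        issues.append("passphrase-protected: remove it first (openssl rsa -in id_rsa -out tmp.pem)")
    return issues

# constructed samples, not real keys: the RSA modulus is an arbitrary 2048-bit number
def _pem(label, body, headers=""):
    return f"-----BEGIN {label}-----\n{headers}{base64.b64encode(body).decode()}\n-----END {label}-----\n"

_n_bytes = b"\x00" + ((1 << 2047) | 1).to_bytes(256, "big")   # mpint: leading 0x00 keeps it positive
SAMPLE_PUB = "ssh-rsa " + base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(_n_bytes)).decode() + " user@host\n"
SAMPLE_OPENSSH_PLAIN = _pem("OPENSSH PRIVATE KEY", MAGIC + _ssh_string(b"none") + _ssh_string(b"none"))
SAMPLE_OPENSSH_ENC = _pem("OPENSSH PRIVATE KEY", MAGIC + _ssh_string(b"aes256-ctr") + _ssh_string(b"bcrypt"))
SAMPLE_PEM_PLAIN = _pem("RSA PRIVATE KEY", b"\x30\x00")
SAMPLE_PEM_ENC = _pem("RSA PRIVATE KEY", bytes(16), "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\n")
```

Run `aws_ready(open("id_rsa").read())` on your own file; an empty list means it is an unencrypted legacy PEM private key, the shape the answers above describe as working.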

Add your public key to authorized_keys on your server:

cat .ssh/id_rsa.pub >> .ssh/authorized_keys

or you can add it manually using your text editor in your server.

Copy your private key on your server:

cp .ssh/id_rsa /home/your_user/your_key.pem

Now, on your client PC, download the key from the server:

scp your_user@yourhostserver.com:/home/your_user/your_key.pem /home/your_local_user/Downloads/

When you launch an EC2 instance, you assign to it a key pair (or none). It cannot be changed afterwards.

Only using that .pem file from that key pair will you be able to decrypt the Windows password.

The .pem file would have been downloaded when the key pair was created. You cannot get it again. If you have lost it, you're out of luck.

You cannot use a .pem file that you generated yourself unless you imported that key into AWS before the instance was launched and assigned it to the instance.

Simply put, if you don't have the original .pem file, you cannot get the password.

Edit: after re-reading the question, I realize the OP had imported his key into AWS.

Matt Houser