Convert OpenSSH ED25519 Private Key Format to PEM format - private-key

I have generated an ED25519 SSH key pair using
ssh-keygen -t ed25519
The output of the id_ed25519 file is in OpenSSH format:
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
I would like to convert it to a PEM file format. If it were an RSA key pair, there would be no need for that, as an RSA id_rsa key is already in PEM format, but the ED25519 key pair is in OpenSSH format.
How can I convert this to a PEM file format?

Use
ssh-keygen -p -f path/to/your/key -m pem
to convert your key file to PEM, but be sure to make a backup of the file first.
Taken from https://github.com/pickware/github-action-ssh-agent

I think this would work:
openssl pkey -in ed25519.pem -out ed25519.pub -pubout
It does for a private key generated this way:
openssl genpkey -algorithm ed25519 > ed25519.pem
I haven't tested ssh-keygen's private key format explicitly but I would assume that it is using OpenSSL under the hood. If the private key's base64 starts with "MC", then I would say it probably would be compatible.
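An added example, not code from the question or either answer above: the "BEGIN OPENSSH PRIVATE KEY" container is OpenSSH's own "openssh-key-v1" layout, which OpenSSL does not read, so the Ed25519 seed has to be pulled out of that blob and re-wrapped as a PKCS#8 PrivateKeyInfo (RFC 8410), which is the "BEGIN PRIVATE KEY" form OpenSSL expects. The script below does that with the standard library only, refuses passphrase-protected containers (those need bcrypt_pbkdf; strip the passphrase with ssh-keygen -p first), and ships a constructed fixture builder so it can be exercised offline. In the fixture the public-key bytes are arbitrary and not derived from the seed, so it is not a usable key pair; names such as openssh_ed25519_seed and seed_to_pkcs8_pem are this example's own.

```python
"""Convert an unencrypted OpenSSH Ed25519 private key to PKCS#8 PEM (added example, stdlib only)."""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"
# DER prefix of PrivateKeyInfo for Ed25519 (RFC 8410, section 7):
# SEQUENCE { INTEGER 0, SEQUENCE { OID 1.3.101.112 }, OCTET STRING { OCTET STRING <32-byte seed> } }
PKCS8_ED25519_PREFIX = bytes.fromhex("302e020100300506032b657004220420")


def _read_string(buf: bytes, off: int):
    """Read one SSH 'string' (uint32 big-endian length + bytes); return (value, next offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated SSH string")
    return buf[off:off + n], off + n


def pem_body(pem: str, label: str) -> bytes:
    """Base64-decode the body of the first '-----BEGIN <label>-----' block in pem."""
    begin, end = f"-----BEGIN {label}-----", f"-----END {label}-----"
    if begin not in pem or end not in pem:
        raise ValueError(f"no {label} block found")
    inner = pem.split(begin, 1)[1].split(end, 1)[0]
    return base64.b64decode("".join(inner.split()))


def openssh_ed25519_seed(pem: str) -> bytes:
    """Extract the 32-byte Ed25519 seed from an unencrypted OpenSSH private key."""
    blob = pem_body(pem, "OPENSSH PRIVATE KEY")
    if not blob.startswith(OPENSSH_MAGIC):
        raise ValueError("bad magic: not an openssh-key-v1 container")
    off = len(OPENSSH_MAGIC)
    cipher, off = _read_string(blob, off)
    kdf, off = _read_string(blob, off)
    _kdf_options, off = _read_string(blob, off)
    if cipher != b"none" or kdf != b"none":
        # Decrypting needs bcrypt_pbkdf; remove the passphrase with 'ssh-keygen -p' first.
        raise ValueError("passphrase-protected container; run ssh-keygen -p with an empty new passphrase first")
    (nkeys,) = struct.unpack_from(">I", blob, off)
    off += 4
    if nkeys != 1:
        raise ValueError(f"expected one key, found {nkeys}")
    _public_blob, off = _read_string(blob, off)
    priv, off = _read_string(blob, off)

    # Private section: checkint twice, key type, public key, private key, comment, padding.
    check1, check2 = struct.unpack_from(">II", priv, 0)
    if check1 != check2:
        raise ValueError("check integers differ (corrupt container or wrong passphrase)")
    p = 8
    key_type, p = _read_string(priv, p)
    if key_type != b"ssh-ed25519":
        raise ValueError(f"not an Ed25519 key: {key_type!r}")
    pub, p = _read_string(priv, p)
    sk, p = _read_string(priv, p)          # 64 bytes: seed || public key
    if len(pub) != 32 or len(sk) != 64 or sk[32:] != pub:
        raise ValueError("malformed Ed25519 key material")
    _comment, p = _read_string(priv, p)
    # Padding must be 1, 2, 3, ... up to the cipher block size (8 when unencrypted).
    if priv[p:] != bytes(range(1, len(priv) - p + 1)):
        raise ValueError("bad padding")
    return sk[:32]


def seed_to_pkcs8_pem(seed: bytes) -> str:
    """Wrap a 32-byte Ed25519 seed as a PKCS#8 'BEGIN PRIVATE KEY' PEM (what OpenSSL reads)."""
    if len(seed) != 32:
        raise ValueError("Ed25519 seed must be 32 bytes")
    b64 = base64.b64encode(PKCS8_ED25519_PREFIX + seed).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END PRIVATE KEY-----\n"


def build_openssh_ed25519_fixture(seed: bytes, pub: bytes, comment: bytes = b"test@example") -> str:
    """Constructed test fixture: an unencrypted openssh-key-v1 container.
    'pub' is stored as given and NOT derived from 'seed', so this is not a usable key pair."""
    def s(b: bytes) -> bytes:
        return struct.pack(">I", len(b)) + b
    priv = struct.pack(">II", 0x12345678, 0x12345678) + s(b"ssh-ed25519") + s(pub) + s(seed + pub) + s(comment)
    priv += bytes(range(1, (-len(priv)) % 8 + 1))
    blob = (OPENSSH_MAGIC + s(b"none") + s(b"none") + s(b"") + struct.pack(">I", 1)
            + s(s(b"ssh-ed25519") + s(pub)) + s(priv))
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return "-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines) + "\n-----END OPENSSH PRIVATE KEY-----\n"


if __name__ == "__main__":
    import sys
    with open(sys.argv[1]) as f:           # an unencrypted copy of id_ed25519
        print(seed_to_pkcs8_pem(openssh_ed25519_seed(f.read())), end="")
```

The resulting file's base64 starts with "MC4CAQAwBQYDK2VwBCIEI" for any Ed25519 key, which is the "MC" prefix the second answer alludes to; after converting a real key, openssl pkey -in converted.pem -pubout should print a public key whose raw 32 bytes match those in the original OpenSSH container.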

Related

Formatting SSL certificates from console output?

I have PEM files for a MySQL instance (note the example is changed for security)
They are outputted into a JSON string which is on the console.
The PEM files have been escaped with their ASCII representations of newlines etc.
-----BEGIN CERTIFICATE-----\nMIIDfzCCAmegAwIBAgIBADANBgkqhkiG9w0BAQsFADB3MS0wKwYDVQQuEyQwMjI2\nNmQ5OC1jNmI2LTQxZGMtYTVmNi03OWJiNjMxOWMxYTQxIzAhBgNVBAMTGkdvb2ds\nZSBDbG91ZCBTUUwgU2VydmVyIENBMRQwEgYDVQQKEwtHb29nbGUsIEluYzELMAkG\nA1UEBhMCVVMwHhcNMTkwMzI5MTQwNDEwWhcNMjkwMzI2MTQwNTEwWjB3MS0wKwYD\nVQQuEyQwMjI2NmQ5OC1jNmI2LTQxZGMtYTVmNi03OWJiNjMxOWMxYTQxIzAhBgNV\nBAMTGkdvasdasdasdasdasdasdas6x15Ls6ntW9qhPy18vOsO81Dn\nQON6GohHPhvf9TRqMZO9vQ06wZ5NO8/xNfICPK0xmrGOPKwI0hHlRY+Vq5dzbGFE\nynD4EQiyua6jDPwB8I8SCy7UUWxCIzlhpAHbSCZ2/i2DdTpYfhzuxngM6kleyyOU\nWEm843h6Lug/SEntVi7Y5stnAgMBAAGjFjAUMBIGA1UdEwEB/wQIMAYBAf8CAQAw\nDQYJKoZIhvcNAQELBQADggEBAFzMYlOvLhNUPWkhqOzOZs1cNSv1kB+dswWkGA+/\nci7j5pdjQheQoloXymP8XQUsY/183huyAGPZiMX5BJ1wgpicbKB3RPfv/jcsCKfP\nO3eEbKgXZDztOTG9Z7Tyj4a7m9Ka71HfylE4O2Pq5k3YuXfhozK60I8LirHraZnT\n/CGSIe+xVk2EbWqf44lLJUYQqMZ2MrnXCbAmVNai6Bt8cWzF7J+8itEojrt57229\n1th5TlMHOcKJhdWZiKoFA33UoosL0AcLDZU45K3TThn5/dykLR7buU9JHXc3SC6n\nPV/K/x7dz9sEoM+agSc9V7pCzcB8A/ImxFmOkqzCnIYkN5c=\n-----END CERTIFICATE-----
In this format the file is invalid when using SSL. What is the best way to format this text using vim or another suitable unix tool?
So that the result is something like this:
-----BEGIN RSA PRIVATE KEY-----
...
-----END RSA PRIVATE KEY-----
Try this:
jq -r '.json_path.to.your.private_key' your_json_file
jq is available in all major distros https://stedolan.github.io/jq/download/
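An added example, not from the question or the jq answer, that does the same extraction in Python and adds the checks worth running before handing the file to a TLS stack: it turns the JSON-escaped \n sequences back into real newlines, re-wraps the base64 at 64 columns, and confirms the body decodes to DER (first byte 0x30, a SEQUENCE). The JSON document and the certificate body below are constructed placeholders, not a real certificate; normalize_pem and pem_from_json are this example's own names.

```python
"""Recover a PEM block that was printed as a JSON-escaped console string (added example)."""
import base64
import json
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)


def normalize_pem(text: str) -> str:
    """Turn literal '\\n' escapes, CRs and odd wrapping into a clean 64-column PEM block,
    and confirm the body is base64-encoded DER before it is used."""
    text = text.replace("\\n", "\n").replace("\r", "")
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), "".join(m.group(2).split())
    der = base64.b64decode(body, validate=True)        # raises binascii.Error on corrupt base64
    if not der or der[0] != 0x30:                       # certificates and keys are DER SEQUENCEs
        raise ValueError("decoded body is not DER (expected SEQUENCE)")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_from_json(doc: str, path: str) -> str:
    """Extract the field at dotted 'path' (e.g. 'ssl.server_ca_cert') from a JSON document and normalize it."""
    node = json.loads(doc)
    for key in path.split("."):
        node = node[key]
    return normalize_pem(node)


# Constructed sample: the JSON as the console prints it. The body 'MAMCAQU=' is a five-byte
# DER SEQUENCE standing in for a certificate; it is not a real certificate.
SAMPLE_JSON = '{"ssl": {"server_ca_cert": "-----BEGIN CERTIFICATE-----\\nMAMCAQU=\\n-----END CERTIFICATE-----"}}'
```

When the console text is pasted raw instead of being parsed as JSON, normalize_pem alone is enough, because it also converts the literal backslash-n pairs.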

ssh-keygen and openssl gives two different public keys

Is it possible that ssh-keygen & openssl can generate two different public keys from the same private key? The command ssh-keygen -y -f ./my.key gives (contents after ssh-rsa on the same line) a different public key from the one generated (contents between -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY-----) with the command openssl rsa -in my.key -pubout .
It's the same key but different representations. OpenSSL uses X.509 SubjectPublicKeyInfo in ASN.1, usually (including here) wrapped in PEM; OpenSSH (except 'rsa1' keys for SSHv1 which is broken and you shouldn't use) uses the XDR-like SSH wire format, in base64.
Dupe or near-dupe:
Convert pem key to ssh-rsa format
RSA Public Key format
Convert RSA public key to RSA DER
Converting an OpenSSL generated RSA public key to OpenSSH format (PHP)
How to convert RSA key to ssh-rsa
How to store/retrieve RSA public/private key (buried in the middle)
and less obvious cross-stack https://security.stackexchange.com/questions/42268/how-do-i-get-the-rsa-bit-length-with-the-pubkey-and-openssl
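An added example, not code from the answer above: the two encodings carry the same (n, e). The script parses the OpenSSH ssh-rsa line (SSH wire format: length-prefixed name, mpint e, mpint n) and re-encodes the same numbers as an X.509 SubjectPublicKeyInfo in DER, then PEM, which is what openssl rsa -pubout prints. The sample key is constructed from an arbitrary 2048-bit odd number and e = 65537 and is not a real RSA modulus; parse_ssh_rsa, rsa_spki_der and ssh_rsa_line are this example's own names.

```python
"""Re-encode an OpenSSH 'ssh-rsa' public key line as X.509 SubjectPublicKeyInfo PEM (added example)."""
import base64
import struct

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1


def _der(tag: int, body: bytes) -> bytes:
    """Minimal definite-length DER TLV encoder."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body


def _der_int(v: int) -> bytes:
    """DER INTEGER for a non-negative int (leading 0x00 if the top bit is set)."""
    raw = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _der(0x02, raw)


def parse_ssh_rsa(line: str):
    """Return (e, n) from 'ssh-rsa AAAA... comment'; rejects other key types."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1])
    fields, off = [], 0
    while off < len(blob):                       # string "ssh-rsa", mpint e, mpint n
        (n,) = struct.unpack_from(">I", blob, off)
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    e, n = (int.from_bytes(f, "big") for f in fields[1:])   # mpints are big-endian, sign-padded
    return e, n


def rsa_spki_der(e: int, n: int) -> bytes:
    """SubjectPublicKeyInfo { AlgorithmIdentifier { rsaEncryption, NULL }, BIT STRING { RSAPublicKey { n, e } } }."""
    alg = _der(0x30, _der(0x06, RSA_ENCRYPTION_OID) + _der(0x05, b""))
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, alg + _der(0x03, b"\x00" + rsa_pub))   # leading 0x00 = no unused bits


def ssh_rsa_to_spki_pem(line: str) -> str:
    """The 'BEGIN PUBLIC KEY' form of an ssh-rsa line, as openssl rsa -pubout would print it."""
    e, n = parse_ssh_rsa(line)
    b64 = base64.b64encode(rsa_spki_der(e, n)).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PUBLIC KEY-----\n" + "\n".join(lines) + "\n-----END PUBLIC KEY-----\n"


def ssh_rsa_line(e: int, n: int, comment: str = "test") -> str:
    """Build the OpenSSH wire encoding of (e, n); used here only to construct the sample key."""
    def mpint(v: int) -> bytes:
        raw = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
        if raw[0] & 0x80:
            raw = b"\x00" + raw
        return struct.pack(">I", len(raw)) + raw
    blob = struct.pack(">I", 7) + b"ssh-rsa" + mpint(e) + mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"


# Constructed sample: an arbitrary 2048-bit odd number, NOT a real RSA modulus.
SAMPLE_N = (1 << 2047) | int.from_bytes(b"example modulus, not a real key" * 8, "big") | 1
SAMPLE_E = 65537
SAMPLE_LINE = ssh_rsa_line(SAMPLE_E, SAMPLE_N, "constructed@example")
```

Two fixed prefixes make the relationship visible by eye: for any 2048-bit key with e = 65537 the ssh-rsa base64 starts with AAAAB3NzaC1yc2EAAAADAQABAAABAQ and the SPKI PEM body starts with MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA; everything after those prefixes is the modulus in both cases.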

Get private key from .pk file

I have a .pk file that should contain a private key. I cannot find any information about this file format. Is it similar to .pkcs12?
How can I retrieve the private key from this kind of file?
According to fileinfo.com, .pk is not a known certificate store file extension. Maybe you could ask the source of the file why they named it like that.
Check if it's pkcs12 file by trying to output info about the file:
openssl pkcs12 -info -in yourfile.pk
If it's pkcs12 then you can export the private key from it with the following command:
openssl pkcs12 -in yourfile.pk -nocerts -nodes -out privatekey.pem
Obviously, your file is in PEM format. You can check the file in a text editor for -----BEGIN texts to see what's inside. Can you see BEGIN ENCRYPTED PRIVATE KEY or BEGIN RSA PRIVATE KEY or BEGIN PRIVATE KEY text in the file? Are there also certificate(s) in the same file, i.e. can you see BEGIN RSA PUBLIC KEY or BEGIN PUBLIC KEY once or multiple times?
You can remove a passphrase from an RSA private key like this:
openssl rsa -in yourfile.pk -out privatekey.pem

"No DEK-Info header in block" when attempting to read encrypted private key

I'm trying to read an encrypted PKCS8 private key file. I generated the keys like this:
openssl genrsa -out file.pem -passout pass:file -aes256 1024
openssl pkcs8 -topk8 -inform pem -in file.pem -outform pem -out filePKCS8.pem
And I try reading it in Go this way:
block, _ := pem.Decode(key)
return x509.DecryptPEMBlock(block, password)
But I get an error saying:
x509: no DEK-Info header in block
However, I can't figure out what's going wrong. Am I generating the key wrong or am I using the wrong library? I see libraries specifically for reading unencrypted PKCS8 files but none for encrypted PKCS8 files specifically.
Does anyone have any idea?
Go doesn't have a function to decrypt PKCS8 keys in the standard library.
You can use this package:
https://github.com/youmark/pkcs8/blob/master/pkcs8.go#L103
A longer explanation for anyone with the same problem.
What would work
Your first command
openssl genrsa -out file.pem -passout pass:file -aes256 1024
generates a PKCS#1 private key file (file.pem):
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,1DA219DB746F88C6DDA0D852A0FD3232
AEf09rGkgGEJ79GgO4dEVsArwv4IbbODlxy95uHhfkdGYmuk6OlTpiCUE0GT68wn
KFJfBcHr8Z3VqiHGsXxM5QlKhgnfptxfbrdKErgBD5LQcrvnqmf43KeD4lGQcpiy
...
...
mAKMCwiU/GKZz8ZwQ4qGkBlVVCOFfgwmfbqguJF2l8yzM8lYI9MZ9NEwKkvEbc
-----END RSA PRIVATE KEY-----
This private key file can be parsed and decrypted by x509.DecryptPEMBlock() alright.
What would not work and why
Your second command
openssl pkcs8 -topk8 -inform pem -in file.pem -outform pem -out filePKCS8.pem
converts that file into PKCS#8 format (filePKCS8.pem).
The subcommand genpkey would directly produce a similar result:
openssl genpkey -algorithm RSA -aes256 \
-pkeyopt rsa_keygen_bits:1024 -out filePKCS8.pem
The generated filePKCS8.pem (either way) would look similar to this:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIISrTBXBgkqhkiG9w0BBQ0wSjKpBgkqhkiG9w0BBQwwHAQIKL+ordsVfqsCAggB
MAwGCCqGSIb3DQIJCQAwHQYJYIZIWAUDBAEqBBCipOAAxWkC0/zkNLNYTSMgBIIS
...
...
zfdxjZ0XmPiwED2azsLMnRrWnRj2UqMtnv9zO/ucik9za
-----END ENCRYPTED PRIVATE KEY-----
x509.DecryptPEMBlock() does not support this format. And as specified in #8860, Go's core library has no real plan to support PKCS#8 in the near future.
As mentioned by Gregory, if you want to work with it, you'll have better luck with a third-party library like github.com/youmark/pkcs8 (Documentation).
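An added example, not code from either thread, serving both the .pk question above and this DEK-Info question: before picking an openssl subcommand or a Go library it helps to establish what the file actually is. The describer below reads the PEM label, recognises the legacy Proc-Type/DEK-Info headers that x509.DecryptPEMBlock expects, and for a BEGIN ENCRYPTED PRIVATE KEY block walks the PKCS#8 EncryptedPrivateKeyInfo ASN.1 (RFC 5958, RFC 8018) to report the PBES2 KDF, iteration count and cipher OIDs that live inside the DER rather than in headers. It also spots a bare DER PKCS#12 file by its version INTEGER 3, which is the check to run on a mystery .pk file. The fixtures are constructed: the PKCS#8 one carries dummy ciphertext and cannot be decrypted, and the legacy one reuses the headers from the answer above with filler for the body. describe_key_file and the helper names are this example's own.

```python
"""Identify a private-key container: PEM label, legacy DEK-Info headers, PKCS#8 PBES2
parameters, or a DER PKCS#12 file. Added example, standard library only."""
import base64
import re

OID_PBES2 = "1.2.840.113549.1.5.13"
OID_PBKDF2 = "1.2.840.113549.1.5.12"
OID_HMAC_SHA256 = "1.2.840.113549.2.9"
OID_AES256_CBC = "2.16.840.1.101.3.4.1.42"

def _tlv(buf, off=0):
    """Decode one DER element at off; return (tag, body, next_offset)."""
    tag, n = buf[off], buf[off + 1]
    off += 2
    if n & 0x80:                                  # long-form length
        k = n & 0x7F
        n, off = int.from_bytes(buf[off:off + k], "big"), off + k
    return tag, buf[off:off + n], off + n

def _der(tag, body):
    """Encode one DER element (only used to build the fixture)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    length = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + body

def _oid_encode(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:                          # base-128, high bit means "more bytes follow"
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return bytes(out)

def _oid_decode(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def describe_key_file(data):
    text = data.decode("latin-1")
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----", text)
    if not m:                                     # not PEM: maybe a bare DER PKCS#12, SEQUENCE { INTEGER 3, ... }
        if data[:1] == b"\x30":
            _, body, _ = _tlv(data)
            vtag, vbody, _ = _tlv(body)
            if vtag == 0x02 and vbody == b"\x03":
                return {"format": "PKCS#12 (DER)", "encrypted": True}
            return {"format": "DER (not PKCS#12)", "encrypted": None}
        return {"format": "unknown", "encrypted": None}
    label = m.group(1)
    info = {"format": label, "encrypted": False}
    if "Proc-Type: 4,ENCRYPTED" in text:         # legacy OpenSSL PEM encryption: cipher and IV in headers
        dek = re.search(r"DEK-Info: ([^,\s]+)", text)
        info.update(encrypted=True, scheme="legacy PEM (DEK-Info)", cipher=dek.group(1) if dek else None)
    elif label == "ENCRYPTED PRIVATE KEY":       # PKCS#8: parameters live inside the ASN.1, no headers
        inner = text.split(m.group(0), 1)[1].split("-----END", 1)[0]
        _, epki, _ = _tlv(base64.b64decode("".join(inner.split())))
        _, alg, _ = _tlv(epki)                    # encryptionAlgorithm AlgorithmIdentifier
        _, oid, p = _tlv(alg)
        info.update(encrypted=True, scheme=_oid_decode(oid))
        if info["scheme"] == OID_PBES2:
            _, params, _ = _tlv(alg, p)           # PBES2-params { keyDerivationFunc, encryptionScheme }
            _, kdf, q = _tlv(params)
            _, enc, _ = _tlv(params, q)
            _, kdf_oid, r = _tlv(kdf)
            _, kdf_params, _ = _tlv(kdf, r)       # PBKDF2-params { salt, iterationCount, ... }
            _, _salt, s = _tlv(kdf_params)
            _, iters, _ = _tlv(kdf_params, s)
            _, enc_oid, _ = _tlv(enc)
            info.update(kdf=_oid_decode(kdf_oid), iterations=int.from_bytes(iters, "big"),
                        cipher=_oid_decode(enc_oid))
    return info

def build_encrypted_pkcs8_fixture(iterations=2048):
    """Constructed EncryptedPrivateKeyInfo: PBES2 / PBKDF2-HMAC-SHA256 / AES-256-CBC parameters around dummy ciphertext."""
    prf = _der(0x30, _der(0x06, _oid_encode(OID_HMAC_SHA256)) + _der(0x05, b""))
    kdf_params = _der(0x30, _der(0x04, b"\x00" * 8) + _der(0x02, iterations.to_bytes(2, "big")) + prf)
    kdf = _der(0x30, _der(0x06, _oid_encode(OID_PBKDF2)) + kdf_params)
    enc = _der(0x30, _der(0x06, _oid_encode(OID_AES256_CBC)) + _der(0x04, b"\x00" * 16))
    alg = _der(0x30, _der(0x06, _oid_encode(OID_PBES2)) + _der(0x30, kdf + enc))
    b64 = base64.b64encode(_der(0x30, alg + _der(0x04, b"\x11" * 32))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{body}\n-----END ENCRYPTED PRIVATE KEY-----\n".encode()

# Legacy fixture: headers as in the answer above; the base64 body is filler, not a key.
LEGACY_PEM_FIXTURE = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,1DA219DB746F88C6DDA0D852A0FD3232\n\n"
                      b"AEf09rGkgGEJ79GgO4dEVsArwv4IbbODlxy95uHhfkdGYmuk6OlTpiCUE0GT68wn\n-----END RSA PRIVATE KEY-----\n")
```

The two results explain the Go error directly: for the legacy file the cipher name and IV sit in the DEK-Info header, which is all DecryptPEMBlock knows how to read; for the PKCS#8 file there is no header at all, and the KDF, salt, iteration count and cipher are ASN.1 fields, so a PKCS#8-aware library (or openssl pkcs8) is needed to decrypt it.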

Creating RSA Private Key from PFX (PKCS #12) file

I'm trying to get a private RSA key from a pkcs #12 file.
I've tried running the standard
openssl pkcs12 -nocerts -out priv.pem -in domain.com.pfx
However this results in a key file like the one below:
Bag Attributes
Microsoft Local Key set: <No Values>
localKeyID: 01 00 00 00
friendlyName: xxxxxxxx
Microsoft CSP Name: Microsoft RSA SChannel Cryptographic Provider
Key Attributes
X509v3 Key Usage: 10
-----BEGIN ENCRYPTED PRIVATE KEY-----
The server that I need to put it into cannot handle the key file, and when I look at the example data I see a file like below
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2CF27DD60B8BB3FF
And of course the key is present in both files.
However it seems the server will only accept an RSA private key file, and it seems to me like the output I get is an X509v3 file; does anyone know how to get this into an RSA private key file?
Well - using a text editor to remove the offending lines may be easiest. Otherwise below will clean up the bag attributes:
openssl pkcs12 -in x.pfx -nocerts -nodes -passin pass:123456 | openssl rsa -out privkey.pem
and can also be used to get der/net
openssl pkcs12 -in x-fred.p12 -nocerts -nodes -passin pass: | openssl rsa -outform DER -out privkey.der
which may in fact be the format you want. It is fairly common for tools to not accept a passwordless private key though (and a lot of tools will silently fail if the number of characters is not at least 4 or 6). So in those cases change the tail end to:
.... | openssl rsa -passout pass:123456 -out privkey.pem
.... | openssl rsa -passout pass:123456 -out privkey.der -outform der
On Windows 7 64-bit, you can simply use your command. But on Mac and Linux, you should do the following steps:
1. Create your pem file:
openssl pkcs12 -in xxx.pfx -out xxx.pem
2. Create your RSA private key:
openssl pkcs12 -in xxx.pfx -passin pass:yourpassword | openssl rsa -des3 -passout pass:yourpassword -out xxx.key
This step will create the key file with the content:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,2CF27DD60B8BB3FF
3. Open your .pem and .key files in a text editor, and replace the original key
-----BEGIN ENCRYPTED PRIVATE KEY-----
in the .pem file with the RSA key in the .key file.
This works for me:
openssl pkcs12 -in "$1" \
-nocerts -nomacver \
-passin file:<(cat "$pw") \
-passout file:<(cat "$pw") |
sed -n '/^-----BEGIN ENCRYPTED PRIVATE KEY-----/,/^-----END ENCRYPTED PRIVATE KEY-----/p'
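An added example, not code from any of the answers, showing what the "| openssl rsa" step and the sed range are doing. openssl pkcs12 -nocerts writes a PKCS#8 PrivateKeyInfo preceded by Bag Attributes lines; for an RSA key, the PKCS#1 "RSA PRIVATE KEY" body the server wants is literally the OCTET STRING inside that PKCS#8 structure, so once the key is unencrypted (-nodes) it can be unwrapped and relabelled without any cryptography. The function drops the attribute lines, checks the algorithm is rsaEncryption (EC and Ed25519 keys have no PKCS#1 form), and refuses keys that are still encrypted, which need openssl pkcs8 or openssl rsa with the passphrase. The fixture is constructed with a placeholder in place of a real RSAPrivateKey; pkcs8_rsa_to_pkcs1_pem and build_pkcs12_export_fixture are this example's own names.

```python
"""Strip 'Bag Attributes' and unwrap an unencrypted PKCS#8 RSA key into PKCS#1 PEM (added example, stdlib only)."""
import base64
import re

RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")   # AlgorithmIdentifier { rsaEncryption, NULL }
BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def _der_len(buf: bytes, off: int):
    """Read a DER length whose first byte is at off; return (length, offset of the content)."""
    n = buf[off]
    if n < 0x80:
        return n, off + 1
    k = n & 0x7F
    return int.from_bytes(buf[off + 1:off + 1 + k], "big"), off + 1 + k


def _der_len_bytes(n: int) -> bytes:
    """Encode a DER length (used only to build the fixture)."""
    if n < 0x80:
        return bytes([n])
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(length)]) + length


def _pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n" + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64)) + f"\n-----END {label}-----\n"


def pkcs8_rsa_to_pkcs1_pem(text: str) -> str:
    """Take `openssl pkcs12 -nocerts -nodes` output and return a 'BEGIN RSA PRIVATE KEY' PEM."""
    m = BLOCK_RE.search(text)                     # skips the Bag Attributes / Key Attributes lines
    if not m:
        raise ValueError("no PEM block found")
    label = m.group(1)
    if label == "ENCRYPTED PRIVATE KEY":
        raise ValueError("PKCS#8 is still encrypted; export with -nodes or decrypt with openssl pkcs8 first")
    if "Proc-Type:" in m.group(2):
        raise ValueError("legacy-encrypted PEM; decrypt with openssl rsa first")
    der = base64.b64decode("".join(m.group(2).split()))
    if label == "RSA PRIVATE KEY":                # already PKCS#1; only the attribute lines needed removing
        return _pem(label, der)
    if label != "PRIVATE KEY":
        raise ValueError(f"unexpected block: {label}")
    # PrivateKeyInfo ::= SEQUENCE { version INTEGER 0, privateKeyAlgorithm, privateKey OCTET STRING }
    if der[0] != 0x30:
        raise ValueError("not DER")
    _, off = _der_len(der, 1)
    if der[off:off + 3] != b"\x02\x01\x00":
        raise ValueError("unsupported PrivateKeyInfo version")
    off += 3
    if der[off:off + len(RSA_ALG_ID)] != RSA_ALG_ID:
        raise ValueError("not an rsaEncryption key (EC and Ed25519 keys have no PKCS#1 'RSA PRIVATE KEY' form)")
    off += len(RSA_ALG_ID)
    if der[off] != 0x04:
        raise ValueError("expected privateKey OCTET STRING")
    n, start = _der_len(der, off + 1)
    return _pem("RSA PRIVATE KEY", der[start:start + n])   # the OCTET STRING content is the PKCS#1 RSAPrivateKey


def build_pkcs12_export_fixture(rsa_private_key: bytes) -> str:
    """Constructed imitation of `openssl pkcs12 -nocerts -nodes` output: attribute lines plus the
    given RSAPrivateKey bytes wrapped in an unencrypted PKCS#8 PrivateKeyInfo."""
    octets = b"\x04" + _der_len_bytes(len(rsa_private_key)) + rsa_private_key
    inner = b"\x02\x01\x00" + RSA_ALG_ID + octets
    der = b"\x30" + _der_len_bytes(len(inner)) + inner
    return ("Bag Attributes\n    localKeyID: 01 00 00 00\n    friendlyName: constructed\n"
            "Key Attributes\n    X509v3 Key Usage: 10\n" + _pem("PRIVATE KEY", der))


# Constructed placeholder in the position of a PKCS#1 RSAPrivateKey: a SEQUENCE of three small INTEGERs, not a key.
PLACEHOLDER_RSA_PRIVATE_KEY = bytes.fromhex("3009020100020103020105")
```

Because the unwrapping is a pure re-framing, the output of this function for a real exported key is byte-for-byte what "openssl rsa" prints for the same input (before any -passout encryption), which is also why "openssl rsa -outform DER" on it simply yields the inner OCTET STRING.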
