@mingfang
Last active October 2, 2024 14:21
Convert id_rsa to pem file
openssl rsa -in ~/.ssh/id_rsa -outform pem > id_rsa.pem
chmod 600 id_rsa.pem
@paxan

paxan commented Oct 3, 2017

should be chmod 600 id_rsa.pem

@HighwayofLife

An rsa id_rsa key is exactly the same format as the output indicated here. So this ultimately does nothing other than duplicate the file and append a .pem extension.

@etiago

etiago commented Mar 11, 2018

☝️ inclined to agree @HighwayofLife , this does nothing to the file format... although had an interesting side effect for me: it decrypted the file as my id_rsa was originally password-protected.

@adriaandotcom

And if you need the public key as a pem use this

ssh-keygen -f ~/.ssh/id_rsa.pub -m 'PEM' -e > public.pem
chmod 600 public.pem

@coolaj86

I had to read through the source and I built a solution in JavaScript, of all things.

So if you install https://nodejs.org you can get ssh-to-jwk, jwk-to-ssh, rasha, and eckles which, between the four, will convert it any which way:

npm install -g ssh-to-jwk jwk-to-ssh rasha eckles

RSA

ssh-to-jwk ~/.ssh/id_rsa > privkey.jwk.json
rasha privkey.jwk.json pkcs8 > privkey.pem
chmod 0600 privkey.pem
rasha privkey.pem jwk > privkey.jwk.json
jwk-to-ssh privkey.jwk.json root@localhost > id_rsa
chmod 0600 id_rsa

ECDSA

ssh-to-jwk ~/.ssh/id_ecdsa > privkey.jwk.json
eckles privkey.jwk.json pkcs8 > privkey.pem
chmod 0600 privkey.pem
eckles privkey.pem jwk > privkey.jwk.json
jwk-to-ssh privkey.jwk.json root@localhost > id_ecdsa
chmod 0600 id_ecdsa

Docs and such:

@coolaj86

@etiago @HighwayofLife OpenSSH has its own Private Key format.

@giacomo-m

Hi, running openssl rsa -in ~/.ssh/id_rsa -outform pem > id_rsa.pem I get this error:

unable to load Private Key
140735944156104:error:0906D06C:PEM routines:PEM_read_bio:no start line:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/pem/pem_lib.c:704:Expecting: ANY PRIVATE KEY

can you help me?

Thanks.

@kollaesch

@giacomo-m
Apple uses a different openssl-"package". In general it's recommended to install openssl on macOS via @brew-package. (formerly homebrew)
The apple-package is missing some functionality. That seems to be the case here.

@243826

243826 commented Jan 10, 2019

@kollaesch doesn't seem to be the case. I still got:

@macbook:~/work$ openssl dsa -in id_dsa -outform pem
read DSA key
unable to load Private Key
140736256754632:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:697:Expecting: ANY PRIVATE KEY
unable to load Key

@sauravexodus

@kollaes

Hi, running openssl rsa -in ~/.ssh/id_rsa -outform pem > id_rsa.pem I get this error:

unable to load Private Key
140735944156104:error:0906D06C:PEM routines:PEM_read_bio:no start line:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/pem/pem_lib.c:704:Expecting: ANY PRIVATE KEY

can you help me?

Thanks.

Can you try generating the private key using ssh-keygen?

@kythanh

kythanh commented Mar 19, 2019

I had the same problem and fixed it by adding -m PEM when generating keys.

So the gen key command looks like:

ssh-keygen -t rsa -b 4096 -m PEM

Then you can get pem from your rsa private key.

openssl rsa -in id_rsa -outform pem > id_rsa.pem

@kollaesch doesn't seem to be the case. I still got:

@macbook:~/work$ openssl dsa -in id_dsa -outform pem
read DSA key
unable to load Private Key
140736256754632:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:697:Expecting: ANY PRIVATE KEY
unable to load Key

@Khrol

Khrol commented Mar 19, 2019

Expecting: ANY PRIVATE KEY

I have this error only with 4096-bit key. Looks like it's the problem.

@KevinJCross

Yup, I've got this same problem with a 4k key too.

@jgamblin

@joaquinclearmetal

unable to load Private Key
140149128779416:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: ANY PRIVATE KEY

On both macOS and Ubuntu 16. I don't want to gen a new key, as I have the pub key installed on several servers.

@andreif

andreif commented Aug 12, 2019

For private keys in OpenSSH format that use passphrase, you can convert them to PEM format using

ssh-keygen -f my-rsa-key -m pem -p

Note: when it was missing -p argument I got Expecting: ANY PRIVATE KEY error.

@bnabriss

bnabriss commented Sep 8, 2019

For private keys in OpenSSH format that use passphrase, you can convert them to PEM format using

ssh-keygen -f my-rsa-key -m pem -p

Note: when it was missing -p argument I got Expecting: ANY PRIVATE KEY error.

Thanks, after hours of searching this is the one that works for me.
I used this for SFTP with PhpStorm.

@jonathanmv

Please bear in mind that ssh-keygen -f my-rsa-key -m pem -p will modify your existing file. In this case my-rsa-key

@gabmontes

@kythanh solution worked for me!

@xtealer

xtealer commented May 3, 2020

I had the same problem and fixed it by adding -m PEM when generating keys.

So the gen key command looks like:

ssh-keygen -t rsa -b 4096 -m PEM

Then you can get pem from your rsa private key.

openssl rsa -in id_rsa -outform pem > id_rsa.pem

@kollaesch doesn't seem to be the case. I still got:

@macbook:~/work$ openssl dsa -in id_dsa -outform pem
read DSA key
unable to load Private Key
140736256754632:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:697:Expecting: ANY PRIVATE KEY
unable to load Key

This worked for me.

@robvanderleek

FWIW, this worked for me on macOS 10.15.5 to convert (in-place, will modify original file!) a private key file id_rsa to the PEM format:

$ ssh-keygen -p -m PEM -f ./id_rsa

@thayshiva

I had the same problem and fixed it by adding -m PEM when generating keys.

So the gen key command looks like:

ssh-keygen -t rsa -b 4096 -m PEM

Then you can get pem from your rsa private key.

openssl rsa -in id_rsa -outform pem > id_rsa.pem

@kollaesch doesn't seem to be the case. I still got:

@macbook:~/work$ openssl dsa -in id_dsa -outform pem
read DSA key
unable to load Private Key
140736256754632:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:697:Expecting: ANY PRIVATE KEY
unable to load Key

Thanks, this worked for me as well.

@kadircs

kadircs commented Feb 16, 2021

This worked!!! But as others said, your private key is overwritten.

For private keys in OpenSSH format that use passphrase, you can convert them to PEM format using

ssh-keygen -f my-rsa-key -m pem -p

Note: when it was missing -p argument I got Expecting: ANY PRIVATE KEY error.

@dzmitry-lahoda

@coolaj86 tried to run on Windows, got errors (rsa -> jwt json)

C:\Users\dz\.ssh> ssh-to-jwk id_rsa
C:\Users\dz\AppData\Roaming\npm\node_modules\ssh-to-jwk\lib\ssh-parser.js:135
    len = dv.getUint32(index, false);
             ^

RangeError: Offset is outside the bounds of the DataView
    at DataView.getUint32 (<anonymous>)
    at Object.SSH.parseElements (C:\Users\dz\AppData\Roaming\npm\node_modules\ssh-to-jwk\lib\ssh-parser.js:135:14)
    at Object.SSH.parse (C:\Users\dz\AppData\Roaming\npm\node_modules\ssh-to-jwk\lib\ssh-parser.js:23:24)
    at Object.<anonymous> (C:\Users\dz\AppData\Roaming\npm\node_modules\ssh-to-jwk\bin\ssh-to-jwk.js:26:16)
    at Module._compile (internal/modules/cjs/loader.js:1063:30)
    at Object.Module._extensions..js (internal/modules/cjs/loader.js:1092:10)
    at Module.load (internal/modules/cjs/loader.js:928:32)
    at Function.Module._load (internal/modules/cjs/loader.js:769:14)
    at Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:72:12)
    at internal/main/run_main_module.js:17:47

@mattiacantalu

I had the same problem and fixed it by adding -m PEM when generating keys.

So the gen key command looks like:

ssh-keygen -t rsa -b 4096 -m PEM

Then you can get pem from your rsa private key.

openssl rsa -in id_rsa -outform pem > id_rsa.pem

@kollaesch doesn't seem to be the case. I still got:

@macbook:~/work$ openssl dsa -in id_dsa -outform pem
read DSA key
unable to load Private Key
140736256754632:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:697:Expecting: ANY PRIVATE KEY
unable to load Key

Worked for me too. Thanks man!

@tarcisiomiranda

Just run this

ssh-keygen -f ~/.ssh/id_rsa.pub -e -m pem > ~/.ssh/id_rsa.pub.pem

@linuxtim

Some of the examples above contain insecure use of chmod.
In general to create a file securely, always set the umask first! e.g.

$ rm -f examplefile ; ( umask 0077 && echo "" > examplefile ) ; ls -l examplefile
-rw------- 1 tim tim 1 Feb 26 13:55 examplefile
$  rm -f examplefile ; ( umask 0377 && echo "" > examplefile ) ; ls -l examplefile
-r-------- 1 tim tim 1 Feb 26 13:55 examplefile

...if you don't do that, then your file creation is subject to a race condition, and can be maliciously read between you creating it, and chmodding it...
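
An added example, not part of the gist or of any comment in this thread, that combines three points raised above: the key file's header line tells you whether it is in OpenSSH's own format or already PEM, ssh-keygen -p rewrites the file it is given, and the umask has to be set before the output file is created. The function names key_format and convert_to_pem_copy are hypothetical.

```sh
#!/bin/sh
# Added example: function names are hypothetical, not from the gist.

# Classify a private key file by its first line (the armor header).
key_format() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")   echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----")       echo pem-pkcs1 ;;
        "-----BEGIN EC PRIVATE KEY-----")        echo pem-sec1 ;;
        "-----BEGIN DSA PRIVATE KEY-----")       echo pem-dsa ;;
        "-----BEGIN PRIVATE KEY-----")           echo pem-pkcs8 ;;
        "-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pem-pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# convert_to_pem_copy SRC DST [ssh-keygen options...]
# Writes a PEM version of SRC to the new file DST and leaves SRC untouched.
# Extra options are passed to ssh-keygen; with none it prompts for the
# passphrase, which keeps it out of the process list and shell history.
convert_to_pem_copy() {
    src=$1
    dst=$2
    shift 2
    if [ -e "$dst" ]; then
        echo "refusing to overwrite $dst" >&2
        return 1
    fi
    # The umask is applied when the file is created, so there is no window
    # in which the copy is readable by others before a later chmod.
    ( umask 077 && cat "$src" > "$dst" ) || return 1
    if [ "$(key_format "$dst")" = openssh ]; then
        # -p rewrites the file named by -f in place, so point it at the copy.
        # If the result is still in OpenSSH format (ssh-keygen cannot write
        # every key type as PEM), fail instead of keeping a mislabeled file.
        ssh-keygen -p -m PEM -f "$dst" "$@" >/dev/null &&
            [ "$(key_format "$dst")" != openssh ] ||
            { rm -f "$dst"; return 1; }
    fi
}
```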

@andreif

andreif commented Feb 26, 2024

Huh, TIL! Thanks @linuxtim!
