I am attempting to create a public/private key pair using ssh-keygen. I need the key to be in PKCS1 format so that it states "BEGIN RSA PRIVATE KEY". No matter what I try, it appears to only create it in PKCS8 format. Any thoughts on what the issue could be?

I am running the following command:

    ssh-keygen -m PEM -t rsa -b 2048

From my understanding specifying the -m PEM format should create it in PKCS1 format. I am expecting the header of the key to state

    -----BEGIN RSA PRIVATE KEY-----

but instead it states

    -----BEGIN PRIVATE KEY-----

This leads me to believe it is in PKCS8 format. Any thoughts on how to fix this? I am using openssh version 7.4p1.

IT_User
  • Should you generate the keypair using OpenSSL? – Tero Kilkanen Aug 31 '20 at 17:24
  • @TeroKilkanen when I run a "yum whatprovides ssh-keygen" it states it is provided by openssh-7.4p1-13.el7_4.x86_64 – IT_User Aug 31 '20 at 17:28
  • Yes, that is SSH. OpenSSL is the usual tool to generate RSA and other keypairs. Is there a reason not to use OpenSSL? – Tero Kilkanen Aug 31 '20 at 17:32
  • @TeroKilkanen not that I am aware of, just how the system is set up. Should I just be able to install a compatible openssl and overwrite the ssh-keygen executable that gets called with the one provided by the openssl rpm? – IT_User Aug 31 '20 at 17:34
  • Without further details on the surrounding system I cannot give any answers. – Tero Kilkanen Aug 31 '20 at 17:44

2 Answers

Stop using the option -m PEM. Just generate the key normally.

Michael Hampton
  • I did this and same result. – IT_User Aug 31 '20 at 16:47
  • @Azifor Are you sure about that? Every time I do it, I get `-----BEGIN RSA PRIVATE KEY-----`. – Michael Hampton Aug 31 '20 at 16:49
  • Ran this command "ssh-keygen -t rsa -b 2048 -f test3". And the header states "head -1 test3" -----BEGIN PRIVATE KEY----- Not sure how to format inside of comments but I copy/pasted those commands from the system. – IT_User Aug 31 '20 at 16:50
  • @IT_User Are you sure you're using openssh? In any case, the key should be usable as it is. If not, you should specify what you are trying to do with it. – Michael Hampton Aug 31 '20 at 16:52
  • Some application expects the key to state "BEGIN RSA PRIVATE KEY" so it is not usable. They require the pkcs1 format. From what I can tell I am. I see that ssh-keygen is provided by openssh-7.4p1-13.el7_4.x86_64 (yum whatprovides) – IT_User Aug 31 '20 at 16:54
  • @IT_User OK, then edit the file and put the word `RSA` in it yourself. Make sure to do it at the end too. – Michael Hampton Aug 31 '20 at 16:55

Make sure your ssh-keygen supports -m and try using a lowercase format value, e.g. -m pem.

For example,

    $ ssh-keygen -b 2048 -t rsa -m pem -f /tmp/pem_rsa -N "" 2>/dev/null 1>/dev/null && head -n2 /tmp/pem_rsa
    -----BEGIN RSA PRIVATE KEY-----
    MIIEowIBAAKCAQEA1WLQy9mF43mVJTaTJq8e/aGs5HNMxHYx2wFra5tdMfEk3Li7

    $ ssh-keygen -b 2048 -t rsa -m pkcs8 -f /tmp/pkcs8_rsa -N "" 2>/dev/null 1>/dev/null && head -n2 /tmp/pkcs8_rsa
    -----BEGIN PRIVATE KEY-----
    MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDLX2+JYL4Rf+JT

mforsetti
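An added example (not from either answer, and not OpenSSH code) that tells PKCS#1 from PKCS#8 by the DER structure of the key body and reports whether the PEM header agrees with it. The function names are hypothetical, the two sample bodies are the truncated first lines printed in the answer above, and the relabelled sample is constructed.

```python
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

# First body line of each key shown in the answer above (truncated on the page).
PAGE_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
            "MIIEowIBAAKCAQEA1WLQy9mF43mVJTaTJq8e/aGs5HNMxHYx2wFra5tdMfEk3Li7\n")
PAGE_PKCS8 = ("-----BEGIN PRIVATE KEY-----\n"
              "MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDLX2+JYL4Rf+JT\n")
# Constructed: the PKCS#8 body with only the header text changed.
RELABELLED = PAGE_PKCS8.replace("BEGIN PRIVATE", "BEGIN RSA PRIVATE")

def read_header(der, pos):
    """Return (tag, offset of the content) for the DER element at pos."""
    tag, first = der[pos], der[pos + 1]
    pos += 2
    if first & 0x80:                 # long-form length: skip the length octets
        pos += first & 0x7F
    return tag, pos

def classify_der(der):
    """Classify an unencrypted private key by its leading DER fields."""
    if len(der) < 24 or der[0] != 0x30:          # outer SEQUENCE expected
        return "unknown"
    _, pos = read_header(der, 0)
    if der[pos:pos + 3] != b"\x02\x01\x00":      # INTEGER version = 0
        return "unknown"
    nxt = der[pos + 3]
    if nxt == 0x02:                  # INTEGER modulus follows: PKCS#1 RSAPrivateKey
        return "pkcs1"
    if nxt == 0x30:                  # AlgorithmIdentifier follows: PKCS#8 PrivateKeyInfo
        _, oid = read_header(der, pos + 3)
        return "pkcs8-rsa" if der[oid:oid + len(RSA_OID)] == RSA_OID else "pkcs8-other"
    return "unknown"

def check_pem(text):
    """Return (label, structure, header_matches_body) for the first PEM block."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)(?:-----END|\Z)", text, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), "".join(m.group(2).split())
    body = body[: len(body) // 4 * 4]            # tolerate a truncated sample
    structure = classify_der(base64.b64decode(body))
    expected = {"RSA PRIVATE KEY": "pkcs1", "PRIVATE KEY": "pkcs8"}.get(label, "")
    return label, structure, bool(expected) and structure.startswith(expected)

if __name__ == "__main__":
    for sample in (PAGE_PEM, PAGE_PKCS8, RELABELLED):
        print(check_pem(sample))
```

The same check works on a full key file by passing its contents to `check_pem`; only the first few bytes of the body are inspected.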