
The ssh-keygen command generates .pub files which it describes as "public key files", but they are a totally different format to most "public key files" I've usually seen, which are in PEM format. The ssh-keygen-style files look like this:

ssh-rsa AAAAB3NzaC1... user@host

... whereas the PEM files look like this:

-----BEGIN CERTIFICATE-----
MIIGZjCCBU6gAwIBAgIDCIrNMA0GCSqGSIb3DQEBBQUAMIGMMQsw...
-----END CERTIFICATE-----

Are these two formats interchangeable, or are they performing a fundamentally different purpose? I came across this problem because I wanted to get the RSA2 key fingerprint of my PEM-encoded public key file, but the method usually suggested to do it (ssh-keygen -l) says that my PEM-encoded file "is not a public key file".

By the way, I'm aware of this answer, but it doesn't cover the .pub files generated by ssh-keygen.

  • Well, an SSH public key is not the same as a certificate in PEM format. Have you looked at this? serverfault.com/questions/114301/… Commented Dec 28, 2012 at 20:31
  • It is important to be particular here, that you are probably looking at OpenSSH, and not the less common SSH.COM, or other implementations. A standard PEM-encoded public key is actually valid for some less common implementations. I know a VMS box I connect to requires a PEM file. Commented Dec 28, 2012 at 20:33
  • @cjc, Right, it isn't a certificate, but it also isn't even the same as what you get by running openssl rsa -in privatekey_rsa -pubout, which actually is a public key, and not a certificate. Commented Dec 28, 2012 at 20:42

1 Answer

OpenSSH key pairs are not PEM or any other X.500 standard. New versions of OpenSSH can use X.509 PEM keys, but that's another ball of wax separate from ssh-keygen, and has to be configured explicitly. As best I know, no major implementation of SSH uses the exact same key formats as any other.

As Zoredache notes, if you're using something other than OpenSSH (God help you), then it could be darn near anything.

  • Yes, indeed, I had confused SSH and SSL! My OpenSSH daemon was in fact using a .pub file on my server, at /etc/ssh/ssh_host_rsa_key.pub and was not using any of the SSL certificate authority architecture. When I ran ssh-keygen -l on that file, it gave me the server's RSA2 key fingerprint. Commented Dec 28, 2012 at 20:52
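As an added illustration of the two formats the question and the answer above compare (this is editor-added example code, not ssh-keygen's or OpenSSL's own implementation): the script below builds an OpenSSH "ssh-rsa" line from a constructed toy key, parses it back field by field, computes the fingerprints that ssh-keygen -l derives from exactly those bytes, and then encodes the same key as the PKCS#1 and SubjectPublicKeyInfo DER that "-----BEGIN RSA PUBLIC KEY-----" and "-----BEGIN PUBLIC KEY-----" PEM files wrap. The modulus (a product of two Mersenne primes), the exponent 65537 and the comment user@host are all constructed for the demo and are not a key from the original post.

```python
import base64
import hashlib
import struct

# ---- OpenSSH wire encoding (RFC 4251 "string" and "mpint"; RFC 4253 ssh-rsa layout) ----

def ssh_string(data: bytes) -> bytes:
    """uint32 big-endian length followed by the bytes themselves."""
    return struct.pack(">I", len(data)) + data

def _positive_be(n: int) -> bytes:
    """Big-endian bytes of a non-negative int, with a leading 0x00 when the top bit is set.
    SSH mpint and DER INTEGER share this two's-complement rule."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big")

def ssh_mpint(n: int) -> bytes:
    return ssh_string(_positive_be(n))

def make_openssh_pubkey_line(e: int, n: int, comment: str) -> str:
    """The one-line 'ssh-rsa <base64 blob> comment' form. Blob field order is e, then n."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_openssh_pubkey(line: str) -> dict:
    """Decode 'type base64 [comment]'. Anything else (a PEM file included) raises ValueError,
    which is the situation behind ssh-keygen -l's 'is not a public key file'."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("is not a public key file")
    keytype, b64 = parts[0], parts[1]
    blob = base64.b64decode(b64, validate=True)  # binascii.Error (a ValueError) on junk
    fields, off = [], 0
    while off < len(blob):
        if off + 4 > len(blob):
            raise ValueError("truncated length field")
        (length,) = struct.unpack_from(">I", blob, off)
        off += 4
        if off + length > len(blob):
            raise ValueError("truncated string field")
        fields.append(blob[off:off + length])
        off += length
    if not fields or fields[0] != keytype.encode():
        raise ValueError("is not a public key file")
    key = {"type": keytype, "blob": blob, "comment": parts[2].strip() if len(parts) > 2 else ""}
    if keytype == "ssh-rsa":
        if len(fields) != 3:
            raise ValueError("malformed ssh-rsa blob")
        key["e"] = int.from_bytes(fields[1], "big")
        key["n"] = int.from_bytes(fields[2], "big")
    return key

def looks_like_openssh_pubkey(text: str) -> bool:
    try:
        parse_openssh_pubkey(text)
        return True
    except ValueError:
        return False

# ---- Fingerprints: hashes of the raw blob, the same bytes ssh-keygen -l hashes ----

def fingerprint_sha256(blob: bytes) -> str:
    """Current ssh-keygen -l output: SHA256 of the blob, base64 without '=' padding."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

def fingerprint_md5(blob: bytes) -> str:
    """The older colon-separated hex form (ssh-keygen -l -E md5 on current versions)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())

# ---- The same key as DER, which is what the PEM "public key" files actually wrap ----

def der_tlv(tag: int, body: bytes) -> bytes:
    if len(body) < 0x80:
        length = bytes([len(body)])
    else:
        lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def rsa_public_key_der(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }.
    Note the order is n, e; OpenSSH's blob is e, n."""
    return der_tlv(0x30, der_tlv(0x02, _positive_be(n)) + der_tlv(0x02, _positive_be(e)))

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1

def subject_public_key_info_der(n: int, e: int) -> bytes:
    """X.509 SubjectPublicKeyInfo: AlgorithmIdentifier{rsaEncryption, NULL} plus a BIT STRING
    holding the PKCS#1 structure. 'openssl rsa -pubout' emits this as '-----BEGIN PUBLIC KEY-----'."""
    alg = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
    bits = der_tlv(0x03, b"\x00" + rsa_public_key_der(n, e))  # leading 0x00 = no unused bits
    return der_tlv(0x30, alg + bits)

def to_pem(label: str, der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed toy key for the demo: two Mersenne primes give a genuine RSA modulus with the
# same structure as a 2048-bit one, but far too small to use for anything real.
P, Q = 2**127 - 1, 2**107 - 1
N, E = P * Q, 65537
KEY_LINE = make_openssh_pubkey_line(E, N, "user@host")  # placeholder comment
SPKI_PEM = to_pem("PUBLIC KEY", subject_public_key_info_der(N, E))
PKCS1_PEM = to_pem("RSA PUBLIC KEY", rsa_public_key_der(N, E))

if __name__ == "__main__":
    key = parse_openssh_pubkey(KEY_LINE)
    print(KEY_LINE)
    print(fingerprint_sha256(key["blob"]))
    print(fingerprint_md5(key["blob"]))
    print(SPKI_PEM, end="")
    print("PEM text parses as an OpenSSH public key?", looks_like_openssh_pubkey(SPKI_PEM))
    # Same key, different bytes: hashing the DER would give an unrelated "fingerprint".
    print(fingerprint_sha256(subject_public_key_info_der(N, E)))
```

The point the script makes concrete is that the fingerprint is a hash of the base64 blob after the key type, so a PEM file, which carries DER in a different container with the fields in a different order, gives ssh-keygen -l nothing to hash until it is converted. On current OpenSSH the conversions done by hand above are `ssh-keygen -i -m PKCS8 -f key.pem` (PEM public key in, OpenSSH line out) and `ssh-keygen -e -m PKCS8 -f key.pub` for the reverse; `ssh-keygen -l -f key.pub` prints the SHA256 form and `-E md5` the older hex form. Check ssh-keygen(1) for the version you have, since the 2012-era builds discussed above print only the MD5 form.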
