Key To Pem Openssl


OpenSSH to OpenSSL

  1. Openssl Binary Key To Pem
  2. Public Key To Pem Openssl
  3. Convert Rsa Key To Pem Openssl

Alice $ openssl genrsa -aes128 -out aliceprivate.pem 1024

This command uses OpenSSL's genrsa command to generate a 1024-bit public/private key pair. This is possible because the RSA algorithm is asymmetric.

$ openssl x509 -in hostname.crt -inform DER -out hostname.crt.pem -outform PEM
$ openssl rsa -in hostname.key -out hostname.key.pem -outform PEM

Then to create the .pem I usually just concat the two together, with the PEM formatted certificate first and the key second.

So the first issue is that (according to the man pages for OpenSSL (man 3 pem)), OpenSSL is expecting the RSA key to be in PKCS#1 format. Clearly this isn't what ssh-keygen is working with. You have two options (from searching around). If you have OpenSSH v.

Openssl extract key from pem

OpenSSH private keys are directly understandable by OpenSSL. You can test for example:

You can also convert them to PEM format easily (notice that the format for SSH private keys and PEM is very close):

So, you can directly use it to create a certification request:

You can also use your ssh key to create a self-signed certificate:

Notice: I have not found how to manipulate an ssh public key with OpenSSL.
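The OpenSSH to OpenSSL steps above as one script, added here as an example that is not part of the original page. It goes one step beyond the text and converts the certificate's public key back to OpenSSH form with `ssh-keygen -i -m PKCS8`, then compares it with the key it started from. It assumes `ssh-keygen` and `openssl` are installed and writes the key with `-m PEM`, because recent ssh-keygen releases default to their own `BEGIN OPENSSH PRIVATE KEY` container, which OpenSSL does not read; the function names, file names and the `example.test` subject are made up for the example.

```shell
#!/bin/sh
# Added example: file names and the CN are constructed for illustration.

# True if the key file uses a PEM label that OpenSSL parses. The OpenSSH-native
# "BEGIN OPENSSH PRIVATE KEY" container is rejected.
is_openssl_readable() {
    head -n 1 "$1" |
        grep -Eq '^-----BEGIN (RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----$'
}

# Second field (base64 key blob) of an OpenSSH public key line on stdin.
ssh_blob() { awk '{ print $2; exit }'; }

# Generate an SSH key in DIR, reuse it for a CSR and a self-signed certificate,
# then check the certificate's public key converts back to the same SSH key.
ssh_key_to_cert_roundtrip() {
    dir=$1
    # -m PEM requests the traditional PEM container instead of the native one.
    ssh-keygen -q -t rsa -b 2048 -m PEM -N '' -f "$dir/id_rsa" || return 1
    is_openssl_readable "$dir/id_rsa" || return 1
    openssl rsa -in "$dir/id_rsa" -check -noout >/dev/null 2>&1 || return 1

    openssl req -new -key "$dir/id_rsa" -subj "/CN=example.test" \
        -out "$dir/id_rsa.csr" || return 1
    openssl req -x509 -new -key "$dir/id_rsa" -subj "/CN=example.test" \
        -days 30 -out "$dir/id_rsa.crt" || return 1

    # Certificate -> SubjectPublicKeyInfo PEM -> OpenSSH public key line.
    openssl x509 -in "$dir/id_rsa.crt" -pubkey -noout > "$dir/pub.pem" || return 1
    from_cert=$(ssh-keygen -i -m PKCS8 -f "$dir/pub.pem" | ssh_blob)
    from_key=$(ssh-keygen -y -f "$dir/id_rsa" | ssh_blob)
    [ -n "$from_cert" ] && [ "$from_cert" = "$from_key" ]
}

work=$(mktemp -d) || exit 1
if ssh_key_to_cert_roundtrip "$work"; then
    echo "certificate and SSH public keys match"
fi
rm -rf "$work"
```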

OpenSSL to OpenSSH

The private key format is the same between OpenSSL and OpenSSH, so you just have to rename your OpenSSL key:

In OpenSSL, there is no specific file for the public key (public keys are generally embedded in certificates). However, you can extract the public key from the private key file:

GnuPG to OpenSSH

First, you need to know the fingerprint of your RSA key. You can use:

Next, you can use the openpgp2ssh tool distributed with the monkeysphere project:

A few notes are necessary:

  • 01234567 must be the fingerprint of an RSA key (or subkey)
  • gpg --export-secret-keys also accepts the fingerprint of the global key (in this case, it exports all sub-keys). However, openpgp2ssh only accepts the fingerprint of an RSA key
  • If no arguments are provided, openpgp2ssh exports the RSA keys it finds

You can now extract the ssh public key using:

GnuPG to OpenSSL

We already saw all the steps. Extract the key as for ssh:

You can convert this key to PEM format:

You can create a certification request:

You can create a self-signed certificate:


The gpgsm utility can export keys and certificates in PKCS12:

You have to extract the key and certificates separately:

You can now use it in OpenSSL.

You can also do a similar thing with GnuPG public keys. Only certificates will be output.



Invert process:


Now, chain processes:

We need to protect the key, otherwise ssh refuses it.

Openssl Binary Key To Pem


First we need to create a certificate (self-signed) for our ssh key:

We can now import it in GnuPG

Public Key To Pem Openssl

Notice you cannot import/export DSA ssh keys to/from GnuPG

Convert Rsa Key To Pem Openssl

This function can be used to create a private key for use by JCE in Java. For example, a private key could be generated by a PHP script and the result could be used in a Java client application.
Java requires the private key in DER format with some extra ASN.1 wrapping. The function below can be used to convert the output of openssl_pkey_export into a format suitable for input into JCE:
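    function derLength($length) {
        // DER length octets as hex: short form below 128, long form otherwise.
        if ($length < 128) return str_pad(dechex($length), 2, '0', STR_PAD_LEFT);
        $output = dechex($length);
        if (strlen($output) % 2 != 0) $output = '0'.$output;
        return dechex(128 + strlen($output)/2) . $output;
    }

    function convertPemToDer($pem) {
        $matches = array();
        if (!preg_match('~^-----BEGIN ([A-Z ]+)-----\s*?([A-Za-z0-9+=/\r\n]+)\s*?-----END \1-----\s*$~D', $pem, $matches)) {
            die('Invalid PEM format encountered.'."\n");
        }
        $derData = base64_decode(str_replace(array("\r", "\n"), array('', ''), $matches[2]));
        // A "PRIVATE KEY" PEM is already PKCS#8; wrapping it a second time would corrupt it.
        if ($matches[1] === 'PRIVATE KEY') return $derData;
        // PKCS#8 wrapper: version 0, rsaEncryption AlgorithmIdentifier, OCTET STRING header.
        $derData = pack('H*', '020100300d06092a864886f70d010101050004'.derLength(strlen($derData))) . $derData;
        // Outer SEQUENCE around the whole structure.
        $derData = pack('H*', '30'.derLength(strlen($derData))) . $derData;
        return $derData;
    }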

Example use:
    $keys = openssl_pkey_new(array('digest_alg' => 'sha1', 'private_key_type' => OPENSSL_KEYTYPE_RSA, 'private_key_bits' => 2048));
    if ($keys === false) die('Failed to generate key pair.'."\n");
    if (!openssl_pkey_export($keys, $privateKey)) die('Failed to retrieve private key.'."\n");
    $javaKey = convertPemToDer($privateKey);
    file_put_contents('key_for_java.der', $javaKey);

Exporting a public key for use with JCE is trickier, since the Java libraries require the key to be input as a byte array. In effect, the public key outputted by openssl_pkey_get_details() must be base64 decoded as above, and then parsed as ASN.1 to receive the actual key bytes (this can be done either on the PHP side or the Java side).
The following link is an invaluable resource to understanding the output from these functions:
'A Layman's Guide to a Subset of ASN.1, BER, and DER'
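
A header check for DER files such as key_for_java.der, added here as a shell example that is not part of the original note: it compares a file's first bytes with the prefix convertPemToDer() hard-codes, using a reference PKCS#8 key written by `openssl pkcs8 -topk8` and the bare PKCS#1 key extracted from it as the negative case. The function names and temporary paths are assumptions of this example, and the offset 22 holds for the 2048-bit key generated here.

```shell
#!/bin/sh
# Added example: the key is a throwaway generated at run time.

# Bytes convertPemToDer() places after the outer SEQUENCE header: version 0,
# AlgorithmIdentifier { rsaEncryption, NULL }, then the OCTET STRING tag.
PKCS8_RSA_PREFIX=020100300d06092a864886f70d010101050004

# First N bytes of FILE as lowercase hex without separators.
hex_head() { od -An -v -tx1 -N "$2" "$1" | tr -d ' \n'; }

# True if FILE starts like a DER PKCS#8 structure wrapping an RSA key.
is_pkcs8_rsa_der() {
    h=$(hex_head "$1" 32)
    case $h in
        3081*) body=${h#??????} ;;      # long form, one length byte
        3082*) body=${h#????????} ;;    # long form, two length bytes
        30[0-7]?*) body=${h#????} ;;    # short form (length < 128)
        *) return 1 ;;
    esac
    case $body in
        "$PKCS8_RSA_PREFIX"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a reference PKCS#8 DER and the bare PKCS#1 DER it wraps into DIR.
make_reference_ders() {
    dir=$1
    openssl genrsa -out "$dir/key.pem" 2048 2>/dev/null || return 1
    openssl pkcs8 -topk8 -nocrypt -in "$dir/key.pem" \
        -outform DER -out "$dir/pkcs8.der" || return 1
    # The OCTET STRING starts at offset 22: 4-byte outer header, 3-byte
    # version, 15-byte AlgorithmIdentifier. Its contents are the PKCS#1 key.
    openssl asn1parse -inform DER -in "$dir/pkcs8.der" -strparse 22 \
        -noout -out "$dir/pkcs1.der" || return 1
}

work=$(mktemp -d) || exit 1
if make_reference_ders "$work"; then
    is_pkcs8_rsa_der "$work/pkcs8.der" && echo "pkcs8.der: PKCS#8 RSA header"
    is_pkcs8_rsa_der "$work/pkcs1.der" || echo "pkcs1.der: bare PKCS#1, not wrapped"
fi
rm -rf "$work"
```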