105

I created a key pair using ssh-keygen and got the two classic id_rsa and id_rsa.pub.

I imported the public key into my AWS EC2 account.

Now I created a Windows instance, and to decrypt that instance's password, the AWS console is asking me for a .pem file. How can I get that .pem file from my two id_rsa and id_rsa.pub files?

6 Answers

106

According to this, this command can be used:

ssh-keygen -f id_rsa -e -m pem

This will convert your public key to an OpenSSL compatible format. Your private key is already in PEM format and can be used as is (as Michael Hampton stated).

Double check if AWS isn't asking for a (X.509) certificate in PEM format, which would be a different thing than your SSH keys.

fuero
57

Using ssh-keygen to export the key in the .pem format worked for me.

ssh-keygen -f id_rsa.pub -m 'PEM' -e > id_rsa.pub.pem

Then simply copy the .pem key as necessary.

Options as follows: (See man ssh-keygen)

  • -f id_rsa.pub: input file
  • -m 'PEM': output format PEM
  • -e: output to STDOUT
Matt
22

Initially, when using ssh-keygen, I could generate a public key that was compatible with AWS EC2, but had issues with creating private keys that were compatible. The following creates both public and private keys that are compatible with AWS EC2.

ssh-keygen -P "" -t rsa -b 4096 -m pem -f my-key-pair

Here's info on each parameter:

  • -P: is for passphrase. Intentionally set to empty.
  • -t: Specifies the type of key to create. AWS EC2 Key Pair requires RSA. It's my experience that this pertains to the public key that is created.
  • -b: Specifies the number of bits in the key. The supported lengths are 1024, 2048, and 4096. If you connect using SSH while using the EC2 Instance Connect API, the supported lengths are 2048 and 4096.
  • -m: Specifies a key format for key generation. Setting a format of "PEM" when generating a supported private key type will cause the key to be stored in the legacy PEM private key format. AWS EC2 Key Pairs need the legacy format.
  • -f: Specifies the output filename of the key file

Resources:

For more information on ssh-keygen, see: https://man.openbsd.org/ssh-keygen.1

AWS - EC2 Key Pairs - https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html

11

id_rsa is the file that you have to use to decrypt the Windows EC2 instance password, but just make sure that the file you copy-paste is not passphrase-protected.

I solved the problem by getting a temporarily unprotected copy of the id_rsa file with something like:

$ openssl rsa -in ~/.ssh/id_rsa -out tmp_file.pem
slm
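The answers above boil down to one check and two conversions: the EC2 "Get Windows password" dialog wants the private key in the legacy PEM format (fuero's and Matt's answers), and it must not be passphrase-protected (slm's answer). The script below is an added example and is not code from any of the answers; it classifies a private key file by its PEM header so you can see which case you are in, and converts it using the same two tools the answers use, `ssh-keygen -p -m PEM` for the new OpenSSH container format and `openssl rsa` for stripping a passphrase. It assumes `ssh-keygen` and `openssl` are installed for the conversion step; the function names (`key_format`, `to_ec2_pem`) and the header-only sample files are constructed for illustration and are not real keys.

```shell
#!/bin/sh
# Added example: classify an SSH private key file and produce a legacy-PEM,
# passphrase-free copy of it suitable for the EC2 Windows password dialog.
# Assumes ssh-keygen and openssl are on PATH for to_ec2_pem.

# key_format FILE
#   Prints one of:
#     pem-rsa            "BEGIN RSA PRIVATE KEY" with no encryption header: what EC2 wants
#     pem-rsa-encrypted  same container, but passphrase-protected (Proc-Type: 4,ENCRYPTED)
#     openssh            "BEGIN OPENSSH PRIVATE KEY": ssh-keygen's default since OpenSSH 7.8
#     pkcs8              "BEGIN PRIVATE KEY" (unencrypted PKCS#8)
#     pkcs8-encrypted    "BEGIN ENCRYPTED PRIVATE KEY"
#     unknown            anything else, e.g. a public key pasted by mistake
key_format() {
  first=$(head -n 1 "$1")
  case "$first" in
    "-----BEGIN RSA PRIVATE KEY-----")
      if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo pem-rsa-encrypted
      else
        echo pem-rsa
      fi ;;
    "-----BEGIN OPENSSH PRIVATE KEY-----")    echo openssh ;;
    "-----BEGIN PRIVATE KEY-----")            echo pkcs8 ;;
    "-----BEGIN ENCRYPTED PRIVATE KEY-----")  echo pkcs8-encrypted ;;
    *)                                        echo unknown ;;
  esac
}

# to_ec2_pem SRC DST
#   Writes a legacy-PEM, unencrypted copy of SRC to DST, leaving SRC untouched,
#   and prints DST's resulting format. Returns 0 only if DST ended up as pem-rsa.
to_ec2_pem() {
  src=$1; dst=$2
  cp "$src" "$dst" && chmod 600 "$dst" || return 1
  case "$(key_format "$dst")" in
    pem-rsa)
      ;;  # already what EC2 expects
    openssh)
      # Rewrite the container in place; -N "" sets an empty new passphrase.
      # ssh-keygen prompts for the old passphrase only if the key has one.
      ssh-keygen -p -N "" -m PEM -f "$dst" >/dev/null || return 1 ;;
    pem-rsa-encrypted|pkcs8|pkcs8-encrypted)
      # openssl rsa strips the passphrase (it prompts for it). OpenSSL 3.x
      # writes PKCS#8 unless -traditional is given; older releases reject
      # that flag, so fall back without it.
      openssl rsa -in "$src" -traditional -out "$dst" 2>/dev/null \
        || openssl rsa -in "$src" -out "$dst" || return 1 ;;
    *)
      echo "unrecognized key format: $src" >&2; return 1 ;;
  esac
  result=$(key_format "$dst")
  echo "$result"
  [ "$result" = pem-rsa ]
}

# Usage (not run here):
#   key_format ~/.ssh/id_rsa
#   to_ec2_pem ~/.ssh/id_rsa /tmp/ec2-key.pem && echo "paste /tmp/ec2-key.pem into the console"
```

The format check is deliberately based only on the PEM armor line, which is all the console looks at before it tries to parse the key; an `ssh-rsa AAAA...` line (a public key) comes back as `unknown`, which is the usual reason the dialog rejects a paste. Delete the unencrypted copy once the password has been retrieved, exactly as slm's answer implies by calling it temporary.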
0

Add your public key on your server to authorized_keys

cat .ssh/id_rsa.pub >> .ssh/authorized_keys

or you can add it manually using your text editor in your server.

Copy your private key in your server

cp .ssh/id_rsa /home/your_user/your_key.pem

Now, on your client PC, download the key from the server:

scp your_user@yourhostserver.com:/home/your_user/your_key.pem /home/your_local_user/Downloads/
0

When you launch an EC2 instance, you assign to it a key pair (or none). It cannot be changed afterwards.

Only using that .pem file from that key pair will you be able to decrypt the Windows password.

The .pem file would have been downloaded when the key pair was created. You cannot get it again. If you have lost it, you're out of luck.

You cannot use a .pem file that you generated yourself unless you imported that key into AWS before the instance was launched and assigned it to the instance.

Simply put, if you don't have the original .pem file, you cannot get the password.

Edit: after re-reading the question, I realize the OP had imported his key into AWS.

Matt Houser