153

I'm trying to create a private key and having an issue.

When I use ssh-keygen -t rsa -b 4096 -C "your_email@example.com", I get a private key in the following format.

-----BEGIN OPENSSH PRIVATE KEY-----
uTo43HGophPo5awKC8hoOz4KseENpgHDLxe5UX+amx8YrWvZCvsYRh4/wnwxijYx
...
-----END OPENSSH PRIVATE KEY-----

And this is not being accepted for an application that I'm trying to use.

I'm expecting a key in the following RSA format.

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,25737CC2C70BFABADB1B4598BD8AB9E9

uTo43HGophPo5awKC8hoOz4KseENpgHDLxe5UX+amx8YrWvZCvsYRh4/wnwxijYx
...
-----END RSA PRIVATE KEY-----

How do I create the correct format? This is weird because every other mac I have creates the correct format, except the one I'm having problem with.

I'm on a fresh installed Mac OS Mojave

Bruce Becker
  • 312
Moon
  • 2,243

3 Answers3

153

I faced the same problem recently (after upgrade to mojave 10.14.1), here are 2 possible solutions for this issue.

  • Downgrade your ssh-keygen binary (you can easily get old version from any linux/docker image)

OR

  • Add option -m PEM into your ssh-keygen command. For example, you can run ssh-keygen -m PEM -t rsa -b 4096 -C "your_email@example.com" to force ssh-keygen to export as PEM format.

It seems like in the current ssh-keygen version in mojave, the default export format is RFC4716 as mentioned here

Mark
  • 168
sayboras
  • 1,654
132

New keys with OpenSSH private key format can be converted using ssh-keygen utility to the old PEM format.

ssh-keygen -p -m PEM -f ~/.ssh/id_rsa

There is no need to downgrade to older OpenSSH just to achieve this result.

mydeardiary
  • 1,421
5

Some elaboration on the above answers to provide a clear path for both the public and private key.

You can directly export (-e) your ssh keys to a pem format:

For your public key:

cd ~/.ssh
ssh-keygen -e -m PEM -f id_rsa > id_rsa.pub.pem

For your private key:

Things are a little tricker as ssh-keygen only allows the private key file to be change 'in-situ'. (i.e. it replaces your key file with the new file).

So you can keep your old file:

Given we are just exporting the file the <new pass phrase> can be identical to your <old pass phrase> (unless you want to change the pass phrase at the same time).

cd ~/.ssh
cp id_rsa id_rsa.bak
ssh-keygen -p -P "<old pass phrase>" -N "<new pass phrase>" -m PEM -f id_rsa 
cp id_rsa id_rsa.priv.pem
cp id_rsa.bak id_rsa

NOTE: it is a bad idea to pass your pass phrase as an argument to a cli app.

The secure method is:

cd ~/.ssh
cp id_rsa id_rsa.bak
ssh-keygen -p  -m PEM -f id_rsa 
cp id_rsa id_rsa.priv.pem
cp id_rsa.bak id_rsa

With this method you will be prompted for your old and new pass phrase.

Note: after converting your private key file to a .pem the file is now in clear text, this is bad.

Brett Sutton
  • 191