How to quickly identify SSH private key file formats

pkcsprivate-keysshssh-keys

Triggered today by Remote Desktop Manager, whose SSH Key Generator offered to save a private key in OpenSSH format, but then proceeded to store it in PKCS#1 / OpenSSL format, while using the same random *.pri file extension for two of the offered formats.

I just wanted to connect to an AWS EC2 instance, but WinSCP, FileZilla and PuTTY all use different private key formats.

Feel free to offer more insight, this is just my current incomplete understanding.

Best Answer

The file extension is often either random or not enough to identify the format.

Broad categories:

PEM files with ASN.1 data, encoded with DER
PEM files with data encoded in some other format
Non-PEM formats

PEM files wrap Base64 between -----BEGIN----- and -----END----- "tags". They are also commonly used to contain both private key and SSL certificate (-chain). Use an online ASN.1 decoder to check the Base64 contents of a PEM file.

PEM Files

PKCS#1 / OpenSSL: id_rsa, *.pem, *.der, *.key, ...

-----BEGIN RSA PRIVATE KEY-----

PuTTY Key Generator calls this "OpenSSH SSH-2 private key (old PEM format)" (?). The "SSLeay" or "traditional" format, according to this answer. Base64 starts with MII.... ASN.1 content. More info.

PKCS#8: *.pem, *.der, *.key, ...

-----BEGIN PRIVATE KEY----- or -----BEGIN ENCRYPTED PRIVATE KEY-----

Base64 of the unencrypted variation starts with MII...IBADAN. ASN.1 content, basically PKCS#1 plus version info. More info.

OpenSSH: *.??? (don't know what a typical file extension would be)

-----BEGIN OPENSSH PRIVATE KEY-----

PEM on the outside, but non-ASN.1 content. Apparently a somewhat undocumented format.

Non-PEM Files

PuTTY Private Key: *.ppk

Content also contains human readable words identifying it as a putty private key.

PKCS#12 / PFX: *.p12, *.pfx

PFX is a Microsoft format, later released in cleaned-up form as PKCS#12. The content is binary, and can contain not only a private key, but also an SSL certificate (-chain).

Related Solutions

Linux – have more than 1 private key in ~/.ssh

There are a few options you can take here. In all options you would store the other key in its own file, /home/user/.ssh/id_rsa for these examples.

1) When you want to use a key other than ~/.ssh/id_rsa specify it with the -i argument ssh -i ~/.ssh/id_rsa.otherkey user@server.example.com

2) If you want to use the key multiple times in your current session, add it to your ssh-agent with ssh-add: ssh-add ~/.ssh/id_rsa.otherkey

3) If you want to set this up more permanently you can specify the keys in ~/.ssh/config along the lines of:

Host shortcut
 HostName server.example.com
 User user
 IdentityFile /home/user/.ssh/id_rsa.otherkey

Linux – WinSCP and PuttyGen fail on conversion of openSSH private key to PEM or PPK formtype on windows

I had the same issue.
Generated ssh keys using rsa, 2048 and git bash.Using PuttyKey Gen to convert failed.
I then downloaded the latest version and it worked.
Version 0.74 according to help / about.

There is new functionality even though I've been using the same format for several years. Possibly Windows Git Bash uses new openssh or a newer process.