In Keychain Access on OS X, Find matching public and private keys

keychainkeychain-accesspublic-key

I have a couple keys that seem to have been generated with the same names. I would like to know which public key match up with which private keys so I can rename/delete them. Is this something that is important (keeping around the public key) or does a public key get generated each time you request a certificate?

Best Answer

I guess you have been able to get around your problem as this is an old thread, but I am just writing a reply for any future reference.

The basic idea is to export your private and public keys, and use openssl to view their modulus. Matching private/public keys will have the same modulus.

Here is how to see the modulus of a private key:

In Keychain Access export your private key and select "Personal Information Exchange (.p12)" file format. This will create .p12 file.
Launch a terminal and use openssl to convert your .p12 file to a .pem file:
```
openssl pkcs12 -in key.p12 -out key.pem -nodes
```
Use openssl to view the modulus of the pem private key:
```
openssl rsa -in key.pem -modulus -noout
```

Here is how to see the modulus of a public key:

In Keychain Access export your public key and select "Privacy Enhanced Mail (.pem)" file format. This will create .pem file.
This .pem file is a PKCS#1 PEM file (with a header -----BEGIN RSA PUBLIC KEY-----), while openssl can only read PKCS#8 PEM (with a header -----BEGIN PUBLIC KEY-----). So open up your exported public key in TextEdit and remove the RSA bit from the header and the footer, and save the changes.
Use openssl to view the modulus of the pem public key:
```
openssl rsa -pubin -in pubkey.pem -modulus -noout
```

Please also note that in fact, you could also delete your public keys and re-create them from the private keys (that way you could be certain of your matching pairs). To create the matching public key from a private key use the following openssl command:

openssl rsa -in key.pem -pubout -out pubkey.pem

Related Solutions

Is it ok to share private key file between multiple computers/services

You should definitely have separate private keys per origin. Basically that means there should generally be a single copy of each private key (not counting backups). It's ok to use the same private key from closely related machine, in situations where breaking into one basically gives you access to the other (for example if they're in each other's shosts.equiv). Don't use the same private key on machines in different realms (e.g. home and work), never share a private key between two users, and never share a private key between a laptop and any other machine.

For the most part, I don't see the point in having different private keys for different destinations. If a private key is compromised, all other private keys stored in the same directory will surely be compromised as well, so there would be added complication for no security benefit.

If you follow these principles, each key pair identifies one (machine, user) pair, which makes authorization management easier.

I can think of two exceptions to the general rule of a single private key per origin:

If you have a passwordless key that gives access only to a specific command on a specific machine (e.g. an automated backup or notification mechanism), that key must be different from the general shell access key.
If some machines are intermittently connected, you might have an old private key alongside a new private key, until you get around to finish deploying the new key.

The difference between the .pem and .pub and non suffixed ssh credentials files

.pub file format is used by SSH for public key store, this key need to share with a Server.

.pem(Privacy Enhanced Mail) is a base64 container format for encoding keys and certificates. .pem download from AWS when you created your key-pair. This is only a one time download and you cannot download it again.

.ppk(Putty Private Key) is a windows ssh client, it does not support .pem format. Hence you have to convert it to .ppk format using PuTTyGen.

non suffixed ssh file is a private key

Convert PEM to PPK file format

puttygen server.pem -O private -o server.ppk

Create a PEM from a PPK file

puttygen server.ppk -O private-openssh -o server.pem

Best Answer

Related Solutions

Is it ok to share private key file between multiple computers/services

The difference between the .pem and .pub and non suffixed ssh credentials files

Related Question