Openssh Private Key

OpenSSL is a software library for applications that secure communications over computer networks. This article describes the precise steps to verify an OpenSSL key against a certificate.

OpenSSH's limitation on the number of private keys. The OpenSSH server has a feature (I would call it a bug) that it counts testing whether a particular key can be used for authentication as an authentication attempt. This has the consequence that if the user has more than five keys in .ssh, only some of them work. This often causes key-based.

You have an OpenSSH format key and want a PEM format key. It is not intuitive to me, but the suggested way to convert is by changing the password for the key and writing it in a different format at the same time. The command looks like this:

ssh-keygen -p -N '' -m pem -f /path/to/key

You've used ssh-keygen to create a private key file called idrsa.ppk. However, this is an OpenSSH-format private key and needs to be converted to PuTTY's own format to be used in PuTTY.



For example, suppose we have a certificate file called cert.pem and a key file called key.pem. There are two methods for validation.

  1. Verify using key and certificate component
  2. Verify using MD5 SUM of the certificate and key file
Step 1 – Verify using key and certificate component

An OpenSSL private key contains several components, each a series of numbers. To verify that the private key matches the certificate, compare the following two sections of the private key file and the public key certificate file. If they match, validation is successful.

  • Subject Public Key Info: from certificate file
  • Private-Key: from key file

To open the certificate and key file execute the following commands.


The modulus in the Public Key Algorithm section of the public certificate matches the modulus in the Private-Key section of the private key file.

Step 2 – Verify using MD5 SUM of the certificate and key file

Execute the following commands and confirm that the MD5 sum is the same for the private key and the public key certificate file.

Output from the above two commands confirms that the key matches the certificate.
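
The two checks above combined into one script, as an added example that is not part of the original article. The function names and the self-signed sample data are assumptions made for illustration, and the check applies to RSA keys only, since it compares moduli.

```shell
#!/bin/sh
# Added example (not from the original page): check that an RSA private key
# belongs to a certificate by comparing MD5 digests of their moduli.
# MD5 only shortens the modulus for comparison; it is not a security control.

# Print a digest of the modulus in FILE. KIND is "x509" (certificate) or
# "rsa" (private key). Fails when openssl cannot parse the file, so two
# unreadable inputs never "match" on the digest of empty output.
modulus_digest() {
    kind=$1 file=$2
    modulus=$(openssl "$kind" -noout -modulus -in "$file" 2>/dev/null) || return 1
    [ -n "$modulus" ] || return 1
    printf '%s\n' "$modulus" | openssl md5 | awk '{print $NF}'
}

# Exit status 0: key matches certificate. 1: mismatch. 2: unreadable input.
key_matches_cert() {
    cert_sum=$(modulus_digest x509 "$1") || return 2
    key_sum=$(modulus_digest rsa "$2") || return 2
    [ "$cert_sum" = "$key_sum" ]
}

# Build constructed sample data in DIR: key.pem with its self-signed
# cert.pem, plus an unrelated key other.pem (all hypothetical test material).
make_samples() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null &&
    openssl genrsa -out "$1/other.pem" 2048 2>/dev/null
}

# Usage: sh verify.sh cert.pem key.pem
if [ "$#" -eq 2 ]; then
    rc=0
    key_matches_cert "$1" "$2" || rc=$?
    case $rc in
        0) echo "key matches certificate" ;;
        1) echo "key does NOT match certificate"; exit 1 ;;
        *) echo "could not read certificate or key"; exit 2 ;;
    esac
fi
```

Piping both openssl commands straight into a digest would report a match when neither file can be parsed, because both digests are then the digest of empty input; the script returns status 2 in that case instead.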

With the release of OpenSSH 7.8, the default format for private keys generated by ssh-keygen has changed from OpenSSL-compatible PEM files to a custom key format created by the OpenSSH developers. At the time of writing, the majority of open-source Java SSH APIs will need the keys converted back to the old format before the keys can be used.


Take the standard command line to generate a 2048-bit RSA key with OpenSSH 7.8 or above.

This command-line generates a key that looks like this:

If you still need the old format when generating new keys, you can use a new command-line option to specify the format required.

This command-line generates the old-style PEM format that is compatible with most Java SSH APIs.

While end-users may be willing to do this in the short-term, the solution is to use a Java SSH API that supports this new format.

The Maverick Legacy commercial Java SSH APIs have supported the new format since version 1.7.20, with both reading and key generation support for all the algorithms supported by OpenSSH, namely RSA, ECDSA, and ED25519.

The Maverick Synergy open-source Java SSH API also supports the same algorithms for reading and key generation. With both APIs, the default is to generate new keys with the new format.

To generate a new ed25519 key pair with Maverick Synergy, it’s as simple as

Then to store these on file for later use:

We can then load them to use in SSH authentication with the API using:

For more information on Maverick Synergy, including download and API documentation, please visit