Last updated: March 18, 2024
1. Overview
In this tutorial, we’ll look at the steps to generate a public key from an existing private key. Specifically, we’ll showcase two different command-line tools for generating the associated public key from a private key.
2. Generate a Public Key from a Private Key Using ssh-keygen
2.1. Installing ssh-keygen
To obtain thessh-keygen program, we’ll install theopenssh-client with our package manager.
For example, in Ubuntu Linux, we perform the installation using apt-get install:
$ sudo apt-get update -qq$ sudo apt-get install -y openssh-client2.2. Extracting the Public Key Using ssh-keygen
We can invoke the ssh-keygen command on our private key, followed by the -y option to generate the associated public key:
$ ssh-keygen -f rsa.pem -yssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+xkWG+Qe6HXgXNRRprik+YFoa80sqoVe...The command above uses the -f option to specify the path to the private key. Then, we specify the -y option to print the public key to the console.
2.3. Converting the Public Key to Different Formats
By default, thessh-keygen generates the public key in the OpenSSH format. We can convert the public key into different formats using the -eand-m options. Specifically, the -eoption tellsssh-keygento display the public key in the format specified by the -moption. The valid formats to which we can convert the public key arerfc4716,pkcs8, andpem.
Note that the pem format here refers to the PKCS#1 format instead of the PEM encoding.
Let’s display the public key in RFC4716 format by running the same command followed by -eand-m rfc4716:
$ ssh-keygen -f rsa.pem -y -e -m rfc4716---- BEGIN SSH2 PUBLIC KEY ----Comment: "2048-bit RSA, converted by user@922ba453f054 from OpenSSH"AAAAB3NzaC1yc2EAAAADAQABAAABAQC+xkWG+Qe6HXgXNRRprik+YFoa80sqoVeanP8rr2DZvGhGwQC950p49KElfqXePICM0Mx1sH7sQTG9XhXYLEM5ZtUYvwWSBUsH1e2qjiodtlSEgVYJt9hS9EB1jPcdwaVMh1/WOc90ilreJMvyavv0bxPJahCnJlUYocK7UgMKK1dzK62fY0QqRJuvlntC8mPtLSAAF0BLlU7BK5wcl626iZfVC/mmV2xO7MqT/NrztqnHSdJ9p5G43rVhmWnjyVRalDHlRgbgQHBRq/nj3L1nd4CByEURfWqMjsjyBVgGw2WPIt1UpaxBW2z2vf5NMjrfU6PHnV34HtvNQp1vE0G5---- END SSH2 PUBLIC KEY ----Similarly, we can display the public key in PKCS#8 or PEM format by specifying the argumentpkcs8andpem, respectively:
$ ssh-keygen -f rsa.pem -y -e -m pkcs8$ ssh-keygen -f rsa.pem -y -e -m pem3. Generate a Public Key from a Private Key Using openssl
3.1. Obtaining openssl
By default,opensslcomes with most of the Linux distros. To verify that the openssl command is present, we can run the openssl version command:
$ openssl versionOpenSSL 1.1.1f 31 Mar 2020If the command results in a “command not found” error on the console, then we’ll need to build it manually. The step-by-step guide can be found in the official OpenSSL team’s repository on GitHub.
3.2. Getting the Public Key using openssl
To extract the public key of a private key filersa.pem, we can use theopenssl pkeysubcommand:
$ openssl pkey -in rsa.pem -pubout-----BEGIN PUBLIC KEY-----MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvsZFhvkHuh14FzUUaa4pPmBaGvNLKqFXmpz/K69g2bxoRsEAvedKePShJX6l3jyAjNDMdbB+7EExvV4V2CxDOWbVGL8FkgVLB9Xtqo4qHbZUhIFWCbfYUvRAdYz3HcGlTIdf1jnPdIpa3iTL8mr79G8TyWoQpyZVGKHCu1IDCitXcyutn2NEKkSbr5Z7QvJj7S0gABdAS5VOwSucHJetuomX1Qv5pldsTuzKk/za87apx0nSfaeRuN61YZlp48lUWpQx5UYG4EBwUav549y9Z3eAgchFEX1qjI7I8gVYBsNljyLdVKWsQVts9r3+TTI631Ojx51d+B7bzUKdbxNBuQIDAQAB-----END PUBLIC KEY-----4. Conclusion
In this article, we’ve looked at how we can generate the public key from a given private key using different command-line tools.
We’ve started by demonstrating the ssh-keygen command, which allows us to also convert the public key into different formats in addition to generating it. Then, we’ve also shown the openssl pkey command for obtaining the public key from the private key.
