How to export a private key to RSA PEM format with ssh-keygen

To manage authentication to ssh or sftp services I always do it through ssh keys, and I usually generate them with the following ssh-keygen command:

ssh-keygen -t rsa -b 4086 -C usersftp@localhost -f userftp -N srmTG304y

This command creates the private key and the public of type RSA with a key size of 4096 bits and with a passphrase srmTG304y:

operatoruser@ubuntu2004:~$ ssh-keygen -t rsa -b 4086 -C usersftp@localhost -f userftp -N srmTG304y
Generating public/private rsa key pair.
Your identification has been saved in userftp
Your public key has been saved in userftp.pub
The key fingerprint is:
SHA256:zO4w9sUnUAlLBTcFCmAay3LqNIKnmDb7i/8pMXSVFVU usersftp@localhost
The key's randomart image is:
+---[RSA 4086]----+
|  . o.. *=B+oE   |
| . =   = = o     |
|. =   . o o      |
|.+ . . o .       |
|+oo .   S        |
|=+.o   . o       |
|++  o + . + .    |
|. +. ..= . o     |
| oo++o  o        |
+----[SHA256]-----+
operatoruser@ubuntu2004:~$

The two files created:

operatoruser@ubuntu2004:~$ ls -la userftp*
-rw------- 1 operatoruser operatoruser 3430 Sep 24 17:18 userftp
-rw-r--r-- 1 operatoruser operatoruser  740 Sep 24 17:18 userftp.pub
operatoruser@ubuntu2004:~$

The private key is:

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAACmFlczI1Ni1jdHIAAAAGYmNyeXB0AAAAGAAAABBLo/uQfY
/kBJYL2DmezsjJAAAAEAAAAAEAAAIVAAAAB3NzaC1yc2EAAAADAQABAAAB/yz1CEW9hKa8
RzgIEfSlt0vtnYaNeDYKNUa99ygU+k6FyoPKUVRx4oa1Rlxt9RKNxbWm+DfyoKho/x03J7
qt8CiCHlim1sv81Etx/r+R5QFjDd833uXpxDsDgtkyLY3Fsw+baMjj65ZDhv4YLmdUFXu2
...
...
8DL8+5L0n94vTFrgCxnBA67K+cDTCPX7YfoN47pfa1ZGSCV+dLjXpRoiXxAjMHWi8pn/Q7
t0r+bTVJG5uj1Xqz5IhxSArZWD4g+SlB1OxOztbRJt/eRsJbMMYsvpej7UIFbUUPHqtnVh
OJiaUxdm4A0JqbFLtTrbjfiAamcve23oj4ZBYL7tQ43FXT25FkaBlcAvReSEXvUk1zXVs5
yRVsIl/eiKSTQmUZd6NoTs
-----END OPENSSH PRIVATE KEY-----

And the public key is the file that has a .pub extension:

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAB/yz1CEW9hKa8RzgIEfSlt0vtnYaNeDYKNUa99ygU+k6FyoPKUVRx4oa1Rlxt9RKNxbWm+DfyoKho/x03J7qt8CiCHlim1sv81Etx/r+R5QFjDd833uXpxDsDgtkyLY3Fsw+baMjj...
...
3iAX1KVC9QVnV6vEzJhmZe7zUTKV7v8OkH/2C9Jz2ISkOSBS2yOgsGePu5E659bXxkDhKYSVjQiC1G6gDbzSdqOfW61DeH2WjJN1MxSeyVvysH6fTAkNJ4hPRxPR4Amb/dqCAf9kc= usersftp@localhost

The public key is sent to the administrator of the ssh or sftp service to which we want to connect so that it can be added to the file known_hosts, and with the private key the client authenticates.

Many times a product fails to authenticate with the private key in this format that generates by default ssh-keygen and that is identified with the header "BEGIN OPENSSH PRIVATE KEY" and therefore must be converted to another format such as PEM RSA. This occurs for example with older versions of NIFI that do not authenticate an SFTP with this type of private key and require a PEM RSA format.

The ssh-keygen man does not help much and seems to indicate that with the -e option this conversion is made:

     -e      This option will read a private or public OpenSSH key file and print to stdout a public key in one of the formats specified by the -m option.
             The default export format is “RFC4716”.  This option allows exporting OpenSSH keys for use by other programs, including several commercial SSH
             implementations.

But it doesn't give many clues as to how to do it.

To convert or export the public key to RSA PEM format we run the -e command along with the -m PEM option:

ssh-keygen -e -f userftp -m PEM

That gives us in console output the public key in RSA PEM format:

operatoruser@ubuntu2004:~$ ssh-keygen -e -f userftp -m PEM
-----BEGIN RSA PUBLIC KEY-----
MIICCAKCAf8s9QhFvYSmvEc4CBH0pbdL7Z2GjXg2CjVGvfcoFPpOhcqDylFUceKG
tUZcbfUSjcW1pvg38qCoaP8dNye6rfAogh5YptbL/NRLcf6/keUBYw3fN97l6cQ7
...
...
Xu81Eyle7/DpB/9gvSc9iEpDkgUtsjoLBnj7uROufW18ZA4SmElY0IgtRuoA280n
ajn1utQ3h9loyTdTMUnslb8rB+n0wJDSeIT0cT0eAJm/3aggH/ZHAgMBAAE=
-----END RSA PUBLIC KEY-----

And to convert the private key you must specify the -p option indicating the passphrase of the current private key (option -P) and that of the new private key (option -N) (if you do not have passphrase put ''). Very important: modify the file that is specified in the -f option so it is advisable to make a backup before so as not to lose the private key in openssh format:

ssh-keygen -e -p -P srmTG304y -N srmTG304y -f userftp -m pem

That when you run it you have the following output:

operatoruser@ubuntu2004:~$ ssh-keygen -e -p -P srmTG304y -N srmTG304y -f userftp -m pem
Key has comment 'usersftp@localhost'
Your identification has been saved with the new passphrase.
operatoruser@ubuntu2004:~$

And now the file of the private key we see that it has changed to the new format:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,F0DF3CEE59B37DCC664C520BE07BB96E

X9ZzQV2tUqEPZzTTXQyQTLN6mTXamf7Sd37uyDo8aRTW45r0xwcrh0s1ayTqzE/O
+y4F+9VMKB8hJeLnNRkNdamZeQyf6i6fkKpcEcUNfbZgj5Nwj6/STqxHXODLD/Db
...
...
cwoaIak9t1kU87iibHnrzeIrD9ddQv+zlMPqb5uV8O7fY9KPdALZf4BF0/Uc8ump
66j1gLRMiFAi1olZ4DZRYbvPQ8foYT7mUeMpX0jaT+SZstekwlUSPtxXI4QpdBeg
-----END RSA PRIVATE KEY-----

It has nothing to do with the format that is put on the server to which you want to authenticate with that of the consumer. On the server can be the public key of openssh format and in the consumer product the private key RSA PEM.

Many other applications such as WinSCP require the putty private key format (ppk) and this is generated with the puttygen.exe tool.