Different private/public key conversions GnuPG, OpenSSH and OpenSSL
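# Source: http://www.sysmic.org/dotclear/index.php?post/2010/03/24/Convert-keys-betweens-GnuPG%2C-OpenSsh-and-OpenSSL
# Every recipe below writes private key material (PEM, PKCS#12, id_rsa) into the current directory.
# Run them with a restrictive umask and delete the intermediate files when you are done.
umask 077
# OpenSSH private keys are directly understandable by OpenSSL. You can test for example:
openssl rsa -in ~/.ssh/id_rsa -text
openssl dsa -in ~/.ssh/id_dsa -text
# Notice OpenSSH 7.8 and later write new keys in their own "OPENSSH PRIVATE KEY" format, which OpenSSL does not read.
# Such a key must be converted to PEM first; this rewrites ~/.ssh/id_rsa in place and asks for the passphrase:
ssh-keygen -p -m PEM -f ~/.ssh/id_rsa
# So, you can directly use it to create a certification request (the request and the -signkey below must use the same key):
openssl req -new -key ~/.ssh/id_rsa -out myid.csr
# You can also use your ssh key to create a self-signed certificate:
openssl x509 -req -days 3650 -in myid.csr -signkey ~/.ssh/id_rsa -out myid.crt
# OpenSSL to OpenSSH
# Private keys format is same between OpenSSL and OpenSSH. So you just have to rename your OpenSSL key:
cp myid.key id_rsa
# ssh refuses private keys readable by others, so restrict the copy.
chmod 600 id_rsa
# In OpenSSL, there is no specific file for public key (public keys are generally embedded in certificates). However, you can extract public key from private key file:
ssh-keygen -y -f myid.key > id_rsa.pub
# GnuPG to OpenSSH
# The best way is to use openpgp2ssh tool distributed with the monkeysphere project:
gpg --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes --export-secret-keys --no-armor 0x01234567! | openpgp2ssh 01234567 > id_rsa
# Notice 0x01234567 must be a RSA key (or subkey).
# Notice export-reset-subkey-passwd strips the passphrase, so id_rsa is written unencrypted. Give it one back before using it:
chmod 600 id_rsa
ssh-keygen -p -f id_rsa
# You can now extract ssh public key using:
ssh-keygen -y -f id_rsa > id_rsa.pub
# GnuPG to OpenSSL
# We already saw all steps. Extract key as for ssh (myid.key is unencrypted for the same reason as above):
gpg --export-options export-reset-subkey-passwd,export-minimal,no-export-attributes --export-secret-keys --no-armor 0x01234567! | openpgp2ssh 01234567 > myid.key
chmod 600 myid.key
# You can create a certification request:
openssl req -new -key myid.key -out myid.csr
# You can create a self-signed certificate:
openssl x509 -req -days 3650 -in myid.csr -signkey myid.key -out myid.crt
# GnuPG S/MIME to OpenSSL
# Gpgsm utility can export keys and certificate in PKCS#12:
gpgsm -o secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX
# You have to extract Key and Certificates separately (openssl asks for a PEM pass phrase, so gpg-key.pem stays encrypted on disk):
openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem
openssl pkcs12 -in secret-gpg-key.p12 -nokeys -out gpg-certs.pem
# You can now use it in OpenSSL.
# You can also do similar thing with GnuPG public keys. There will be only certificates output.
# OpenSSL to GnuPG S/MIME
# Invert process:
openssl pkcs12 -export -in gpg-certs.pem -inkey gpg-key.pem -out gpg-key.p12
gpgsm --import gpg-key.p12
# GnuPG S/MIME to OpenSSH
# Now, chain processes:
gpgsm -o secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX
openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem
# We need to protect key, else ssh refuses it.
chmod 600 gpg-key.pem
# -i asks before overwriting an ~/.ssh/id_rsa you may already have.
cp -i gpg-key.pem ~/.ssh/id_rsa
ssh-keygen -y -f gpg-key.pem > ~/.ssh/id_rsa.pub
# OpenSSH to GnuPG S/MIME
# First we need to create a certificate (self-signed) for our ssh key:
openssl req -new -x509 -key ~/.ssh/id_rsa -out ssh-cert.pem
# We can now import it in GnuPG (the file name must match the one written just above):
openssl pkcs12 -export -in ssh-cert.pem -inkey ~/.ssh/id_rsa -out ssh-key.p12
gpgsm --import ssh-key.p12
# Notice you cannot import/export DSA ssh keys to/from GnuPG, and OpenSSH itself no longer accepts DSA keys by default since 7.0.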