OpenSSH has its own Private Key format. It doesn’t match with OpenSSL. But We can create or convert to a Openssl style private key.
Error message:
ssh-keygen -t rsa -b 4096
openssl rsa -in ~/.ssh/id_rsa -outform pem > id_rsa.pem
unable to load Private Key
140735944156104:error:0906D06C:PEM routines:PEM_read_bio:no start line:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/pem/pem_lib.c:704:Expecting: ANY PRIVATE KEY
Understanding OpenSSH key File
Openssh Key file is just a “PEM-like” format. There’s a “—–HEADER—–” and there’s Base64-encoded data. But that’s where the similarities end – the actual data structure found within that Base64 blob is completely different than that of PEM; it isn’t even using ASN.1 DER like typical “PEM” files do, but uses the SSH data format instead.
Openssh Key file Format:
BEGIN OPENSSH PRIVATE KEY: not “PEM”, contains SSH2-formatted data specific to OpenSSH
- Use ssh-keygen -p -m PEM (password change with the -m option) to do an in-place conversion of other SSH key types to PKCS#1 (PEM).
- use ssh-keygen -p -m PKCS8 to do in-place conversion to PKCS#8.
Understanding OpenSSL key File
BEGIN RSA PRIVATE KEY: known as “PEM” or “PKCS#1”, contains ASN.1 DER-formatted data
BEGIN PRIVATE KEY: “PKCS#8”, more versatile than PEM (can hold any algorithm), but still counts as “PEM” for most purposes (most tools will recognize both formats), contains ASN.1 DER-formatted data
BEGIN ENCRYPTED PRIVATE KEY: still PKCS#8 but password-encrypted
- Use openssl genpkey to create PKCS#8 format keys
- Use openssl genrsa to create PKCS#1 format keys
- Use openssl pkey to convert PKCS#1 to PKCS#8
How to fix unable to load Private Key
The ssh-keygen command used to output RSA private keys in the OpenSSL-style PEM or “bare RSA” or PKCS#1 format, but that’s no longer the default. Now OpenSSH has its own Private Key format.
We can still get it using the -m PEM option, and we can also get the PKCS#8 format using -m PKCS8. Both are OpenSSL-compatible (PKCS#8 is preferred nowadays.)
We can fix by adding -m PEM when generate keys. So the gen key command look like: ssh-keygen -t rsa -b 4096 -m PEM
Then we can get pem from our rsa private key. openssl rsa -in id_rsa -outform pem > id_rsa.pem
We can also convert a private key file id_rsa to the PEM format. ssh-keygen -p -m PEM -f ./id_rsa