When working with SSH authentication, you'll often encounter private keys in different formats. The PEM (Privacy Enhanced Mail) format is particularly common in various infrastructure tools, though it presents some compatibility issues with SSH utilities.
The standard ssh-keygen -l -f command expects OpenSSH's native private key format or a public key file. PEM-formatted private keys use different encapsulation:
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAz6J4lfZR2...
-----END RSA PRIVATE KEY-----
This differs from OpenSSH's encrypted private key format which includes encryption metadata:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF
...
-----END RSA PRIVATE KEY-----
The most reliable method is to extract the public key from the PEM file:
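# openssl writes a PEM "BEGIN PUBLIC KEY" file (the format ssh-keygen calls PKCS8);
# ssh-keygen -i -m PKCS8 converts it to the one-line OpenSSH form that ssh-keygen -l reads.
# For RSA keys:
openssl rsa -in query.pem -pubout | ssh-keygen -i -m PKCS8 -f /dev/stdin > query.pub
ssh-keygen -l -f query.pub
# For ECDSA keys:
openssl ec -in query.pem -pubout | ssh-keygen -i -m PKCS8 -f /dev/stdin > query.pub
ssh-keygen -l -f query.pub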
For systems with OpenSSL 1.1.1+ (2018 release), you can compute the fingerprint directly:
openssl pkey -in query.pem -pubout -outform DER | \
openssl md5 -c | \
awk '{print $2}' | \
tr -d ':'
Convert the PEM to OpenSSH format temporarily:
ssh-keygen -p -f query.pem # Rewrite in OpenSSH format (the default since OpenSSH 7.8; modifies the file in place)
ssh-keygen -l -f query.pem # Get fingerprint
ssh-keygen -p -m PEM -f query.pem # Convert back to PEM if needed
For password-protected PEM files, use:
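# pass: exposes the password in shell history and the process list; -passin also accepts env:VAR or file:PATH
openssl rsa -in encrypted.pem -pubout -passin pass:yourpassword | \
ssh-keygen -i -m PKCS8 -f /dev/stdin | \
ssh-keygen -l -f /dev/stdin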
Note that different tools may display fingerprints differently:
- ssh-add -l: SHA1 with colons (XX:XX:XX...)
- ssh-keygen -l -E md5: MD5 with colons
- ssh-keygen -l -E sha256: Base64 SHA256
Always specify the hash algorithm when comparing fingerprints across systems.
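What ssh-keygen -l hashes is the binary blob that is base64-encoded in the one-line OpenSSH public key, so the MD5 and SHA256 forms listed above are two renderings of the same input. The following Python is an added example, not part of the original page; the helper names and the sample key (built from a constructed number, not a real RSA modulus) are assumptions, and matches() refuses a fingerprint that does not name its hash.

```python
import base64
import hashlib
import struct

def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def ssh_mpint(n: int) -> bytes:
    """SSH wire 'mpint' for n > 0; the extra byte keeps the sign bit clear."""
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

def make_rsa_line(e: int, n: int, comment: str) -> str:
    """Build a constructed 'ssh-rsa <base64> <comment>' line (sample data only)."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def parse_public_line(line: str):
    """Return (key_type, blob) and check the type named inside the blob."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != fields[0].encode():
        raise ValueError("key type does not match the encoded blob")
    return fields[0], blob

def fingerprint(blob: bytes, alg: str = "sha256") -> str:
    """Render the digest of the key blob the way ssh-keygen -l -E <alg> does."""
    digest = hashlib.new(alg, blob).digest()
    if alg == "md5":
        return "MD5:" + ":".join(f"{b:02x}" for b in digest)
    return alg.upper() + ":" + base64.b64encode(digest).decode().rstrip("=")

def matches(line: str, claimed: str) -> bool:
    """Compare against a fingerprint that names its hash, e.g. 'SHA256:...'."""
    alg, sep, _ = claimed.partition(":")
    if not sep or alg.lower() not in ("md5", "sha256"):
        raise ValueError("fingerprint must start with MD5: or SHA256:")
    _, blob = parse_public_line(line)
    return fingerprint(blob, alg.lower()) == claimed

if __name__ == "__main__":
    # Constructed sample: n is an arbitrary 2048-bit number, not a real modulus.
    sample = make_rsa_line(65537, 2**2047 + 1, "constructed-sample")
    _, blob = parse_public_line(sample)
    print(fingerprint(blob, "sha256"))
    print(fingerprint(blob, "md5"))
```

Hashing the DER output of openssl pkey -pubout, as in the openssl md5 pipeline above, covers different bytes than this blob, so the two MD5 values are not interchangeable.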
When working with SSH authentication, you'll often encounter private keys in different formats. The PEM (Privacy Enhanced Mail) format is particularly common in various systems, but it presents a unique challenge when trying to extract its fingerprint through standard SSH tools.
For typical OpenSSH private keys, you'd simply run:
ssh-keygen -l -f ~/.ssh/id_rsa
However, with PEM format private keys (like those generated by OpenSSL), this command fails with errors:
ssh-keygen -l -f query.pem
key_read: uudecode PRIVATE KEY----- failed
key_read: uudecode PRIVATE KEY----- failed
./query.pem is not a public key file.
Method 1: Using OpenSSL to Derive the Public Key
Convert the PEM private key to public key format first:
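# ssh-keygen -i -m PKCS8 turns openssl's PEM public key into the OpenSSH form that ssh-keygen -l reads
openssl rsa -in query.pem -pubout -outform PEM | ssh-keygen -i -m PKCS8 -f /dev/stdin > query.pub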
ssh-keygen -l -f query.pub
Method 2: Direct Fingerprint Calculation
For a more direct approach without intermediate files:
openssl rsa -in query.pem -pubout | ssh-keygen -i -m PKCS8 -f /dev/stdin | ssh-keygen -l -f /dev/stdin
The fingerprint output will look like:
2048 SHA256:AbCdEfGh...123456 query.pem (RSA)
Where:
- 2048 indicates the key length in bits
- SHA256:... shows the fingerprint hash
You can specify different hash algorithms:
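openssl rsa -in query.pem -pubout | ssh-keygen -i -m PKCS8 -f /dev/stdin | ssh-keygen -l -E md5 -f /dev/stdin
openssl rsa -in query.pem -pubout | ssh-keygen -i -m PKCS8 -f /dev/stdin | ssh-keygen -l -E sha256 -f /dev/stdin
openssl rsa -in query.pem -pubout | ssh-keygen -i -m PKCS8 -f /dev/stdin | ssh-keygen -l -E sha512 -f /dev/stdin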