How to Generate Legacy RSA Private Key Format Using ssh-keygen (Instead of OPENSSH Format)


When running the standard RSA key generation command:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Modern OpenSSH versions (7.8+) default to the new OPENSSH private key format instead of the traditional PEM-style RSA format that many older systems expect.

The OpenSSH project migrated to the new format because:

  • Better security through modern encryption
  • Support for key comments within the file
  • Future-proofing for new algorithms

However, many legacy systems (CI/CD pipelines, older servers, certain cloud services) still require the classic RSA format.

Add the -m PEM flag to enforce traditional PEM encoding:

ssh-keygen -m PEM -t rsa -b 4096 -C "legacy@example.com"

The generated private key will now have the expected format:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,25737CC2C70BFABADB1B4598BD8AB9E9

MIIEpQIBAAKCAQEAz7vV9Jf9f6w47Zz6XhJ4Z5vJ8kHm2vYgKj3Xz5bN7w9yJ4F
...
-----END RSA PRIVATE KEY-----

If you already have an OPENSSH format key, convert it using:

ssh-keygen -p -m PEM -f ~/.ssh/id_rsa

This behavior varies by OpenSSH version:

OpenSSH Version   Default Format
< 7.8             PEM (RSA format)
≥ 7.8             OPENSSH format

Check your current format with:

file ~/.ssh/id_rsa

It should return either "PEM RSA private key" or "OpenSSH private key".


When running the command:

ssh-keygen -t rsa -b 4096 -C "your_email@example.com"

Modern OpenSSH versions (7.8+) generate private keys in the new OPENSSH private key format by default:

-----BEGIN OPENSSH PRIVATE KEY-----
uTo43HGophPo5awKC8hoOz4KseENpgHDLxe5UX+amx8YrWvZCvsYRh4/wnwxijYx
...
-----END OPENSSH PRIVATE KEY-----

Many legacy systems and applications still expect the traditional PEM format:

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,25737CC2C70BFABADB1B4598BD8AB9E9

uTo43HGophPo5awKC8hoOz4KseENpgHDLxe5UX+amx8YrWvZCvsYRh4/wnwxijYx
...
-----END RSA PRIVATE KEY-----

The difference occurs because OpenSSH 7.8+ introduced a more secure private key format that includes additional protection against key tampering.

To generate RSA keys in the legacy PEM format that applications expect, use the -m PEM flag:

ssh-keygen -m PEM -t rsa -b 4096 -C "your_email@example.com"

If you already have a key in OPENSSH format, you can convert it:

# First backup your original key
cp id_rsa id_rsa.backup

# Convert to PEM format
ssh-keygen -p -m PEM -f id_rsa

Check your key format with:

file id_rsa

For PEM format, it should show "PEM RSA private key". For OPENSSH format, it will show "OpenSSH private key".

The behavior difference between your Macs occurs because:

  • Older macOS versions shipped with OpenSSH < 7.8
  • Fresh installs get newer OpenSSH versions
  • Homebrew-installed OpenSSH may behave differently

Check your OpenSSH version with:

ssh -V

For maximum control, generate RSA keys with OpenSSL:

openssl genrsa -out id_rsa 4096                  # OpenSSL 3.x writes PKCS#8 ("BEGIN PRIVATE KEY") here unless -traditional is given
openssl rsa -in id_rsa -pubout -out id_rsa.pub   # PEM (SubjectPublicKeyInfo) public key, not the one-line authorized_keys format
ssh-keygen -y -f id_rsa > id_rsa.pub.ssh         # one-line OpenSSH public key for authorized_keys, derived from the same private key

This will always produce traditional PEM format keys.

While the OPENSSH format is more secure, compatibility sometimes requires the PEM format. Always:

  • Use strong passphrases
  • Set proper file permissions (600 for private keys)
  • Consider using ssh-agent for key management
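To check the container format, the passphrase headers and the 600 permission from the answers above in one place, here is an added POSIX shell example; it is not code from the answers or from the OpenSSH project, and the sample key body it writes is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not code from the original answers: classify a private key file by
# its PEM armour, tell whether a legacy RSA key carries passphrase headers, and check
# the 600 permission recommended above. Plain POSIX sh; works with dash, bash and zsh.

# Print the container format: openssh, pem-rsa, pkcs8, pkcs8-encrypted or unknown.
key_format() {
    case "$(head -n 1 "$1")" in
        '-----BEGIN OPENSSH PRIVATE KEY-----')   echo openssh ;;          # ssh-keygen default since 7.8
        '-----BEGIN RSA PRIVATE KEY-----')       echo pem-rsa ;;          # legacy PKCS#1, what -m PEM writes
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;            # OpenSSL 3 genrsa default
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# For pem-rsa the passphrase state is visible in the headers: "Proc-Type: 4,ENCRYPTED"
# plus a DEK-Info line means encrypted. The OPENSSH format keeps the cipher/KDF names
# inside the base64 payload, so the armour alone cannot tell; report unknown there.
key_protection() {
    case "$(key_format "$1")" in
        pem-rsa)
            if grep -q '^Proc-Type: 4,ENCRYPTED' "$1"; then echo encrypted; else echo plaintext; fi ;;
        pkcs8-encrypted) echo encrypted ;;
        pkcs8)           echo plaintext ;;
        *)               echo unknown ;;
    esac
}

# Succeed (exit 0) only when the file is mode 0600: owner read/write, nothing for others.
# ls -l is used because stat's flags differ between GNU coreutils and BSD/macOS.
key_perms_ok() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Demo on a constructed sample (not a real key): the legacy header block shown in the
# answer above with a fake base64 body.
demo_dir=$(mktemp -d)
sample="$demo_dir/id_rsa"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-128-CBC,00000000000000000000000000000000' '' \
    'AAAAfakebodyAAAA' '-----END RSA PRIVATE KEY-----' > "$sample"
chmod 600 "$sample"
printf 'format=%s protection=%s perms=%s\n' "$(key_format "$sample")" \
    "$(key_protection "$sample")" "$(key_perms_ok "$sample" && echo ok || echo too-open)"
rm -rf "$demo_dir"
```

Run it against a real key with `key_format ~/.ssh/id_rsa`; a result of openssh on a system that needs the legacy format is the cue for the `ssh-keygen -p -m PEM` conversion shown above.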