How to convert an ED25519 public key to RSA X509 PEM format?

Posted on 2025-01-31 16:29:21

Comments (1)

捎一片雪花 2025-02-07 16:29:21

Assuming you are talking about this, yes, it apparently wants an RSA key, not ed25519, and it wants an X.509 cert, which can be self-signed, containing the key, which is not 'converting' the key because the information in the cert is different from the information in the key, even though they confusingly and misleadingly describe it as being the public key.

The method they show is almost usable except that you want to generate the key in OpenSSH instead of OpenSSL -- although I don't know why, see below.

In OpenSSH 7.8 and up, to generate an RSA keypair in OpenSSH's 'old' format, which is (exactly) the same as OpenSSL's 'traditional' or 'legacy' format:

ssh-keygen -t rsa [-b $bits] -m pem [-f private_file]

In lower versions omit -m pem; OpenSSH already uses 'old' format. If you already have a file generated in OpenSSH 'new' format (i.e. PEM-like labels BEGIN/END OPENSSH PRIVATE KEY) you can convert it to 'old' format by using the change-password function:

ssh-keygen -p -m pem [-f private_file]
# you don't need to actually _change_ the password, you can enter 
# same value for old and new, but it re-writes the file in 'old' format

It's not clear to me if GCP wants specifically PKCS8 unencrypted (clear) format for the privatekey rather than OpenSSL's 'traditional' format; the examples all are PKCS8. If it does, use:

openssl pkey -in private_trad -out private_pkcs8 
# or in ancient versions (0.9.x)
openssl pkcs8 -topk8 -nocrypt -in private_trad -out private_pkcs8

To create the cert for the public key of this keypair, use the private key file (in either traditional or pkcs8), in a slight modification of the command GCP shows:

openssl req -x509 -new -key private_file -days 365 -out public_key.pem -subj "/CN=unused"

But if you want to use the same key for SSH and GCP, it's easier to go the other direction -- generate the keypair and cert with openssl req -newkey -keyout -nodes ..., as they show, and then use that key in OpenSSH. But you didn't ask that, so I can't give you the answer, which is that OpenSSH can already use any OpenSSL-format privatekey and requires only ssh-keygen -y to create the OpenSSH-format publickey.
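
The steps in the answer above, run end to end with a check that the resulting certificate carries the same public key as the private key file. This is an added example, not part of the original answer: the function names, the temporary file names, the `openssl genrsa` fallback and the SubjectPublicKeyInfo hash comparison are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: RSA key -> unencrypted PKCS8 -> self-signed X.509 cert,
# then confirm the cert embeds the key's public half. Names are hypothetical.
set -eu

# gen_rsa_key FILE [BITS]: unencrypted RSA private key in PEM form.
# Assumption: where ssh-keygen is missing or fails, fall back to OpenSSL;
# either PEM form is accepted by the steps below.
gen_rsa_key() {
    ssh-keygen -q -t rsa -b "${2:-2048}" -m pem -N '' -f "$1" 2>/dev/null ||
        openssl genrsa -out "$1" "${2:-2048}" 2>/dev/null
}

# to_pkcs8 IN OUT: rewrite the key as clear PKCS8 ("BEGIN PRIVATE KEY").
to_pkcs8() { openssl pkey -in "$1" -out "$2"; }

# make_cert KEY CERT: self-signed cert for KEY, same options as the answer.
make_cert() {
    openssl req -x509 -new -key "$1" -days 365 -out "$2" -subj "/CN=unused"
}

# SHA-256 of the DER SubjectPublicKeyInfo, taken from a private key file
# and from a certificate. Equal hashes mean the same public key.
spki_of_key() {
    openssl pkey -in "$1" -pubout -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}
spki_of_cert() {
    openssl x509 -in "$1" -pubkey -noout |
        openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}

# cert_matches_key KEY CERT: succeeds only if CERT was issued for KEY.
cert_matches_key() { [ "$(spki_of_key "$1")" = "$(spki_of_cert "$2")" ]; }

demo() {
    d=$(mktemp -d)                        # constructed scratch directory
    gen_rsa_key "$d/id_rsa" 2048
    to_pkcs8 "$d/id_rsa" "$d/private_pkcs8"
    make_cert "$d/private_pkcs8" "$d/public_key.pem"
    head -n 1 "$d/private_pkcs8"          # PEM label of the PKCS8 file
    cert_matches_key "$d/id_rsa" "$d/public_key.pem" && echo "cert matches key"
    rm -rf "$d"
}
demo
```

Running `cert_matches_key` before uploading `public_key.pem` catches the case where the cert was built from a different key file than the one the client will sign with.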
