Skip to Content

How to fix unable to load Private Key

OpenSSH has its own Private Key format. It doesn’t match with OpenSSL. But We can create or convert to a Openssl style private key.

Error message:
ssh-keygen -t rsa -b 4096
openssl rsa -in ~/.ssh/id_rsa -outform pem > id_rsa.pem
unable to load Private Key
140735944156104:error:0906D06C:PEM routines:PEM_read_bio:no start line:/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-22.50.2/libressl/crypto/pem/pem_lib.c:704:Expecting: ANY PRIVATE KEY

Understanding OpenSSH key File

Openssh Key file is just a “PEM-like” format. There’s a “—–HEADER—–” and there’s Base64-encoded data. But that’s where the similarities end – the actual data structure found within that Base64 blob is completely different than that of PEM; it isn’t even using ASN.1 DER like typical “PEM” files do, but uses the SSH data format instead.

Openssh Key file Format:
BEGIN OPENSSH PRIVATE KEY: not “PEM”, contains SSH2-formatted data specific to OpenSSH

  • Use ssh-keygen -p -m PEM (password change with the -m option) to do an in-place conversion of other SSH key types to PKCS#1 (PEM).
  • use ssh-keygen -p -m PKCS8 to do in-place conversion to PKCS#8.

Understanding OpenSSL key File

BEGIN RSA PRIVATE KEY: known as “PEM” or “PKCS#1”, contains ASN.1 DER-formatted data
BEGIN PRIVATE KEY: “PKCS#8”, more versatile than PEM (can hold any algorithm), but still counts as “PEM” for most purposes (most tools will recognize both formats), contains ASN.1 DER-formatted data
BEGIN ENCRYPTED PRIVATE KEY: still PKCS#8 but password-encrypted

  • Use openssl genpkey to create PKCS#8 format keys
  • Use openssl genrsa to create PKCS#1 format keys
  • Use openssl pkey to convert PKCS#1 to PKCS#8

How to fix unable to load Private Key

The ssh-keygen command used to output RSA private keys in the OpenSSL-style PEM or “bare RSA” or PKCS#1 format, but that’s no longer the default. Now OpenSSH has its own Private Key format.

We can still get it using the -m PEM option, and we can also get the PKCS#8 format using -m PKCS8. Both are OpenSSL-compatible (PKCS#8 is preferred nowadays.)

We can fix by adding -m PEM when generate keys. So the gen key command look like:

ssh-keygen -t rsa -b 4096 -m PEM

Then we can get pem from our rsa private key.

openssl rsa -in id_rsa -outform pem > id_rsa.pem

We can also convert a private key file id_rsa to the PEM format.

ssh-keygen -p -m PEM -f ./id_rsa

오피

Saturday 3rd of June 2023

Pretty! This was an extremely wonderful post. Thank you for providing these details.