Convert keys between GnuPG, OpenSsh and OpenSSL
Par Jérôme Pouiller le mercredi, mars 24 2010, 16:47 - Technique - Lien permanent
OpenSSH to OpenSSL
OpenSSH private keys are directly understable by OpenSSL. You can test for example:
openssl rsa -in ~/.ssh/id_rsa -text openssl dsa -in ~/.ssh/id_dsa -text
You can also convert then to PEM format easily (notice, format for SSH private keys and PEM is very close):
openssl rsa -in ~/.ssh/id_rsa -out key_rsa.pem openssl dsa -in ~/.ssh/id_dsa -out key_dsa.pem
So, you can directly use it to create a certification request:
openssl req -new -key ~/.ssh/id_dsa -out myid.csr
You can also use your ssh key to create a sef-signed certificate:
openssl x509 -req -days 3650 -in myid.csr -signkey ~/.ssh/id_rsa -out myid.crt
Notice I have not found how to manipulate ssh public key with OpenSSL
OpenSSL to OpenSSH
Private keys format is same between OpenSSL and OpenSSH. So you just a have to rename your OpenSSL key:
cp myid.key id_rsa
In OpenSSL, there is no specific file for public key (public keys are generally embeded in certificates). However, you extract public key from private key file:
ssh-keygen -y -f myid.key > id_rsa.pub
GnuPG to OpenSSH
First, you need to know fingerprint of your RSA key. You can use:
gpg --list-secret-keys --keyid-format short
Next, you can use openpgp2ssh
tool distributed in with monkeyshpere project:
gpg --export-secret-keys 01234567 | openpgp2ssh 01234567 > id_rsa
A few notes are necessary:
01234567
must be fingerprint of a RSA key (or subkey)gpg --export-secret-keys
also accept finger print of global key (in this case, it exports all sub-keys). However,openpgp2ssh
only accept finger print of an RSA key- If no arguments are provided,
openpgp2ssh
export RSA keys it find
You can now extract ssh public key using:
ssh-keygen -y -f id_rsa > id_rsa.pub
GnuPG to OpenSSL
We already saw all steps. Extract key as for ssh:
gpg --list-secret-keys --keyid-format short gpg --export-secret-keys 01234567 | openpgp2ssh 01234567 > myid.ke
You can can convert this key to PEM format:
openssl rsa -in myid.key -out myid.pem
You can create a certification request:
openssl req -new -key myid.key -out myid.csr
You can create a sef-signed certificate:
openssl x509 -req -days 3650 -in myid.csr -signkey myid.key -out myid.crt
GnuPG S/MIME to OpenSSL
Gpgsm utility can exports keys and certificate in PCSC12:
gpgsm -o secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX
You have to extract Key and Certificates separatly:
openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem openssl pkcs12 -in secret-gpg-key.p12 -nokeys -out gpg-certs.pem
You can now use it in OpenSSL.
You can also do similar thing with GnuPG public keys. There will be only certificates output.
OpenSSL to GnuPG S/MIME
Invert process:
openssl pkcs12 -export -in gpg-certs.pem -inkey gpg-key.pem -out gpg-key.p12 gpgsm --import gpg-key.p12
GnuPG S/MIME to OpenSSH
Now, chain processes:
gpgsm -o secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem
We need to protect key, else ssh refuse it.
chmod 600 gpg-key.pem cp gpg-key.pem ~/.ssh/id_rsa ssh-keygen -y -f gpg-key.pem > ~/.ssh/id_rsa.pub
OpenSSH to GnuPG S/MIME
First we need to create a certificate (self-signed) for our ssh key:
openssl req -new -x509 -key ~/.ssh/id_rsa -out ssh-cert.pem
We can now import it in GnuPG
openssl pkcs12 -export -in ssh-certs.pem -inkey ~/.ssh/id_rsa -out ssh-key.p12 gpgsm --import ssh-key.p12
Notice you cannot import/export DSA ssh keys to/from GnuPG
Commentaires
Is a private key needed to convert a public OpenSSH key to a public GnuPG key? Thanks
OpenSSL is the main tool to translate OpenSSH key to GnuPG and I hadn't found any way to manipulate public OpenSSH keys using OpenSSL.
gpgsm does not seem to be capable of exporting generated keys....
$ gpg2
gen-keyexport.....
1024R/FFD0B47E 2012-08-02 ....
but then when you type
$ gpgsm -o secret-gpg-key.p12 --export-secret-key-p12 0xFFD0B47E
gpgsm: can't export key `0xFFD0B47E': No secret key
The secret key is there, and is exportable with gpg.
Anything I am missing here?
Merci beaucoup in advance....
here's another one:
convert gpg-agent keys to ssh-keys
foo is the hash of the key (you can cat it to find out which key path it was imported from). prepend the above line by space to avoid login the passphrase in history.
then (as per this guide, in fact)
note that with DSA or ECDSA keys, your mileage may vary.
The Monkeysphere project provides a tool called "openpgp2ssh".
http://web.monkeysphere.info/
This works well for going from GnuPG to OpenSSH:
gpg --export <keyID> | openpgp2ssh <keyID>
GnuPG to OpenSSL
assume you have a gpg key already:
Not sure how smart it is to do that, but it took me more than a day to figure that out.