OpenSSH to OpenSSL

OpenSSH private keys are directly understandable by OpenSSL. You can test this, for example:

openssl rsa -in ~/.ssh/id_rsa -text
openssl dsa -in ~/.ssh/id_dsa -text

You can also convert them to PEM format easily (note that the SSH private key format and PEM are very close):

openssl rsa -in ~/.ssh/id_rsa -out key_rsa.pem
openssl dsa -in ~/.ssh/id_dsa -out key_dsa.pem

So you can use the key directly to create a certification request:

openssl req -new -key ~/.ssh/id_dsa -out myid.csr

You can also use your SSH key to create a self-signed certificate:

openssl x509 -req -days 3650 -in myid.csr -signkey ~/.ssh/id_rsa -out myid.crt

Note that I have not found how to manipulate SSH public keys with OpenSSL.

OpenSSL to OpenSSH

The private key format is the same in OpenSSL and OpenSSH, so you just have to rename your OpenSSL key:

 cp myid.key id_rsa

In OpenSSL, there is no specific file for the public key (public keys are generally embedded in certificates). However, you can extract the public key from the private key file:

ssh-keygen -y -f  myid.key >

GnuPG to OpenSSH

First, you need to know the fingerprint of your RSA key. You can use:

  gpg --list-secret-keys --keyid-format short

Next, you can use the openpgp2ssh tool distributed with the monkeysphere project:

 gpg --export-secret-keys 01234567 | openpgp2ssh 01234567 > id_rsa

A few notes are necessary:

  • 01234567 must be the fingerprint of an RSA key (or subkey)
  • gpg --export-secret-keys also accepts the fingerprint of the global key (in this case, it exports all subkeys). However, openpgp2ssh only accepts the fingerprint of an RSA key
  • If no arguments are provided, openpgp2ssh exports the RSA keys it finds

You can now extract the SSH public key using:

ssh-keygen -y -f id_rsa >

GnuPG to OpenSSL

We have already seen all the steps. Extract the key as for SSH:

  gpg --list-secret-keys --keyid-format short
  gpg --export-secret-keys 01234567 | openpgp2ssh 01234567 >

You can convert this key to PEM format:

 openssl rsa -in myid.key -out myid.pem

You can create a certification request:

openssl req -new -key myid.key -out myid.csr

You can create a self-signed certificate:

openssl x509 -req -days 3650 -in myid.csr -signkey myid.key -out myid.crt


The gpgsm utility can export keys and certificates in PKCS12:

gpgsm -o  secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX

You have to extract the key and the certificates separately:

openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem
openssl pkcs12 -in secret-gpg-key.p12 -nokeys -out gpg-certs.pem

You can now use it in OpenSSL.

You can also do a similar thing with GnuPG public keys. The output will contain only certificates.


To invert the process:

openssl pkcs12 -export -in gpg-certs.pem -inkey gpg-key.pem -out gpg-key.p12
gpgsm --import gpg-key.p12


Now, chain the processes:

 gpgsm -o  secret-gpg-key.p12 --export-secret-key-p12 0xXXXXXXXX
 openssl pkcs12 -in secret-gpg-key.p12 -nocerts -out gpg-key.pem

We need to protect the key, otherwise ssh refuses it.

 chmod 600 gpg-key.pem
 cp gpg-key.pem ~/.ssh/id_rsa
 ssh-keygen -y -f gpg-key.pem > ~/.ssh/
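
Added example, not part of the original page: the openssl commands in the OpenSSH to OpenSSL section read PEM-encoded private keys, while ssh-keygen has written its own "OPENSSH PRIVATE KEY" container by default since OpenSSH 7.8, and ssh rejects a key file that group or others can access (the chmod 600 step above). This sh script checks both points before a key is converted or copied; the function names are made up for the example.

```shell
#!/bin/sh
# Added example: pre-flight check for a private key file before running the
# openssl / ssh commands on this page. Function names are hypothetical.

# Print the container format, judged by the first private-key PEM header.
# Searching (rather than reading line 1) skips the "Bag Attributes" preamble
# that `openssl pkcs12 -nocerts` writes in front of the key.
key_container() {
    header=$(sed -n '/^-----BEGIN .*PRIVATE KEY-----$/{p;q;}' "$1")
    case $header in
        '-----BEGIN OPENSSH PRIVATE KEY-----')   echo openssh ;;
        '-----BEGIN RSA PRIVATE KEY-----')       echo pem-rsa ;;
        '-----BEGIN DSA PRIVATE KEY-----')       echo pem-dsa ;;
        '-----BEGIN EC PRIVATE KEY-----')        echo pem-ec ;;
        '-----BEGIN PRIVATE KEY-----')           echo pkcs8 ;;
        '-----BEGIN ENCRYPTED PRIVATE KEY-----') echo pkcs8-encrypted ;;
        *)                                       echo unknown ;;
    esac
}

# Succeed only if group and other have no permission bits (e.g. mode 600).
key_mode_ok() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Report what has to happen before the key can be used; return 0 if nothing.
key_preflight() {
    rc=0
    fmt=$(key_container "$1")
    case $fmt in
        openssh) # ssh-keygen -p rewrites the file in place, so use a copy
                 echo "$1: OpenSSH container; on a copy run: ssh-keygen -p -m PEM -f COPY"
                 rc=1 ;;
        unknown) echo "$1: no private key PEM header found"; rc=1 ;;
        *)       echo "$1: $fmt, readable by openssl" ;;
    esac
    if ! key_mode_ok "$1"; then
        echo "$1: accessible to group/other; run: chmod 600 $1"
        rc=1
    fi
    return $rc
}

# Usage: sh key-preflight.sh ~/.ssh/id_rsa  (runs only when a file is given)
if [ $# -gt 0 ]; then key_preflight "$1"; fi
```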


First, we need to create a (self-signed) certificate for our SSH key:

openssl req -new -x509 -key ~/.ssh/id_rsa -out ssh-cert.pem

We can now import it into GnuPG:

openssl pkcs12 -export -in ssh-cert.pem -inkey ~/.ssh/id_rsa -out ssh-key.p12
gpgsm --import ssh-key.p12

Note that you cannot import/export DSA SSH keys to/from GnuPG.