Reputation: 517
I'm writing a tool to create new Amazon Web Services servers, using the AWS Java API. When you create a server, you have to specify which SSH keypair to use out of the public keys AWS has stored with your account. You can generate the keypair yourself and import the public key, or you can have AWS generate the keypair and you download the private key.
I'm trying to generate the keypair myself, import the public key into AWS, start the new server using the newly registered keypair entry and save the private key locally. I then want to use Putty to ssh into my new server, using the private key, possibly passing it through Puttygen first to convert it.
So far, I have got as far as generating my keypair, successfully importing the public key into AWS and starting a new server. However, I can't for the life of me seem to be able to export the private key in any format Putty or Puttygen will accept.
Here's my code to generate the keypair and save the private key:
SecureRandom random = SecureRandom.getInstance("SHA1PRNG", "SUN");
random.nextBytes(new byte[]{}); //toss out the first result to ensure it seeds randomly from the system.
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(KEY_LENGTH, random);
KeyPair keyPair = keyGen.genKeyPair();
BASE64Encoder encoder = new BASE64Encoder();
FileOutputStream out = null;
File keyPath = new File(_keyStorageDir, "private.pem");
out = new FileOutputStream(keyPath);
if(out != null)
However, when I try to import the key in PuttyGen, I get "Couldn't load key (not a private key)". If I try adding -----BEGIN PRIVATE KEY----- and its corresponding footer I get "Couldn't load private key (unrecognised key type). If I try RSA PRIVATE KEY I get "Couldn't load private key (ASN.1 decoding failure)".
Calling keyPair.getPrivate().getFormat()
yields "PKCS#8". While I've found references to converting from that format to pem format using OpenSSL tools, I haven't found anything on how to actually do it myself in Java.
How can I export the key in pem format so that Puttygen can read it?
Upvotes: 4
Views: 5282
Reputation: 39000
Not needed now but FYI or anyone else, Puttygen imports either:
the formats used by OpenSSH (always until recently, and still by default) which are the original aka 'legacy' formats defined by OpenSSL before it implemented PKCS#8 -- for RSA this is PKCS#1 which is equivalent to part of PKCS#8;
or the format used by 'commercial' SSH.COM which is wholly unlike PKCS#8.
Thus you could
get PKCS#8 from RSAPrivateKey.getEncoded()
, parse the bytes of PKCS#8 to get the PKCS#1 part, and base64/PEMify that. This is effectively what the recommendations you may have found to use openssl rsa -in pkcs8 -out rsa
But the approach you found (with Bouncy) is easier. And would be more so for DSA or ECDSA if you wanted to use those (preferably only with Java 8+ which supports DSA sizes over 1024 consistent with 186-3 and current good practice).
Upvotes: 1
Reputation: 517
The trick is to use Bouncycastle's pem handling classes. Here's a working demo:
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
public class Main
public static final int KEY_LENGTH = 2048;
public static void main(String[] args) throws Exception
SecureRandom random = SecureRandom.getInstance("SHA1PRNG", "SUN");
random.nextBytes(new byte[]{}); //toss out the first result to ensure it seeds randomly from the system.
KeyPairGenerator keyGen = KeyPairGenerator.getInstance("RSA");
keyGen.initialize(KEY_LENGTH, random); keyPair = keyGen.genKeyPair();
System.out.println("public format: " + keyPair.getPublic().getFormat());
System.out.println("public algorithm: " + keyPair.getPublic().getAlgorithm());
System.out.println("private format: " + keyPair.getPrivate().getFormat());
System.out.println("private algorithm: " + keyPair.getPrivate().getAlgorithm());
JcaPEMWriter writer = null;
File keyDir = new File("C:/misc/test_key");
writer = new JcaPEMWriter(new FileWriter(new File(keyDir, "private_bc.pem")));
if(writer != null)
Puttygen opens the resulting private key without complaint!
Upvotes: 2