SSH - Create a public / private key pair using the ssh-keygen command

The ssh-keygen command is used to create a public / private key pair (a public key, not a certificate). The key pair is intended to be used for authenticating to an SSH server. In the output below an RSA key pair is created, which was the default key type in older OpenSSH releases; OpenSSH 9.5 and later default to Ed25519, so pass -t rsa explicitly if you need RSA.

~]# ssh-keygen
Generating public/private rsa key pair.


Or, the following command line options can be used so that you are not prompted for input.

  • -t (type) such as rsa, ecdsa or ed25519 (dsa is deprecated and should not be used)
  • -N '' (new passphrase; an empty string means no passphrase)
  • -C '' (comment; an empty string means no comment, otherwise the default comment is user@host)
  • -f (key file) such as /home/john.doe/.ssh/id_rsa; the public key is written to the same path with .pub appended (id_rsa.pub)
  • <<< n feeds "n" to the Overwrite (y/n)? prompt so that an existing id_rsa and id_rsa.pub are not overwritten (a bash here-string; in a POSIX shell use printf 'n\n' | ssh-keygen ... instead)
  • >/dev/null 2>&1 suppresses all output (the order matters: 2>&1 >/dev/null sends only stdout to /dev/null and leaves stderr on the terminal); -q also suppresses the banner and randomart
ssh-keygen -t rsa -N '' -C '' -f /home/john.doe/.ssh/id_rsa <<< n >/dev/null 2>&1


If you do not include the -m PEM option, line 1 of the private key file (id_rsa) will contain the following (OpenSSH 7.8 and later write this format by default).

-----BEGIN OPENSSH PRIVATE KEY-----


If you include the -m PEM option, line 1 of the private key file will contain the following. Only use -m PEM when the key has to be consumed by a tool that cannot read the OpenSSH format; the OpenSSH format protects a passphrase-encrypted key with a stronger key derivation function (bcrypt KDF) than the legacy PEM format.

-----BEGIN RSA PRIVATE KEY-----

If the private key already exists, such as id_rsa, you can regenerate the public key from the private key with -y, like this. This is also a useful check that a .pub file really belongs to a given private key: the output of -y must match the key material in the .pub file.

ssh-keygen -y -f /home/john.doe/.ssh/id_rsa > /home/john.doe/.ssh/id_rsa.pub


When prompted, enter a strong, unique passphrase to protect the private key. A key with no passphrase (-N '') should only be used for unattended automation where the private key file itself is protected and the key is restricted on the server side. ssh-keygen creates the .ssh directory if it does not exist and then prompts for the passphrase.

Created directory '/home/john.doe/.ssh'.
Enter passphrase (empty for no passphrase):


The public key and private key are created.

Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
a6:4e:fd:17:67:69:19:b5:22:0a:16:53:cf:47:b3:b3 root@server1
The key's randomart image is:
+--[ RSA 2048]----+
|        ..   o   |
|       o  o . o .|
|        o  o + ..|
|       o   ...+. |
|      . S . .E.+ |
|       + .  . *  |
|      o .    =   |
|     o   .  .    |
|      .   ..     |


Configure the .ssh directory so that only the directory owner (john.doe in this example) has read/write/execute permission, and configure the private key so that only the owner has read/write permission. The ssh client refuses to use a private key that is readable by other users. The public key contains no secret, so the 644 permission ssh-keygen gives id_rsa.pub is fine; 600 also works.

chmod 700 /home/john.doe/.ssh
chmod 600 /home/john.doe/.ssh/id_rsa
chmod 600 /home/john.doe/.ssh/id_rsa.pub


Optionally, start ssh-agent and use the ssh-add command to load your identity into the agent, so that the passphrase is entered once per session rather than on every connection. The decrypted key then lives in the agent process for the life of the session, so lock or kill the agent on shared hosts when you are done.

eval $(ssh-agent -s)
ssh-add /home/john.doe/.ssh/id_rsa


The content of id_rsa.pub will be something like this (a single line; the line break below is only for display).

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqphOmkv0RPMn48EwCRED/eSSYsbyrRlxymWdEA/
K6w== john.doe@client


If your SSH server is OpenSSH, add the public key (the one line from id_rsa.pub) to the ~/.ssh/authorized_keys file of the target user on the OpenSSH server. If the OpenSSH server is configured to accept public key authentication (PubkeyAuthentication yes, which is the default), you should be able to connect to the OpenSSH server with the key pair you just created, for example ssh -i /home/john.doe/.ssh/id_rsa john.doe@server1. Note that sshd, with its default StrictModes yes, ignores authorized_keys if the user's home directory, ~/.ssh or authorized_keys is writable by other users, so apply the same 700 / 600 permissions on the server side.
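The whole procedure above (non-interactive generation that refuses to overwrite an existing key, checking the private key header, deriving the public key with -y and comparing it with the .pub file, locking down permissions, and adding the key to authorized_keys once) as one POSIX shell script. This is an added example and not code from the original page. It assumes ssh-keygen from OpenSSH is on the PATH, uses a temporary directory instead of /home/john.doe/.ssh, a 4096-bit RSA key, and a constructed comment; it feeds "n" to the overwrite prompt with printf rather than the bash-only <<< n so it runs under plain sh.

```shell
#!/bin/sh
# Added example: non-interactive SSH key pair creation with the checks a
# practitioner wants. Paths, key size and comment are assumptions.
set -eu

# generate_keypair DIR NAME: create DIR/NAME and DIR/NAME.pub without prompts.
# An existing key is never overwritten: "n" is fed to the Overwrite (y/n)?
# prompt on stdin (POSIX equivalent of the bash here-string <<< n).
generate_keypair() {
    dir=$1; name=$2
    mkdir -p "$dir"
    chmod 700 "$dir"
    # -q: no banner/randomart; -N '': empty passphrase (automation only);
    # -C: comment stored in the .pub file; output is discarded with the
    # redirections in the correct order (stdout first, then stderr into it).
    if ! printf 'n\n' | ssh-keygen -q -t rsa -b 4096 -N '' \
            -C 'automation@client' -f "$dir/$name" >/dev/null 2>&1; then
        # ssh-keygen exits non-zero when we decline to overwrite; that is
        # fine as long as the existing key is in place. Any other failure
        # leaves no private key behind and is reported.
        [ -f "$dir/$name" ] || return 1
    fi
    [ -f "$dir/$name.pub" ]
}

# private_key_format FILE: print line 1 of the private key, which tells you
# whether it is in the OpenSSH format or the legacy PEM (-m PEM) format.
private_key_format() {
    head -n 1 "$1"
}

# public_keys_match PRIV: regenerate the public key from the private key with
# ssh-keygen -y and compare the type and key material (fields 1 and 2; the
# comment is ignored because -y omits it for PEM keys) with PRIV.pub.
public_keys_match() {
    derived=$(ssh-keygen -y -f "$1" | cut -d' ' -f1-2)
    stored=$(cut -d' ' -f1-2 < "$1.pub")
    [ "$derived" = "$stored" ]
}

# lock_down DIR NAME: owner-only directory and private key; the public key
# holds no secret, so the 644 that ssh-keygen gives it is kept.
lock_down() {
    chmod 700 "$1"
    chmod 600 "$1/$2"
    chmod 644 "$1/$2.pub"
}

# mode_of FILE: octal permission bits; GNU stat first, BSD/macOS stat fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# authorize_key PUB AUTH_FILE: append the public key to an authorized_keys
# file exactly once, with the permissions sshd's StrictModes expects.
authorize_key() {
    pub=$1; auth=$2
    authdir=$(dirname "$auth")
    mkdir -p "$authdir"
    chmod 700 "$authdir"
    touch "$auth"
    chmod 600 "$auth"
    key=$(cut -d' ' -f1-2 < "$pub")
    grep -qF "$key" "$auth" || cat "$pub" >> "$auth"
}

# Stand-alone run: generate into a scratch directory, verify, then clean up.
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    generate_keypair "$work" id_rsa
    echo "private key header: $(private_key_format "$work/id_rsa")"
    public_keys_match "$work/id_rsa" && echo "id_rsa.pub matches id_rsa"
    lock_down "$work" id_rsa
    echo ".ssh mode $(mode_of "$work"), id_rsa mode $(mode_of "$work/id_rsa")"
    authorize_key "$work/id_rsa.pub" "$work/server/authorized_keys"
    echo "authorized_keys lines: $(wc -l < "$work/server/authorized_keys")"
    rm -rf "$work"
fi
```

Run it as sh keygen.sh run. Calling generate_keypair a second time with the same directory leaves the existing key untouched, which is the behaviour the <<< n idiom on the page is meant to give you; check the key material in id_rsa.pub before and after to confirm it.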

