How to create a public / private key pair using ssh-keygen on Linux

Home > Search > How-to

A trusted certificate is one that is purchased from a trusted certificate authority (CA), such as Internet facing production applications should use a certificate from a trusted CA. For non-production applications, a self-signed certificate can be used.  Applications, such as PuTTY, will complain when a self-signed certificate is used.

Three files will be created:

Type of file Default location
Private Key /root/.ssh/id_rsa
Public Certificate /root/.ssh/
Certificate Authority (CA) /root/.ssh/id_rsa.pem


Public certificate and private key

Use the ssh-keygen -t rsa command to create an RSA public certificate and private key. Use -t dsa to create a DSA public certificate and private key.

When prompted where to save the file, press enter to use the default file name and directory, or type your preferred directory and file name.

[root@server1 ~]# ssh-keygen -t rsa
Generating public/private rsa key pair.
Enter file in which to save the key (/home/jeremy.canfield/.ssh/id_rsa):


It is more secure to enter a passphrase, but adds a layer of complexity when it comes to automation.

Created directory '/root/.ssh'.
Enter passphrase (empty for no passphrase):


The public certificate and private key are created.

Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/
The key fingerprint is:
a6:4e:fd:17:67:69:19:b5:22:0a:16:53:cf:47:b3:b3 root@server1
The key's randomart image is:
+--[ RSA 2048]----+
|        ..   o   |
|       o  o . o .|
|        o  o + ..|
|       o   ...+. |
|      . S . .E.+ |
|       + .  . *  |
|      o .    =   |
|     o   .  .    |
|      .   ..     |


For assurance that the id_rsa file conains the private key, view the content of the id_rsa file.  BEGIN RSA PRIVATE KEY should be displayed.

[root@server1 ~]# cat id_rsa


For assurance that the file contains the public certificate, view the content of the file. ssh-rsa should be displayed.

[root@server1 ~]# cat
ssh-rsa . . .


Certificate Authority (CA)

A certificate authority (CA) file is a file ending in .pem that contains the signed public certificate. The cat command and redirection can be used to create the CA file. Move the the /etc/pki/tls directory, and then create the certificate authority file.

[root@server1 ~]# cd /etc/pki/tls
[root@server1 ~]# cat /etc/pki/tls/certs/example.crt > example.pem


For assurance that the example.pem file contains the public certificate, view the content of the example.pem file. BEGIN CERTIFICATE should be displayed.

[root@server1 ~]# cat example.pem
----------BEGIN CERTIFICATE-----


Openssl can be used to ensure the CA file contains the signature.

[root@server1 ~]# openssl x509 -in /etc/pki/tls/certs/example.pem -text | grep Issuer
Issuer: C=US, ST=Florida, L=Miami, O=Acme Widgets, Inc., OU=Acme Widgets, Inc.,,

Add a Comment

We will never share your name or email with anyone. Enter your email if you would like to be notified when we respond to your comment.

Please enter in the box below so that we can be sure you are a human.