SSH - Create a public / private key pair using the ssh-keygen command


The ssh-keygen command is used to create a public / private key pair. The key pair is intended to be used for making a connection to an SSH server. By default, an RSA key pair will be created, as in the output below (OpenSSH 9.5 and later generate Ed25519 by default).

~]# ssh-keygen
Generating public/private rsa key pair.

 

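Or, the following one-liner can be used so that you are not prompted for input.

  • -t (type) such as rsa or dsa or ed25519 (dsa is deprecated in current OpenSSH releases)
  • -b (bits) such as 1024 or 2048 or 4096 (1024-bit RSA is no longer considered adequate)
  • -N (new passphrase); '' sets an empty passphrase, so the private key is stored unencrypted
  • -C (comment)
  • -f (key file) such as /home/john.doe/.ssh/id_rsa
  • <<< id_rsa.pub answers the overwrite prompt with something other than y, so id_rsa and id_rsa.pub are not overwritten if they already exist
  • 2>&1 >/dev/null discards standard output; error messages still reach the terminal
ssh-keygen -t rsa -b 4096 -N '' -C "$(whoami)@$(hostname)" -f "$HOME/.ssh/id_rsa" <<< id_rsa.pub 2>&1 >/dev/null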

 

If you do not include the -m PEM option, line 1 of the private key file (id_rsa) will contain the following.

-----BEGIN OPENSSH PRIVATE KEY-----

 

If you include the -m PEM option, line 1 of the private key file will contain the following.

-----BEGIN RSA PRIVATE KEY-----

 

If the private key already exists, such as id_rsa, you can create the public key from the private key, like this.

ssh-keygen -y -f /home/john.doe/.ssh/id_rsa > /home/john.doe/.ssh/id_rsa.pub

 

It is always recommended to secure the keypair with a strong, unique passphrase.

Created directory '/home/john.doe/.ssh'.
Enter passphrase (empty for no passphrase):

 

The public key and private key are created.

Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
a6:4e:fd:17:67:69:19:b5:22:0a:16:53:cf:47:b3:b3 root@server1
The key's randomart image is:
+--[ RSA 2048]----+
|        ..   o   |
|       o  o . o .|
|        o  o + ..|
|       o   ...+. |
|      . S . .E.+ |
|       + .  . *  |
|      o .    =   |
|     o   .  .    |
|      .   ..     |
+-----------------+

 

Configure the .ssh directory so that only the directory owner (john.doe in this example) has read/write/execute permission, and configure the public/private key pair so that only the owner has read/write permission.

chmod 700 /home/john.doe/.ssh
chmod 600 /home/john.doe/.ssh/id_rsa
chmod 600 /home/john.doe/.ssh/id_rsa.pub
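
An added example (not from the original article) that checks a private key against the points above: owner-only permissions on the key and its directory, which header is on line 1, and whether a passphrase is set. The function name audit_key and its output format are assumptions; passphrase detection reads the key file's own header fields (the cipher name in the OpenSSH format, Proc-Type in the PEM format) instead of calling ssh-keygen.

```shell
#!/bin/sh
# audit_key FILE  (hypothetical helper, not part of OpenSSH)
# Prints "dir=<ok|open> key=<ok|open> format=<openssh|pem|unknown> passphrase=<set|none|unknown>"
# and returns 1 if anything differs from: owner-only permissions, passphrase set.
# Example call: audit_key "$HOME/.ssh/id_rsa"
audit_key() {
    key=$1
    rc=0

    # In the "ls -ld" mode string, characters 5-10 are the group and other
    # bits; after chmod 700 / chmod 600 they are all "-".
    dirperm=ok
    keyperm=ok
    [ "$(ls -ld "$(dirname "$key")" | cut -c5-10)" = "------" ] || { dirperm=open; rc=1; }
    [ "$(ls -ld "$key" | cut -c5-10)" = "------" ] || { keyperm=open; rc=1; }

    line1=$(sed -n 1p "$key")
    line2=$(sed -n 2p "$key")
    case $line1 in
        "-----BEGIN OPENSSH PRIVATE KEY-----")
            format=openssh
            # The base64 body encodes "openssh-key-v1\0" followed by the
            # cipher name; this prefix is what cipher "none" encodes to.
            case $line2 in
                b3BlbnNzaC1rZXktdjEAAAAABG5vbmU*) pass=none ;;
                *) pass=set ;;
            esac ;;
        "-----BEGIN RSA PRIVATE KEY-----")
            format=pem
            # Encrypted legacy PEM keys carry this header on line 2.
            case $line2 in
                "Proc-Type: 4,ENCRYPTED"*) pass=set ;;
                *) pass=none ;;
            esac ;;
        *)
            format=unknown
            pass=unknown ;;
    esac
    [ "$pass" = set ] || rc=1

    echo "dir=$dirperm key=$keyperm format=$format passphrase=$pass"
    return $rc
}
```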

 

Optionally, use the ssh-add command to store your identity in the keychain.

eval `ssh-agent -s`
ssh-add /home/john.doe/.ssh/id_rsa

 

The content of id_rsa.pub will be something like this (without the line breaks).

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqphOmkv0RPMn48EwCRED/eSSYsbyrRlxymWdEA/
rYuq4eqZAVzTYxJxnTuCTLnrr5hvVMYstcEnwFB+uXZut8UoCtOlrqA7gyy0EjdRh1qay1YXIbB
QZxpHDmAy9D3aSDoa5sVwrC1GQzNN4nH58pGnoGF+Df/A76LlZeBfmO1hP/a7hLIf8L+2o4LfKM
NBvqf37tlYDOKUA+mU+XSCmBbMk3/4UgYxuQ3HdE8w5RhFZf9Mbvb5GqubCy7N8zp6v/hRRfT0j
pWqR8kr2qauQttd9+q1n5pKCCjUO+/+jeLDdhtJ7Pls8O7motxJoNsqxKof1lJKvtt44VxYpdoY
K6w== john.doe@client

 

If your SSH server is OpenSSH, you can add the public key to the authorized_keys file on the OpenSSH server. If the OpenSSH server is configured to accept connections using a public / private key pair, you should be able to connect to the OpenSSH server with the public / private key pair you just created.

 



