Bootstrap FreeKB - SSH - Create a public / private key pair using the ssh-keygen command


The ssh-keygen command creates a public / private key pair. The key pair is used to authenticate to an SSH server. By default, an RSA key pair is created.

~]# ssh-keygen
Generating public/private rsa key pair.


Or, the following one liner can be used so that you are not prompted for input.

  • -t (type) such as rsa or dsa or ed25519
  • -b (bits) such as 1024 or 2048 or 4096 (ignored for ed25519, which has a fixed key size)
  • -N '' (empty passphrase, so the private key is stored unencrypted)
  • -C (comment)
  • -f (key file) such as /home/john.doe/.ssh/id_rsa
  • <<< n is a bash here-string that answers "n" to the overwrite prompt, so an existing id_rsa and id_rsa.pub are not overwritten
  • >/dev/null 2>&1 suppresses output (stdout first, then stderr sent to the same place; the reverse order, 2>&1 >/dev/null, would still print stderr to the terminal)
ssh-keygen -t rsa -b 4096 -N '' -C "$(whoami)@$(hostname)" -f "$HOME/.ssh/id_rsa" >/dev/null 2>&1 <<< n


If you do not include the -m PEM option, line 1 of the private key file (id_rsa) will contain the following (the OpenSSH native key format, the default since OpenSSH 7.8).

-----BEGIN OPENSSH PRIVATE KEY-----


If you include the -m PEM option, line 1 of the private key file will contain the following (the legacy PEM format, which some older tools and libraries still require).

-----BEGIN RSA PRIVATE KEY-----



If the private key already exists, such as id_rsa, you can regenerate the public key from the private key with the -y option, like this.

ssh-keygen -y -f /home/john.doe/.ssh/id_rsa > /home/john.doe/.ssh/id_rsa.pub


It is always recommended to secure the key pair with a strong, unique passphrase; the interactive ssh-keygen run prompts for one.

Created directory '/home/john.doe/.ssh'.
Enter passphrase (empty for no passphrase):


The public key and private key are created.

Your identification has been saved in /root/.ssh/id_rsa.
Your public key has been saved in /root/.ssh/id_rsa.pub.
The key fingerprint is:
a6:4e:fd:17:67:69:19:b5:22:0a:16:53:cf:47:b3:b3 root@server1
The key's randomart image is:
+--[ RSA 2048]----+
|        ..   o   |
|       o  o . o .|
|        o  o + ..|
|       o   ...+. |
|      . S . .E.+ |
|       + .  . *  |
|      o .    =   |
|     o   .  .    |
|      .   ..     |
+-----------------+


Configure the .ssh directory so that only the directory owner (john.doe in this example) has read/write/execute permission, and configure the public/private key pair so that only the owner has read/write permission. ssh refuses to use a private key that is readable by group or others.

chmod 700 /home/john.doe/.ssh
chmod 600 /home/john.doe/.ssh/id_rsa
chmod 600 /home/john.doe/.ssh/id_rsa.pub
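The following is an added example, not code from the article: a small Python audit that checks a .ssh directory against the chmod 700 / chmod 600 values above and applies them where they are missing. The function names (audit_ssh_dir, fix_ssh_dir, demo) are hypothetical, and demo() works on placeholder files in a temporary directory rather than on real keys.

```python
import os
import stat
import tempfile

# Added example (not from the article): audit the .ssh layout against the
# chmod 700 / chmod 600 values given above. ssh itself ignores a private key
# that is readable by group or others ("UNPROTECTED PRIVATE KEY FILE!"), so a
# loose mode silently breaks key authentication.

def _mode(path: str) -> int:
    """Permission bits only (e.g. 0o600), without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)

def audit_ssh_dir(ssh_dir: str, private_key: str = "id_rsa") -> list:
    """Return a list of findings; an empty list means the layout matches the article."""
    findings = []
    if not os.path.isdir(ssh_dir):
        return [f"{ssh_dir}: directory missing"]
    if _mode(ssh_dir) & 0o077:
        findings.append(f"{ssh_dir}: mode {oct(_mode(ssh_dir))}, expected 0o700")
    for name in (private_key, private_key + ".pub"):
        path = os.path.join(ssh_dir, name)
        if not os.path.isfile(path):
            findings.append(f"{path}: file missing")
            continue
        if _mode(path) & 0o077:
            findings.append(f"{path}: mode {oct(_mode(path))}, expected 0o600")
    return findings

def fix_ssh_dir(ssh_dir: str, private_key: str = "id_rsa") -> None:
    """Apply the same modes the article's chmod lines apply."""
    os.chmod(ssh_dir, 0o700)
    for name in (private_key, private_key + ".pub"):
        path = os.path.join(ssh_dir, name)
        if os.path.isfile(path):
            os.chmod(path, 0o600)

def demo() -> tuple:
    """Constructed scenario: placeholder files (not real keys) created with
    loose permissions in a temporary directory, audited, fixed, re-audited."""
    with tempfile.TemporaryDirectory() as tmp:
        ssh_dir = os.path.join(tmp, ".ssh")
        os.mkdir(ssh_dir)
        os.chmod(ssh_dir, 0o755)            # world-readable directory
        for name in ("id_rsa", "id_rsa.pub"):
            path = os.path.join(ssh_dir, name)
            with open(path, "w") as fh:
                fh.write("placeholder, not a real key\n")
            os.chmod(path, 0o644)           # group/other readable
        before = audit_ssh_dir(ssh_dir)
        fix_ssh_dir(ssh_dir)
        after = audit_ssh_dir(ssh_dir)
    return before, after

if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after :", after)
```

Run it with a real path (audit_ssh_dir("/home/john.doe/.ssh")) to check an existing account; the audit only reads, fix_ssh_dir is the part that changes modes.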


Optionally, use the ssh-add command to load your private key into the ssh-agent, so that the passphrase is entered once per session rather than on every connection.

eval "$(ssh-agent -s)"
ssh-add /home/john.doe/.ssh/id_rsa


The content of id_rsa.pub will be a single line like this (shown here with a line break).

ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAqphOmkv0RPMn48EwCRED/eSSYsbyrRlxymWdEA/
K6w== john.doe@client
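As an added example, not from the article, the Python below shows what the base64 part of that line actually encodes and how a key fingerprint (such as the a6:4e:... value printed by ssh-keygen above) is derived from it. It builds a syntactically valid ssh-rsa line from constructed sample numbers (not a real key pair), parses it back, and computes both the older MD5 colon-separated fingerprint and the SHA256: form that current OpenSSH prints. The function names and the SAMPLE_E / SAMPLE_N values are this example's own.

```python
import base64
import hashlib
import struct

# Added example (not from the article): build and parse the single line stored
# in id_rsa.pub. The base64 blob is the SSH wire encoding of the key
# (RFC 4253 section 6.6): string "ssh-rsa", mpint e, mpint n. Fingerprints are
# hashes of that blob: the older a6:4e:... form is MD5 as hex pairs joined by
# colons; newer OpenSSH prints "SHA256:" plus unpadded base64 of SHA-256.

# Constructed sample values, NOT a real key pair: used only to produce a
# syntactically valid ssh-rsa line for the demo (512-bit modulus).
SAMPLE_E = 65537
SAMPLE_N = int("C0FFEE" + "0123456789ABCDEF" * 7 + "0123456789", 16)

def _string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def _mpint(value: int) -> bytes:
    """RFC 4251 'mpint': big-endian two's complement in the shortest form; a
    leading 0x00 is added when the top bit is set so the value stays positive."""
    if value == 0:
        return _string(b"")
    return _string(value.to_bytes((value.bit_length() + 8) // 8, "big"))

def _read_string(blob: bytes, offset: int):
    """Read one RFC 4251 string at offset; return (bytes, new_offset)."""
    if offset + 4 > len(blob):
        raise ValueError("truncated length field in public key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    end = offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated field in public key blob")
    return blob[offset + 4:end], end

def build_rsa_public_key_line(e: int, n: int, comment: str) -> str:
    """Produce the id_rsa.pub line format: '<type> <base64 blob> <comment>'."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    return f"ssh-rsa {base64.b64encode(blob).decode('ascii')} {comment}"

def md5_fingerprint(blob: bytes) -> str:
    digest = hashlib.md5(blob).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def sha256_fingerprint(blob: bytes) -> str:
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")

def parse_public_key_line(line: str) -> dict:
    """Decode an ssh-rsa line from id_rsa.pub or authorized_keys and return
    its components plus both fingerprint forms."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    inner_type, off = _read_string(blob, 0)
    if inner_type != key_type.encode("ascii"):
        raise ValueError("key type inside the blob does not match the prefix")
    if key_type != "ssh-rsa":
        raise ValueError("this example decodes ssh-rsa keys only")
    e_bytes, off = _read_string(blob, off)
    n_bytes, off = _read_string(blob, off)
    if off != len(blob):
        raise ValueError("trailing bytes after the modulus")
    n = int.from_bytes(n_bytes, "big")
    return {
        "type": key_type,
        "e": int.from_bytes(e_bytes, "big"),
        "n": n,
        "bits": n.bit_length(),
        "comment": comment,
        "fingerprint_md5": md5_fingerprint(blob),
        "fingerprint_sha256": sha256_fingerprint(blob),
    }

def demo() -> dict:
    """Round trip the constructed sample through the encoder and the parser."""
    line = build_rsa_public_key_line(SAMPLE_E, SAMPLE_N, "john.doe@client")
    return parse_public_key_line(line)

if __name__ == "__main__":
    key = demo()
    print(f"{key['type']} {key['bits']} bits, comment {key['comment']!r}")
    print("MD5    ", key["fingerprint_md5"])
    print("SHA256 ", key["fingerprint_sha256"])
```

Feeding a real id_rsa.pub line to parse_public_key_line() gives the same fingerprints that ssh-keygen -l -E md5 and ssh-keygen -l print for that file, which is a convenient way to confirm that the key you are about to paste into authorized_keys is the one you generated.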


If your SSH server is OpenSSH, you can add the public key to the authorized_keys file on the OpenSSH server. If the OpenSSH server is configured to accept public key authentication, you should be able to connect to the OpenSSH server with the key pair you just created.

