Ah well. I tried to help.

> which is .exe only on Windows

The OP said he was on Win 2K8.

Charles

-----Original Message-----
From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org] On Behalf Of Dave Thompson
Sent: Friday, August 31, 2012 3:58 PM
To: openssl-users@openssl.org
Subject: RE: Creating a SSH Key pair - public and private for my Windows 2008 server app so it can communicate with a partner sftp site

> From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
> Sent: Friday, 31 August, 2012 12:39
> To: openssl-users@openssl.org
> Subject: RE: Creating a SSH Key pair - public and private for my
> Windows 2008 server app so it can communicate with a partner sftp site
>
> You can do this with the openssl.exe utility.
>
> I am less than an expert but the doc is here:
> http://www.openssl.org/docs/apps/openssl.html
>
> Take a look at openssl.exe req -newkey
>

Not really. req -newkey creates a keypair AND a CSR. A CSR is useless for SSH which uses no certificates.

openssl commandline (which is .exe only on Windows) can generate a keypair with the traditional per-algorithm utilities like genrsa and gendsa (or dsaparam -genkey), or since 1.0.0 with the generic (and extensible) genpkey. But in both cases it creates files in OpenSSL-supported formats which may not be suitable for SSH software.

In particular, the common OpenSSH implementation uses OpenSSL format for privatekey, but for publickey uses a format (basically base64 of several bignums) which OpenSSL doesn't know. The OpenSSH ssh-keygen utility can create this publickey format, or an RFC interchange format with PEM wrapper, from the OpenSSL privatekey, but ssh-keygen can also generate the keypair in the first place avoiding any explicit use of OpenSSL.

Other SSH software I've seen usually doesn't use OpenSSL formats for either key. Usually it's best to use the keygen features of the SSH program(s). If that isn't available, but some kind of key-import is, we need to know exactly what format(s) that key-import accepts.

Or on Windows possibly it uses the MS keystore, in which case the MS utilities (inetcpl and friends) can read PKCS12 (aka PFX) which OpenSSL commandline can create (in a second step).

But OP still needs to send his publickey in a format the partner accepts, and I've never seen any SSH software that accepts OpenSSL format publickey. They commonly do accept the traditional and/or RFC format, which could be created with about a page of C or somewhat less perl; I recall someone posted code for that in the list a few years ago, if you want to search for it.
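
Added example, not part of the original thread and not the code recalled above: a Python sketch of the two public key encodings the message mentions for an RSA key, the one-line OpenSSH form ("base64 of several bignums") and the RFC 4716 interchange form. It assumes the public exponent e and modulus n have already been read from the OpenSSL private key; the function names and the sample modulus are constructed for illustration.

```python
import base64
import struct

# Constructed toy modulus (product of two Mersenne primes), far too small for
# real use; it only stands in for the n of a real RSA key.
SAMPLE_N = (2**127 - 1) * (2**89 - 1)
SAMPLE_E = 65537


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ssh_mpint(value: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer."""
    if value < 0:
        raise ValueError("RSA public values are never negative")
    if value == 0:
        return ssh_string(b"")
    # Two's complement: if the top bit of the first byte would be set, one
    # extra leading 0x00 byte keeps the number positive.
    return ssh_string(value.to_bytes(value.bit_length() // 8 + 1, "big"))


def rsa_public_blob(e: int, n: int) -> bytes:
    """Binary key blob: key type name, then e, then n."""
    return ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)


def openssh_line(e: int, n: int, comment: str = "") -> str:
    """One-line form used in authorized_keys and id_rsa.pub."""
    b64 = base64.b64encode(rsa_public_blob(e, n)).decode("ascii")
    return f"ssh-rsa {b64} {comment}".rstrip()


def rfc4716_block(e: int, n: int, comment: str = "") -> str:
    """RFC 4716 interchange form: marker lines around wrapped base64."""
    b64 = base64.b64encode(rsa_public_blob(e, n)).decode("ascii")
    lines = ["---- BEGIN SSH2 PUBLIC KEY ----"]
    if comment:
        lines.append(f'Comment: "{comment}"')
    lines += [b64[i:i + 70] for i in range(0, len(b64), 70)]
    lines.append("---- END SSH2 PUBLIC KEY ----")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(openssh_line(SAMPLE_E, SAMPLE_N, "constructed-example"))
    print(rfc4716_block(SAMPLE_E, SAMPLE_N, "constructed-example"), end="")
```

Only the public values are encoded here; the private key file is never touched by this conversion and should not be sent to the partner.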