1. Overview

In this tutorial, we’ll look at the steps to generate a public key from an existing private key. Specifically, we’ll showcase two different command-line tools for generating the associated public key from a private key.

2. Generate a Public Key from a Private Key Using ssh-keygen

2.1. Installing ssh-keygen

To obtain the ssh-keygen program, we’ll install the openssh-client with our package manager.

For example, in Ubuntu Linux, we perform the installation using apt-get install:

$ sudo apt-get update -qq
$ sudo apt-get install -y openssh-client

2.2. Extracting the Public Key Using ssh-keygen

We can invoke the ssh-keygen command on our private key, followed by the -y option to generate the associated public key:

$ ssh-keygen -f rsa.pem -y
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+xkWG+Qe6HXgXNRRprik+YFoa80sqoVe...

The command above uses the -f option to specify the path to the private key. Then, we specify the -y option to print the public key to the console.

2.3. Converting  the Public Key to Different Formats

By default, the ssh-keygen generates the public key in the OpenSSH format. We can convert the public key into different formats using the -e and -m options. Specifically, the -e option tells ssh-keygen to display the public key in the format specified by the -m option. The valid formats to which we can convert the public key are rfc4716pkcs8, and pem.

Note that the pem format here refers to the PKCS#1 format instead of the PEM encoding.

Let’s display the public key in RFC4716 format by running the same command followed by -e and -m rfc4716:

$ ssh-keygen -f rsa.pem -y -e -m rfc4716
---- BEGIN SSH2 PUBLIC KEY ----
Comment: "2048-bit RSA, converted by user@922ba453f054 from OpenSSH"
AAAAB3NzaC1yc2EAAAADAQABAAABAQC+xkWG+Qe6HXgXNRRprik+YFoa80sqoVeanP8rr2
DZvGhGwQC950p49KElfqXePICM0Mx1sH7sQTG9XhXYLEM5ZtUYvwWSBUsH1e2qjiodtlSE
gVYJt9hS9EB1jPcdwaVMh1/WOc90ilreJMvyavv0bxPJahCnJlUYocK7UgMKK1dzK62fY0
QqRJuvlntC8mPtLSAAF0BLlU7BK5wcl626iZfVC/mmV2xO7MqT/NrztqnHSdJ9p5G43rVh
mWnjyVRalDHlRgbgQHBRq/nj3L1nd4CByEURfWqMjsjyBVgGw2WPIt1UpaxBW2z2vf5NMj
rfU6PHnV34HtvNQp1vE0G5
---- END SSH2 PUBLIC KEY ----

Similarly, we can display the public key in PKCS#8 or PEM format by specifying the argument pkcs8 and pem, respectively:

$ ssh-keygen -f rsa.pem -y -e -m pkcs8
$ ssh-keygen -f rsa.pem -y -e -m pem

3. Generate a Public Key from a Private Key Using openssl

3.1. Obtaining openssl

By default, openssl comes with most of the Linux distros. To verify that the o**penssl command is present, we can run the openssl version command:

$ openssl version
OpenSSL 1.1.1f  31 Mar 2020

If the command results in a “command not found” error on the console, then we’ll need to build it manually. The step-by-step guide can be found in the official OpenSSL team’s repository on GitHub.

3.2. Getting the Public Key using openssl

To extract the public key of a private key file rsa.pem, we can use the openssl pkey subcommand:

$ openssl pkey -in rsa.pem -pubout
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvsZFhvkHuh14FzUUaa4p
PmBaGvNLKqFXmpz/K69g2bxoRsEAvedKePShJX6l3jyAjNDMdbB+7EExvV4V2CxD
OWbVGL8FkgVLB9Xtqo4qHbZUhIFWCbfYUvRAdYz3HcGlTIdf1jnPdIpa3iTL8mr7
9G8TyWoQpyZVGKHCu1IDCitXcyutn2NEKkSbr5Z7QvJj7S0gABdAS5VOwSucHJet
uomX1Qv5pldsTuzKk/za87apx0nSfaeRuN61YZlp48lUWpQx5UYG4EBwUav549y9
Z3eAgchFEX1qjI7I8gVYBsNljyLdVKWsQVts9r3+TTI631Ojx51d+B7bzUKdbxNB
uQIDAQAB
-----END PUBLIC KEY-----

4. Conclusion

In this article, we’ve looked at how we can generate the public key from a given private key using different command-line tools.

We’ve started by demonstrating the ssh-keygen command, which allows us to also convert the public key into different formats in addition to generating it. Then, we’ve also shown the openssl pkey command for obtaining the public key from the private key.