Secure Shell (SSH) Public Key Converter

Introduction

An SSH public key is the shareable half of a keypair. You may see the same key as a one-line OpenSSH entry, an RFC 4716 SSH2 block, or a PEM PUBLIC KEY block from another library or control panel. The wrappers look different, but they can still describe the same public key.

This converter accepts one public key, identifies the source format, reads the algorithm and size, calculates SHA-256 and MD5 fingerprints, and rebuilds equivalent OpenSSH, SSH2, and PEM output. It is most useful when a server expects one representation, a support ticket shows another, and you need a quick identity check before copying the key into a live system.

A common handoff looks like this: one person has ssh-ed25519 AAAA... alice@laptop, another system wants an SSH2 public key file, and a library or API exports only PEM text. The safe question is not whether the text layout changed. It is whether the underlying public key stayed the same, which is what the fingerprint comparison settles.

Processing stays in the browser for this slug. There is no server-side helper, so conversion, hashing, CSV export, DOCX export, and JSON export happen locally. Public keys are not secret in the same way private keys are, but this page still mirrors the pasted key, comment override, and wrap setting into the URL query string, so copied links, browser history, and screenshots can expose operational details.

Technical Details

The key identity check here is built around the SSH public key blob. OpenSSH lines already carry that blob after the key type. SSH2 and PEM inputs must be unwrapped first, and PEM public keys may need to be translated from SubjectPublicKeyInfo or PKCS#1 RSA form back into the SSH structure. Once the page has that canonical SSH blob, it can read the key parameters, calculate fingerprints, and write alternate wrappers without changing the key itself.

One public key
-> normalize to the SSH public key blob
-> read algorithm, size, curve, and comment state
-> hash the blob for SHA-256 and MD5 fingerprints
-> rewrap the same key as OpenSSH, SSH2, and PEM

The current parser is deliberately narrower than the full SSH ecosystem. OpenSSH input must begin with ssh-rsa, ssh-ed25519, or ecdsa-sha2-.... The page also stops after the first detected key and reports the rest as ignored items instead of batching them, which prevents mixed results but means cleanup work should be done one key at a time.

The SSH2 path is stricter than the RFC format as a whole. RFC 4716 defines begin and end markers, wrapped base64 body lines, and RFC822-style headers. This page reads the standard markers, the base64 body, and a quoted Comment: header, but it does not implement general header parsing or multiline header continuations. The wrap control lets you choose 40 to 128 characters for generated SSH2 body lines, with a default of 70. That default stays inside RFC 4716's 72-byte line limit.

Fingerprint output is based on the SSH public key blob, not on wrapper text and not on the comment. That is why a comment override can change the generated OpenSSH line or SSH2 block while the SHA-256 and MD5 values stay the same. The export surfaces are separated by purpose too: metadata can be copied as CSV or exported as DOCX, converted formats and conversion trace can be copied or downloaded as CSV, and the JSON tab bundles the same run into one structured record.

Everyday Use & Decision Guide

Start with the destination, not the extension. If you need something that can go straight into authorized_keys or a cloud access field, the OpenSSH line is usually the right copy target. If another SSH product asks for an SSH2 or RFC 4716 public key file, use the wrapped SSH2 block. If a library, API, or crypto tool expects PEM, use the PUBLIC KEY output.

Read the Key Metadata tab before you copy anything. Detected Source tells you which parser path succeeded. Type, Bits, and Curve confirm that the key family is what you expected. SHA256 Fingerprint is the best field to compare with another system or with ssh-keygen -l, while the MD5 value is mainly there for older interfaces that still show colon-separated MD5 fingerprints.

The comment override is a presentation control, not a key-editing control. It changes the comment field in generated OpenSSH and SSH2 output, but it does not alter the public key bytes or either fingerprint. PEM output does not carry an SSH comment, so a blank comment after PEM input is normal unless you add one for the generated SSH-formatted results.

Paste a single bare key when accuracy matters. If you copied a full authorized_keys line with leading options, remove those options first so the line starts with the key type. If you paste several keys or several blocks at once, the page analyzes only the first detected item and warns about the rest.

Step-by-Step Guide

1. Paste one public key into the text area or load one file. If the source came from authorized_keys, remove any leading options so the line starts with the key type itself.
2. Open the advanced panel only if you need a different comment on generated SSH output or a different line width for the SSH2 block.
3. Check the summary badge and the Key Metadata tab first. Make sure the detected source, type, size, curve, and comment state match what you expected to convert.
4. Compare the SHA-256 fingerprint against another trusted display before you paste the rewritten key anywhere important. Use the MD5 value only when the other system still reports legacy MD5 fingerprints.
5. Move to Converted Formats after the metadata looks right. Copy the OpenSSH line, the SSH2 block, or the PEM PUBLIC KEY text that matches the target system.
6. Use Conversion Trace or JSON when you need evidence for a ticket, review note, or handoff. Clear or replace the input before sharing a link or screenshot if you do not want the current page state in the URL.

Interpreting Results

Detected Source names the parser route that succeeded: OpenSSH, SSH2, or PEM. A PEM result can come from either a generic PUBLIC KEY block or an RSA-specific RSA PUBLIC KEY block, but the output surface still standardizes the PEM export as PUBLIC KEY.

Type, Bits, and Curve describe the public key itself, not its wrapper. For RSA keys the bit count comes from the modulus. For ECDSA keys the curve name tells you whether the page recognized nistp256, nistp384, or nistp521. Ed25519 is always shown as 256 bits.

SHA256 Fingerprint is the field to trust first when checking whether two differently wrapped keys are really the same. The OpenBSD ssh-keygen tools use SHA-256 as the default fingerprint display, which is why that value is the best practical comparison target. MD5 Fingerprint is there for older displays and compatibility checks, not because it is the stronger signal.

Converted Formats should be read as alternate serializations of the same public key. Rewrapping a key into PEM does not turn it into a certificate, and rewrapping PEM into OpenSSH does not add authorization options or account scope. The page is only changing how the same public key is written.

Conversion Trace and JSON explain what happened during the run. They show how many items were inspected, how many were ignored, the active wrap column, the active comment override, any warnings, and the same converted values that appear elsewhere on the page.

Worked Examples

1. PEM public key to OpenSSH server access

   A cloud console or crypto library gives you a PEM PUBLIC KEY block, but the destination wants a one-line SSH public key. Paste the PEM text, confirm the type and SHA-256 fingerprint, then copy the OpenSSH result.

   The key bytes stay the same. Only the wrapper changes, so the fingerprint becomes the bridge between the PEM source and the SSH-native destination.

2. SSH2 block from an appliance or vendor document

   A network device or vendor guide provides an SSH2 public key block with a quoted Comment: header. Paste the block, keep or override the comment, then copy the OpenSSH line or PEM block required by the next system.

   If you also need a compact audit note, export the metadata table or JSON so the fingerprint and key type travel with the converted text.

3. Binary .der or .cer public-key file

   A file arrives with a binary extension instead of text. Drop it onto the page or load it through the file picker. If the bytes are really a supported public key, the page can rebuild OpenSSH, SSH2, and PEM output from that data.

   If parsing fails, the file is often a certificate or another unsupported structure rather than a bare public key. In that case the extension alone was not enough to tell you what it contained.

FAQ

Glossary

OpenSSH public key

A one-line SSH public key such as ssh-ed25519 AAAA... comment.

SSH public key blob

The canonical SSH byte structure that carries the key type and public-key parameters. Fingerprints are derived from this blob.

SSH2 public key block

A wrapped public-key file format described by RFC 4716, using begin and end markers around base64 content.

SubjectPublicKeyInfo

A generic public-key structure used by PEM PUBLIC KEY blocks in many libraries and APIs.

Fingerprint

A hash-derived identifier used to check whether two displayed keys represent the same public key.

References

• RFC 4253 for SSH public-key algorithm framing and SSH data-type encoding.
• RFC 4716 for the SSH2 public key file format and line-wrapping rules.
• RFC 5656 for ECDSA key names and the NIST curves used in SSH.
• RFC 8709 for the ssh-ed25519 SSH public-key format.
• RFC 8410 for Ed25519 SubjectPublicKeyInfo public-key encoding in PEM PUBLIC KEY blocks.
• OpenBSD ssh-keygen(1) for SHA-256 as the default fingerprint display and RFC 4716 as the default export format.
• OpenBSD sshd(8) for the field layout of authorized_keys lines.