SSH Public Key Converter

Field	Value	Copy
{{ row.label }}	{{ row.value }} {{ row.value }}
Warnings	{{ w }}
Error	{{ single.error }}

Type	Bits/Curve	SHA256	Comment	Copy
{{ r.typeLabel }}	{{ r.bits }} {{ r.curve }} —	{{ r.sha256 }}	{{ r.comment \|\| '' }}
No rows.

SSH public keys are the public half of asymmetric credentials used by Secure Shell to prove identity. An SSH public key names its algorithm and carries key material that clients or servers present during authentication. Keys appear as one‑line OpenSSH entries or as fenced blocks defined by the SSH2 public key file format (RFC 4716), and many teams need to convert PEM to OpenSSH without guessing formats or losing comments.

You enter a public key in any supported layout and receive its algorithm, bit length or named elliptic curve, and two fingerprints for verification. The tool also returns three interchangeable encodings ready to reuse in different systems. Outputs align with common families: an OpenSSH line, an SSH2 public key block with an optional comment, and a PEM public key carrying a SubjectPublicKeyInfo structure.

For example, turning a team member’s OpenSSH line into a block helps upload it to systems that expect SSH2. Use the SHA‑256 fingerprint to confirm the key matches a record you already trust, not the text length or comment. Avoid pasting private keys anywhere, and verify the destination expects a public key before you share it.

Prefer modern algorithms where available, keep comments meaningful but non‑sensitive, and export a CSV or JSON snapshot when access lists change. If you process many keys, deduplicate by fingerprint so each key appears once in reviews and keep a copy with the audit ticket. When sharing SSH2 blocks, choose a wrap length that suits code review tools and avoids unnecessary diff noise.

Technical Details:

Conversion and inspection operate on the canonical SSH wire format. The parser reads a length‑prefixed type name, then algorithm‑specific fields: exponent and modulus for RSA, a 32‑byte public key for Ed25519, or a named curve and uncompressed point for ECDSA. Attributes include type label, bit length or curve, and two fingerprints. Outputs are synthesized deterministically: an OpenSSH line, an SSH2 Public Key block with an optional Comment and configurable wrapping, and a PEM Public Key containing a SubjectPublicKeyInfo sequence with appropriate object identifiers. Batch mode processes multiple items and can collapse identical keys by SHA‑256.

Processing pipeline

Detect input as OpenSSH line, SSH2 block, PEM Public Key, or PKCS#1 RSA Public Key.
Extract Base64 content and decode to bytes with non‑alphabet characters removed.
Parse SSH blob: read type string, then algorithm‑specific fields.
Derive attributes: type label, bit length or named curve.
Compute SHA‑256 and MD5 fingerprints from the SSH blob.
Build outputs: OpenSSH line, SSH2 block with optional comment and wrapping, PEM Public Key.
When batch is enabled, compute row status and deduplicate by SHA‑256.
Populate table and JSON payloads; expose copy and download actions.

Symbols & Units

Symbols and units used in outputs
Symbol	Meaning	Unit/Datatype	Source
type	Algorithm label (RSA, ECDSA, Ed25519)	string	Derived
bits	Bit length for RSA or curve size for ECDSA	bits (integer)	Derived
curve	Named elliptic curve (nistp256, nistp384, nistp521)	string	Derived
sha256	SHA‑256 fingerprint of SSH blob	Base64 (no padding)	Derived
md5	MD5 fingerprint of SSH blob	hex (lower‑case, colon‑separated)	Derived
comment	Human note attached to outputs	string	Input or derived
wrap	SSH2 block wrap width	characters (integer)	Input
source	Original encoding family	string	Derived

Validation & bounds extracted from code

Field validation, patterns, and limits
Field	Type	Min	Max	Step/Pattern	Error Text	Placeholder
SSH2 wrap column	number	40	128	step 1	—	—
OpenSSH line	text	—	—	/^(ssh-rsa\|ssh-ed25519\|ecdsa-sha2-[a-z0-9-]+)\s+[A-Za-z0-9+/=]+(?:\s+.+)?$/	Unknown input format. Parse error. No key-like content detected.	e.g., ssh‑ed25519 AAAA… alice@laptop
SSH2 Public Key	block	—	—	Headers “---- BEGIN SSH2 PUBLIC KEY ----” and “---- END SSH2 PUBLIC KEY ----”	Unknown input format. Parse error.	Optional Comment: "…"
PEM Public Key	block	—	—	“-----BEGIN PUBLIC KEY-----” … “-----END PUBLIC KEY-----”	Unknown input format. Parse error.	—
PKCS#1 RSA Public Key	block	—	—	“-----BEGIN RSA PUBLIC KEY-----” … “-----END RSA PUBLIC KEY-----”	Unknown input format. Parse error.	—
Upload input	file	—	—	Accepts .pub, .pem, .txt; drag‑and‑drop also reads .der and .cer	—	—

I/O formats & encoding

Accepted inputs and produced outputs
Input	Accepted Families	Output	Encoding/Precision	Rounding
Text or file	OpenSSH line; SSH2 Public Key block; PEM Public Key (SPKI); PKCS#1 RSA Public Key; DER/CER via drag‑drop	OpenSSH line; SSH2 block; PEM Public Key	Base64 for key payloads; SHA‑256 shown Base64 without padding; MD5 hex with colons	None; integers and bit lengths exact
SSH2 wrapping	Applies to SSH2 output only	Line length configurable	Clamped to 40–128 characters; default 70	N/A
PEM wrapping	PEM Public Key output	Fixed line width	64‑character lines with standard header and footer	N/A

Units, precision & rounding policy

Decimal separator is a period; no thousands separators.
Bit lengths are exact; no rounding or truncation.
SHA‑256 fingerprint is Base64 without trailing padding.
MD5 fingerprint is lower‑case hexadecimal, colon‑separated octets.
PEM output wraps at 64 characters; SSH2 wrapping is user‑configurable.

Networking & storage behavior

All parsing, conversion, and fingerprinting run in your browser. No requests are sent to a server. Clipboard and file downloads are initiated locally.

Performance & complexity

Decoding and encoding are linear in input size. Memory use is proportional to the key blob and encoded outputs. Processing is synchronous per item; batch mode iterates items sequentially and optionally deduplicates by SHA‑256.

Diagnostics & determinism

For identical inputs, outputs and fingerprints are deterministic. Errors surface as concise messages for unknown formats or parse failures.

Security considerations

Private keys are rejected by design; do not paste secrets.
Comments are copied verbatim; avoid sensitive content.
MD5 is provided for compatibility and should not be used for trust decisions.
Validate fingerprints out‑of‑band before granting access.

Worked example

Input: an OpenSSH line with a comment.

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBEXAMPLEKEYMATERIAL alice@laptop

Key attributes: Type Ed25519; bits 256.

SHA256: WxyzBase64NoPad… 
MD5: aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99

Outputs: OpenSSH line, SSH2 Public Key block with Comment, and PEM Public Key.

Assumptions & limitations

Supported algorithms: RSA, ECDSA (nistp256, nistp384, nistp521), Ed25519.
Heads‑up DSA (ssh‑dss) is not supported.
DER parsing accepts SPKI “PUBLIC KEY” and PKCS#1 “RSA PUBLIC KEY” only.
SSH2 output includes an optional Comment line; comments may be empty.
Batch deduplication collapses identical SHA‑256 fingerprints.
File picker filters .pub, .pem, .txt; drag‑and‑drop also accepts .der and .cer.

Edge cases & error sources

Base64 with whitespace is tolerated; non‑alphabet bytes are stripped before decode.
PEM with malformed headers or footers fails to parse.
SSH2 blocks missing begin or end lines cannot be read.
Unsupported curve object identifiers raise a parse error.
PEM bit strings with nonzero unused bits are rejected.
RSA integers include a leading zero byte when needed to preserve sign.
OpenSSH comments may contain spaces; full text is preserved.
Very large inputs allocate proportionally large buffers.

Scientific & standards backing

SSH2 Public Key file format (RFC 4716); X.509 SubjectPublicKeyInfo structure and algorithm object identifiers for RSA, ECDSA, and Ed25519.

Privacy & compliance

No data is transmitted or stored server‑side. Copy and download actions occur locally in your browser.

Step‑by‑Step Guide:

Follow these steps to inspect and convert a key.

Paste a SSH public key line or block, or drop a compatible file.
Open Advanced and enable Batch mode for multiple items if needed.
Set a Comment override to stamp all outputs consistently.
Choose the SSH2 wrap column to match your review tools.
Click Parse and review type, bits or curve, and fingerprints.
Copy or download the OpenSSH, SSH2, and PEM outputs as required.

Avoid private keys. Never paste secrets.

Example: paste a PEM Public Key to obtain equivalent OpenSSH and SSH2 encodings plus fingerprints for audit notes.

FAQ:

Is my data stored?

No. Parsing and fingerprinting run entirely in your browser. Nothing is uploaded or retained beyond your session.

Which key types are supported?

RSA, ECDSA with curves nistp256, nistp384, nistp521, and Ed25519. DSA is not supported.

Can I load DER or CER files?

Yes, by drag‑and‑drop. They are wrapped into a PEM Public Key before parsing. The file picker targets text formats.

What does the wrap column change?

It controls SSH2 block line length for readability. PEM output uses a fixed width independent of this setting.

Are fingerprints compatible with ssh‑keygen?

SHA‑256 is computed over the SSH blob and shown in Base64 without padding. MD5 is hex with colons for legacy displays.

Can I run without a network?

Yes. Processing is browser‑based. Once loaded, it works without connectivity.

How do I convert PEM to OpenSSH?

Paste the PEM Public Key block. The equivalent OpenSSH line appears alongside SSH2 and PEM outputs for copying.

Does it accept private keys?

No. Private keys are rejected by design to protect sensitive material.

Batch mode can be toggled and also via a query parameter. Using ?batch=1 enables multi‑item parsing and optional de‑duplication.

Troubleshooting:

“Unknown input format” — check headers or the OpenSSH prefix and spacing.
“Parse error” — ensure Base64 is intact and not truncated.
Wrong algorithm shown — verify the input is a public key, not a certificate or private key.
Comment missing — for OpenSSH, place it after the Base64; for SSH2, use a Comment line.
Wrap looks odd — adjust the SSH2 wrap column to match your diff tool.
Duplicate rows — enable de‑duplication when parsing many entries.

Blocking: no key‑like content detected. Paste a valid OpenSSH line, an SSH2 block, or a PEM Public Key.

Advanced Tips:

Tip Keep comments human but non‑sensitive; they propagate to all outputs when overridden.
Tip Compare SHA‑256 fingerprints out‑of‑band before deploying new keys.
Tip For batch imports, deduplicate by fingerprint to avoid noisy reviews.
Tip Use PEM output to integrate with systems that require SPKI “PUBLIC KEY”.
Tip Prefer Ed25519 or P‑256 when policy allows; they are compact and widely supported.

Glossary:

OpenSSH line: Single line: type, Base64 payload, optional comment.
SSH2 Public Key: Fenced block with optional Comment header.
PEM Public Key: SPKI wrapper with Base64 body and headers.
SPKI: SubjectPublicKeyInfo structure defined in X.509.
Fingerprint: Short identifier derived from the key bytes.
SHA‑256: Modern hash shown in Base64 without padding.
MD5: Legacy hash shown as colon‑separated hex.
Curve: Named set of parameters for ECDSA keys.
RSA modulus: Large integer whose bit length labels key size.
OID: Object Identifier used to label algorithms.