| Field | Value | Copy |
|---|---|---|
| {{ row.label }} | {{ row.value }} |
| Format | Length | Output | Copy |
|---|---|---|---|
| {{ row.label }} | {{ row.length }} |
{{ row.value || '—' }}
|
| Trace Field | Value | Copy |
|---|---|---|
| {{ row.label }} | {{ row.value }} |
SSH public keys are the shareable half of an SSH keypair. The same key can appear as a one-line OpenSSH entry, an SSH2 public key block, or a PEM public key wrapper, and those text differences can make routine checks harder than they should be when you are moving access between systems.
This converter takes one public key, identifies its algorithm, calculates its fingerprints, and rewrites the key into OpenSSH, SSH2, and PEM forms. That makes it useful when a server expects one format, a document or API asks for another, and you still need a reliable way to confirm that every representation refers to the same underlying key bytes.
A common example is a handoff between teams. One person may paste an OpenSSH line from authorized_keys, another may attach a PEM file to a ticket, and a third may compare only a fingerprint shown by ssh-keygen or a hosting panel. The format changes, but the fingerprint should stay tied to the same public key blob.
The page is intentionally narrow in scope. It converts public material only, supports RSA, Ed25519, and ECDSA on the named NIST curves used in the package, and processes just the first detected key when several items are pasted together. Extra items are counted and ignored rather than merged into a batch result.
Public keys are not secret in the same way private keys are, but they still identify accounts, hosts, or people. The current page also mirrors the pasted key text, comment override, and wrap setting into the address bar through query parameters, so it is worth clearing the form before sharing a link or taking a screenshot.
The converter accepts the formats that appear most often in day-to-day administration. You can paste an OpenSSH public key line, a basic SSH2 public key block with an optional quoted comment header, a PEM PUBLIC KEY block, or a PEM RSA PUBLIC KEY block. Text uploads accept .pub, .pem, and .txt, while binary .der and .cer files can be handled through the page's file-loading logic as public-key input.
| Input family | What the page reads | What you get back | Practical use |
|---|---|---|---|
| OpenSSH line | Algorithm label, base64 key blob, optional trailing comment | Metadata, fingerprints, OpenSSH, SSH2, PEM, trace, JSON | Checking a key before putting it into authorized_keys or a deployment record |
| SSH2 public key block | Base64 body with optional Comment: header |
The same three output encodings plus fingerprints | Reformatting keys from network appliances or older SSH tooling |
| PEM public key | SubjectPublicKeyInfo or RSA PKCS#1 public-key material | OpenSSH, SSH2, PEM rebuild, and key details | Turning library or certificate-style public-key files into SSH text |
The fingerprint panel is usually the most important result. The page shows both a SHA-256 fingerprint and a legacy MD5 fingerprint derived from the SSH public key blob itself, not from the comment field and not from surrounding wrappers. In practice, SHA-256 is the better day-to-day comparison value, while MD5 is mainly there for older interfaces that still display colon-separated MD5 fingerprints.
The SSH2 wrap setting deserves a quick note because interoperability varies. RFC 4716 keeps public-key body lines short, and the package defaults to 70 characters, which stays inside the usual limit. The control also allows wider lines up to 128 characters, so if you need a conservative SSH2 export for another parser, leaving the default alone or keeping the value at 72 or less is the safer choice.
The converted outputs are paired with a few convenience exports rather than extra cryptographic features. Key Metadata can be copied as CSV, downloaded as CSV, or exported as a DOCX table. Converted Formats and Conversion Trace can be copied or downloaded as CSV, and the JSON tab packages the same information into a structured payload for tickets, audits, or later comparison.
Under the hood, the important object is the SSH public key blob. OpenSSH one-line keys carry that blob directly after the algorithm label. SSH2 and PEM inputs have to be unwrapped first, but the page eventually converts each supported input into the same internal byte sequence, then reads the algorithm-specific parameters from it.
That distinction matters because wrappers and comments are presentation details, not identity. When the converter calculates fingerprints, it hashes the canonical SSH key blob. A rewritten comment, a different line length, or a PEM wrapper does not change the fingerprint as long as the underlying public key bytes are the same.
| Family | How the package labels it | Reported size | Notes |
|---|---|---|---|
| RSA | RSA | Derived from the modulus bit length | PEM RSA PUBLIC KEY input is supported and re-emitted as a generic PUBLIC KEY wrapper |
| Ed25519 | Ed25519 | 256 bits | Handled as OpenSSH, SSH2, and PEM SubjectPublicKeyInfo |
| ECDSA | ECDSA | 256, 384, or 521 bits | Restricted to nistp256, nistp384, and nistp521 |
The implementation is deliberately stricter than a broad "anything SSH-like" parser. It does not accept DSA public keys, SSH certificates, or arbitrary PEM labels. SSH2 support is limited to the block structure the package actually parses, which means an optional quoted Comment: header and base64 body content, not the full universe of custom headers other software may tolerate.
Processing stays in the browser. File reads use the page's local file APIs, SHA-256 is calculated with the browser's Web Crypto interface, and the converter rebuilds OpenSSH, SSH2, and PEM output strings directly on the page. There is no lambda.mjs helper, no network request for conversion, and no server-side storage path in the shipped package.
The privacy boundary is therefore mostly local, but not invisible. Because the shared query-parameter mixin writes changed inputs back into the URL, the current key text and comment override can end up in browser history, copied links, or screen captures. For operational hygiene, that matters more than server-side retention here.
Start by pasting one public key or loading one file. If the source is an OpenSSH line, the page reads the algorithm label and base64 payload directly. If the source is a PEM or SSH2 block, it unwraps that container first and then normalizes the key before any fingerprints are shown.
If you want a different comment on the rewritten key, set it in the advanced panel before copying results. The comment override affects OpenSSH output and SSH2 block output, but it does not change the key material or either fingerprint.
Next, read the Key Metadata tab before copying any converted text. The source label tells you what the page recognized, the type and curve fields tell you whether the parser matched the expected algorithm, and the SHA-256 fingerprint gives you the stable comparison value to check against another system.
Move to Converted Formats only after the metadata looks right. OpenSSH output is the familiar one-line SSH format. SSH2 output is a wrapped block with an optional comment header. PEM output is a PUBLIC KEY wrapper suitable for software that expects SubjectPublicKeyInfo text instead of SSH-native formatting.
The Conversion Trace and JSON tabs are there when you need evidence rather than just output text. Trace summarizes how many items were inspected, how many were ignored, the selected source type, the active wrap width, and any warnings. JSON captures the same metadata, converted formats, and trace rows in one exportable object.
Detected Source tells you which parser path succeeded. That field matters because comments behave differently by source. OpenSSH and SSH2 inputs can carry comments that the page preserves unless you override them, while PEM inputs arrive without an SSH comment and therefore produce blank comments unless you add one.
Type, Bits, and Curve describe the parsed key, not the wrapper it came in. For RSA keys, bit length comes from the modulus. For ECDSA keys, the curve is reported by name and the bit count follows the named curve. Ed25519 is always shown as 256 bits.
SHA256 Fingerprint is the best field to compare when you want to confirm identity across formats. If the OpenSSH line, SSH2 block, and PEM export all show the same SHA-256 value, the converter is telling you that they encode the same public key. The MD5 field exists for compatibility with older displays and should not be treated as the stronger trust signal.
Converted Formats are best read as alternate serializations, not as upgraded or downgraded keys. Rewrapping a public key into PEM does not make it suitable for certificate use by itself, and converting PEM into OpenSSH does not add any server authorization options. The page is only changing how the same public key is represented.
Ignored items and the warning banner tell you when extra keys were present. Since the package reports only the first detected key, use a single input item when precision matters. That avoids accidentally comparing the fingerprint of one key while intending to deploy another.
A straightforward case is a PEM public key supplied by a library or cloud console. Paste the PEM block, confirm the algorithm and SHA-256 fingerprint, then copy the OpenSSH line if you need to place that key into an SSH-native workflow. The fingerprint gives you a stable bridge between the two text representations.
Another common case is a vendor document that shows an SSH2 public key block. The converter can unwrap that block, preserve or replace the comment, and emit both OpenSSH and PEM output from the same parsed key. That is useful when one system wants a classic SSH line but another wants a PEM file for storage or review.
The metadata exports are useful during rollout and audit work. If you need to hand someone a compact verification package, the Key Metadata table and JSON export let you share algorithm, curve, and fingerprints without asking them to parse the key manually. That keeps the operational conversation centered on identity checks instead of text formatting.
Can it convert private keys?
No. The package is built for public-key material and returns a parse error when the input does not match one of its supported public-key formats.
Does matching output text matter, or only matching fingerprints?
Fingerprint agreement is the stronger identity check. Text wrappers and comments can change while the underlying key stays the same.
Why is MD5 shown at all?
Some SSH tooling and older administrative interfaces still display MD5 fingerprints. The field is there for compatibility, not because MD5 is the preferred comparison method.
Will it handle every RFC 4716 feature?
No. It handles the subset the code actually parses: the standard block markers, base64 body content, and a quoted comment header. If you need wide interoperability, keep the wrap width conservative.
Does clearing the page matter after conversion?
Yes, if you want to avoid leaving the pasted key text in the page URL, history, or copied links. The conversion itself is local, but the page state is still shareable.
ssh-ed25519 AAAA... comment.PUBLIC KEY wrapper used by many libraries and APIs to carry public-key data.