Secure Shell (SSH) Public Key Converter
Convert one SSH public key between OpenSSH, SSH2, and PEM in the browser, then compare SHA-256 fingerprints, comments, and warnings.
Introduction
SSH public keys often move between systems that agree on the cryptographic key but disagree about the text around it. A cloud console may ask for a one-line OpenSSH key, a network appliance may export an SSH2 public key block, and a library or certificate workflow may hand over a PEM public key. Those wrappers look different enough to cause doubt, even when they describe the same public key.
A public key is only the public half of a key pair. It can be shared with servers, vendors, and colleagues so a matching private key can prove possession later. The risk in a public-key conversion is usually not that the key material is secret; it is that the wrong key, a copied private key, a certificate, or a line with access options gets mistaken for the bare public key a destination system expects.
- OpenSSH line
- A compact line with a key type such as ssh-ed25519, base64 key data, and an optional trailing comment.
- SSH2 block
- An RFC 4716-style public-key file with begin and end markers, optional headers, and wrapped base64 body lines.
- PEM public key
- A text envelope around DER-encoded public-key data, commonly shown as a BEGIN PUBLIC KEY block.
Most format problems come from surrounding text rather than the key itself. OpenSSH access files can contain command restrictions, source-address limits, or other options before the key type. SSH2 files can carry comments or private-use headers. PEM files may hold a bare public key, an RSA-specific public key, or a full certificate that merely contains a public key. File extensions such as .cer and .pem are clues, not proof of the data inside.
Fingerprints are the practical check that a conversion preserved the key. A SHA-256 fingerprint or legacy MD5 fingerprint is calculated from the SSH public-key bytes, not from the comment or the line wrapping. When the fingerprint stays the same, the text wrapper changed but the public key identity did not.
A converted public key still needs normal authorization work. The destination account must trust that public key, and the user or system must hold the matching private key. Rewriting the public half into another wrapper does not create access, prove private-key custody, or turn a public key into a certificate.
How to Use This Tool:
Use one public key per run so every field, fingerprint, and converted result refers to the same key.
- Paste a key into Public key input, or choose Browse file for a PUB, PEM, TXT, DER, or CER public-key file. DER and CER files need to contain public-key data, not a full certificate.
- For OpenSSH text, start the line at the key type, such as ssh-rsa, ssh-ed25519, or ecdsa-sha2-nistp256. Remove any access options that appear before the key type.
- Open Advanced only when output text needs adjustment. Comment override changes the generated OpenSSH or SSH2 comment, while SSH2 wrap column controls wrapped SSH2 body lines from 40 to 128 characters.
- Check Key Metadata first. Confirm Detected Source, Type, Bits, Curve, SHA256 Fingerprint, MD5 Fingerprint, and Comment before using any converted text.
- Open Converted Formats and copy the format your destination requests. OpenSSH is the usual one-line access-key format, SSH2 is the wrapped RFC 4716-style block, and PEM is the generic public-key envelope.
- Use Conversion Trace when a result looks surprising. It shows item counts, ignored extra keys, selected source type, wrap column, comment override, warnings, and parse errors.
- If the page reports an unknown format, a parse error, extra ignored items, or private-key-looking input, reduce the input to one bare public key and run the conversion again.
Interpreting Results:
SHA256 Fingerprint is the strongest quick comparison value. Compare it with a trusted display from the source system or with the destination fingerprint after installation. MD5 Fingerprint is included for older consoles and audit notes that still use colon-separated MD5 values.
Type, Bits, and Curve describe the parsed public key. They should match your expectation before you copy output, especially when the original file came from an extension such as .pem or .cer. Detected Source identifies the wrapper that was read; it does not prove the key is authorized anywhere.
- OpenSSH output is copy-ready for most access-key fields and authorized_keys-style destinations after any required account policy is handled.
- SSH2 Public Key output is for systems that request the RFC 4716-style begin/end block and wrapped base64 body.
- PEM Public Key output is useful when a system expects a SubjectPublicKeyInfo-style public key block rather than SSH-specific text.
- A matching fingerprint proves that the converted outputs describe the same parsed public key. It does not prove that the matching private key exists, is safe, or belongs to the intended person.
Technical Details:
SSH public-key text is built around a binary SSH public-key blob. The blob begins with an SSH string naming the key type, followed by key-family-specific public values. RSA uses a public exponent and modulus. Ed25519 uses a 32-octet public key. ECDSA uses a named NIST curve identifier and an elliptic-curve point.
Text formats decide how that blob or an equivalent public-key structure is carried. OpenSSH places the key type, base64 blob, and optional comment on one line. SSH2 public-key files wrap the base64 body between RFC 4716 markers and may include headers. PEM public-key blocks carry DER data, normally SubjectPublicKeyInfo, inside a different base64 envelope.
Transformation Core:
Conversion is a wrapper rewrite, not a key-generation step. The public values are parsed into a single key identity and then serialized into the requested text forms.
| Stage | Accepted input or rule | What may change | What should remain stable |
|---|---|---|---|
| Read wrapper | OpenSSH line, SSH2 public-key block, PEM PUBLIC KEY, PEM RSA PUBLIC KEY, or SPKI-style DER/CER public-key data | Markers, headers, line breaks, and comments | Key type and public-key values |
| Build key identity | RSA modulus and exponent, Ed25519 key bytes, or ECDSA curve point on a supported NIST curve | Display wording and destination wrapper | SHA-256 and MD5 fingerprints for the parsed SSH blob |
| Write destination text | OpenSSH one-line text, SSH2 block with selected wrap width, and PEM PUBLIC KEY text | Comment text, base64 wrapping, and envelope syntax | The public-key identity represented by the output |
Fingerprinting follows the SSH key identity, not the surrounding file syntax. The SHA-256 display is SHA256: followed by base64-encoded SHA-256 digest text with padding removed. The MD5 display is the lowercase hexadecimal MD5 digest over the same SSH public-key blob, separated into colon-delimited octets. Changing an SSH comment or SSH2 wrap column should not change either fingerprint.
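The fingerprint rule above can be reproduced outside the browser. The following Python sketch is an added example, not the converter's own code: it decodes one bare OpenSSH line, walks the length-prefixed fields of the blob, checks that the type named in the text matches the type inside the blob, and derives both fingerprint displays. The function names are hypothetical, and the sample line is the Ed25519 key from the Worked Examples.

```python
import base64
import hashlib
import struct

# Constructed sample: the Ed25519 line from the page's Worked Examples.
SAMPLE = ("ssh-ed25519 "
          "AAAAC3NzaC1lZDI1NTE5AAAAIAhgnNOveo+i7eEHepWZiKc2WkIddef7Us3DyZAMEtEp "
          "demo@example.com")


def read_ssh_strings(blob):
    """Split a blob into fields, each a uint32 big-endian length followed by data."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (size,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + size > len(blob):
            raise ValueError("field runs past the end of the blob")
        fields.append(blob[pos:pos + size])
        pos += size
    return fields


def inspect_openssh_line(line):
    """Hypothetical helper: decode one bare OpenSSH line and fingerprint its blob."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    fields = read_ssh_strings(blob)
    if not fields:
        raise ValueError("empty blob")
    embedded = fields[0].decode("ascii")
    if embedded != parts[0]:
        raise ValueError(f"line says {parts[0]} but blob says {embedded}")
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    return {
        "type": embedded,
        "comment": parts[2] if len(parts) == 3 else "",
        "field_lengths": [len(f) for f in fields],
        "sha256": "SHA256:" + sha,
        "md5": ":".join(md5[i:i + 2] for i in range(0, len(md5), 2)),
    }


if __name__ == "__main__":
    print(inspect_openssh_line(SAMPLE))
```

Only the decoded blob is hashed, so editing the trailing comment leaves both values unchanged, while a line whose declared type disagrees with the blob is rejected before any fingerprint is shown.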
| Family | SSH name | Reported size | PEM mapping note |
|---|---|---|---|
| RSA | ssh-rsa | Modulus bit length | Written as a generic PUBLIC KEY block using the RSA algorithm identifier. |
| Ed25519 | ssh-ed25519 | 256 bits | Written with the Ed25519 public-key algorithm identifier used by X.509 public keys. |
| ECDSA | ecdsa-sha2-nistp256, nistp384, or nistp521 | 256, 384, or 521 bits | Written with the ECDSA algorithm identifier and the matching named-curve object identifier. |
| Input condition | Likely result | Recovery |
|---|---|---|
| OpenSSH options before the key type | The line may not be recognized as a bare public key. | Paste only the key type, base64 key data, and optional trailing comment. |
| Multiple public keys or blocks in one input | The first detected public key is processed and the remaining key-like items are ignored. | Convert keys one at a time so fingerprints and outputs stay unambiguous. |
| Private key text | The public-key conversion does not produce a result. | Extract the public key first, then convert the public key only. |
| Certificate in a PEM, DER, or CER file | Parsing may fail because a certificate is not the same object as a bare public key. | Inspect the certificate with a certificate tool or extract its public key before converting. |
| Unsupported curve or public-key algorithm | The parser cannot rewrite the key into all destination formats. | Use RSA, Ed25519, or ECDSA on nistp256, nistp384, or nistp521 for this conversion. |
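The input conditions in the table above can be checked before text reaches any parser. This Python pre-check is an added example and does not reproduce the converter's own detection logic: it counts key-like items and flags access options, private-key text, certificates, and multiple keys. The function name, flag names, and sample inputs are constructed for illustration; the key data is the Ed25519 key from the Worked Examples.

```python
import re

KEY_TYPES = r"(?:ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(?:256|384|521))"
OPENSSH_KEY = re.compile(rf"(?<![\w-]){KEY_TYPES}[ \t]+AAAA[A-Za-z0-9+/]+")
PEM_LABEL = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----")
SSH2_BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
# Recovery text paraphrased from the table above.
ADVICE = {
    "options-before-key-type": "paste only key type, base64 data, and optional comment",
    "multiple-keys": "convert keys one at a time",
    "private-key": "extract the public key first, then convert only that",
    "certificate": "extract the certificate's public key before converting",
}


def triage(text):
    """Hypothetical pre-check: count public-key items and flag risky input conditions."""
    keys, flags = 0, []
    for label in PEM_LABEL.findall(text):
        if label.endswith("PRIVATE KEY"):
            flags.append("private-key")
        elif label == "CERTIFICATE":
            flags.append("certificate")
        elif label in ("PUBLIC KEY", "RSA PUBLIC KEY"):
            keys += 1
    keys += text.count(SSH2_BEGIN)
    for line in text.splitlines():
        match = OPENSSH_KEY.search(line)
        if match:
            keys += 1
            # Anything before the key type is an authorized_keys option list.
            if line[:match.start()].strip():
                flags.append("options-before-key-type")
    if keys > 1:
        flags.append("multiple-keys")
    return {"public_keys": keys, "flags": flags,
            "advice": [ADVICE[f] for f in flags]}


# Constructed inputs; the private-key sample is a header with no key material.
KEY = "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAhgnNOveo+i7eEHepWZiKc2WkIddef7Us3DyZAMEtEp"
RESTRICTED = 'command="/usr/local/bin/backup",no-pty ' + KEY + " backup@example.com"
PRIVATE = "-----BEGIN OPENSSH PRIVATE KEY-----\n(placeholder)\n-----END OPENSSH PRIVATE KEY-----"

if __name__ == "__main__":
    for sample in (KEY, RESTRICTED, PRIVATE, KEY + " a\n" + KEY + " b"):
        print(triage(sample))
```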
RFC 4716 limits public-key file lines to 72 bytes excluding line endings. A 70-character SSH2 body wrap stays within that boundary, while the wider accepted range is useful for tools that document a different preference. OpenSSH output remains one line because that format is normally pasted into line-oriented access-key fields.
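The wrapper rewrite itself is small enough to show end to end for one key family. This added Python example, not the converter's code, writes the Worked Examples Ed25519 blob as an RFC 4716 block with a chosen wrap column and as a PEM PUBLIC KEY block, then reads both back to the same bytes. It covers Ed25519 only and assumes a comment short enough for a single header line; all function names are hypothetical.

```python
import base64

# Constructed sample: the Ed25519 key data from the page's Worked Examples.
B64 = "AAAAC3NzaC1lZDI1NTE5AAAAIAhgnNOveo+i7eEHepWZiKc2WkIddef7Us3DyZAMEtEp"
# An ssh-ed25519 blob is this 19-byte header (type string, key length) plus 32 key bytes.
SSH_PREFIX = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20"
# DER header of an Ed25519 SubjectPublicKeyInfo (RFC 8410), followed by the same 32 bytes.
SPKI_PREFIX = bytes.fromhex("302a300506032b6570032100")


def chunks(text, width):
    return [text[i:i + width] for i in range(0, len(text), width)]


def to_ssh2(blob, comment="", wrap=70):
    """Write an RFC 4716 block; wrap follows the tool's 40 to 128 range."""
    if not 40 <= wrap <= 128:
        raise ValueError("wrap column must be between 40 and 128")
    header = [f'Comment: "{comment}"'] if comment else []
    if header and len(header[0].encode()) > 72:
        raise ValueError("comment too long for one 72-byte header line")
    body = chunks(base64.b64encode(blob).decode(), wrap)
    return "\n".join(["---- BEGIN SSH2 PUBLIC KEY ----", *header, *body,
                      "---- END SSH2 PUBLIC KEY ----"]) + "\n"


def from_ssh2(text):
    """Read the blob back: skip markers and headers, honoring '\\' continuation lines."""
    body, continued = [], False
    for line in text.splitlines():
        if continued or ":" in line:          # base64 never contains ':'
            continued = line.endswith("\\")
        elif not line.startswith("---- "):
            body.append(line.strip())
    return base64.b64decode("".join(body), validate=True)


def ed25519_blob_to_pem(blob):
    if len(blob) != 51 or not blob.startswith(SSH_PREFIX):
        raise ValueError("not an ssh-ed25519 blob")
    der = base64.b64encode(SPKI_PREFIX + blob[19:]).decode()
    return "\n".join(["-----BEGIN PUBLIC KEY-----", *chunks(der, 64),
                      "-----END PUBLIC KEY-----"]) + "\n"


def pem_to_ed25519_blob(pem):
    lines = [l.strip() for l in pem.splitlines() if not l.startswith("-----")]
    der = base64.b64decode("".join(lines), validate=True)
    if len(der) != 44 or not der.startswith(SPKI_PREFIX):
        raise ValueError("not an Ed25519 SubjectPublicKeyInfo")
    return SSH_PREFIX + der[12:]
```

Because every function returns or consumes the same 51-byte blob, hashing the result of either round trip gives the fingerprint of the original key regardless of wrap column or comment.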
Privacy and Safety Notes:
Public keys are meant to be shared, but copied key text can still reveal operational information. Comments often contain usernames, device names, hostnames, project labels, or ticket references.
- Parsing, conversion, and fingerprinting run in the browser after the page loads; public-key text does not need to be uploaded for conversion.
- Do not paste private keys into a public-key converter. A private key should stay in its protected storage location unless you are using a workflow meant for private-key handling.
- If the filled page is shared through a URL or screenshot, public-key text, comments, and system labels may travel with it. Clear the input before sharing page state.
- A matching fingerprint is an identity check for the public key, not an approval that the key should be trusted on a server.
Worked Examples:
OpenSSH Ed25519 key for a cloud console. A line such as ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAhgnNOveo+i7eEHepWZiKc2WkIddef7Us3DyZAMEtEp demo@example.com should report Detected Source as OpenSSH, Type as Ed25519, Bits as 256, and SHA256 Fingerprint as SHA256:lMHLMlspFfDsl4PJgRWqdih1cVhOBS79tzvLK0+67N0. Copy the SSH2 or PEM form only after the fingerprint matches the source record you trust.
PEM public key from a library export. A BEGIN PUBLIC KEY block containing a 2048-bit RSA public key should become an OpenSSH line with Type RSA and Bits 2048. If the destination requires an SSH comment, enter a Comment override before copying the OpenSSH or SSH2 result because PEM public-key blocks do not carry SSH comments.
SSH2 block with a strict line-width requirement. A vendor appliance may ask for an SSH2 public key block whose base64 body wraps at a documented width. Set SSH2 wrap column to that value, keep it between 40 and 128 characters, and confirm in Conversion Trace that the selected wrap column matches the requested setting.
Certificate file mistaken for a public key. A .cer file may contain a full X.509 certificate instead of bare SubjectPublicKeyInfo data. If the converter returns a parse error, extract the certificate's public key with a certificate-aware workflow, then return with the public-key text or DER public-key data.
FAQ:
Can this convert private keys?
No. It is for public keys. If you have a private key file, extract its public key first and paste only the public key here.
Why did only one key convert?
The results are single-key results. If several key-like items are pasted or dropped, the first detected public key is processed and the extra items are counted as ignored.
Why does PEM output not keep my SSH comment?
PEM public-key blocks do not have an SSH comment field. Comments can appear in OpenSSH and SSH2 output, but they are not part of the public key fingerprint.
Which fingerprint should I compare?
Compare the SHA-256 fingerprint first. Use the MD5 fingerprint only when an older device, ticket, or console still shows MD5.
Does a converted key work immediately on a server?
No. The server or account still has to trust that public key, and the connecting user or service must still have the matching private key.
Glossary:
- SSH public-key blob
- The SSH-encoded public-key data used for fingerprints and SSH-specific public-key text.
- OpenSSH line
- A one-line public-key format with a key type, base64 key data, and optional comment.
- RFC 4716
- The SSH2 public-key file format with begin/end markers, headers, and wrapped base64 body lines.
- SubjectPublicKeyInfo
- The generic public-key structure commonly carried inside PEM PUBLIC KEY blocks.
- Fingerprint
- A short digest used to compare public-key identity without reading the full key text.
- Comment
- Human-readable SSH text attached to OpenSSH or SSH2 output. It does not change the key identity.
References:
- RFC 4253: The Secure Shell (SSH) Transport Layer Protocol, RFC Editor, January 2006.
- RFC 4716: The Secure Shell (SSH) Public Key File Format, RFC Editor, November 2006.
- RFC 5656: Elliptic Curve Algorithm Integration in the Secure Shell Transport Layer, RFC Editor, December 2009.
- RFC 8709: Ed25519 and Ed448 Public Key Algorithms for the Secure Shell (SSH) Protocol, RFC Editor, February 2020.
- RFC 8410: Algorithm Identifiers for Ed25519, Ed448, X25519, and X448 for Use in the Internet X.509 Public Key Infrastructure, RFC Editor, August 2018.
- OpenBSD ssh-keygen(1) manual page, OpenBSD.