SSH Public Key Extractor

Field	Value	Copy
Type	{{ resultRows[0].type }}
Bits	{{ resultRows[0].bits }}
SHA-256	{{ resultRows[0].fp256 }}
MD5	{{ resultRows[0].fpmd5 }}
Public key (authorized_keys line)	`{{ resultRows[0].authorized }}`

Secure Shell (SSH) public keys are identifiers that prove a client’s possession of a matching private key. A public key line combines a type, a base64‑encoded blob, and an optional comment so servers can verify access. Many implementations follow the message formats described in RFC 4253, which is why lines generated by different tools interoperate reliably across platforms.

You provide an OpenSSH private key or an RSA PEM, or paste a complete public key line. The extractor derives the public key in the same copy‑paste format administrators expect, then calculates fingerprints you can match against known values. Outputs highlight the key type, the bit length, and two hashes that help you confirm identity before sharing with others.

Imagine you are onboarding a deploy account and need to authorize a key on a new host. Paste the private key to reveal the public line and fingerprints, then add only the public text to the server. Keep private material on your machine and verify that the host and account controls align with your policy before distributing anything further.

Add a short comment to label the key, or prepend options that restrict use, such as forcing a command or blocking port forwarding. Choose a key type that fits your environment, for example Ed25519 for compact keys or RSA when compatibility with older systems matters. Review fingerprints any time a key changes to detect accidental substitution.

Public keys differ from certificates used in other systems, which bind identities through a chain of trust. Here the line stands alone, and the server’s policy decides where the key is accepted and which commands it may run.

Technical Details:

The extractor reads OpenSSH private keys, RSA PEM private keys, or authorized_keys style public lines and produces a normalized public key plus fingerprints. For OpenSSH, it parses the clear‑text public section embedded in the openssh-key-v1 structure. For RSA PEM, it reconstructs the SSH public blob from the modulus and exponent. Fingerprints are deterministic: SHA‑256 as base64 without padding, and legacy MD5 as lower‑case hex separated by colons.

\begin{array}{lll} bits & = & (len (n) - 1) \times 8 + ⌊ \log_{2} (b) ⌋ + 1 \end{array}

For RSA, n is the modulus as big‑endian bytes and b is the first non‑zero byte of n. ECDSA curve sizes and Ed25519 use their standard bit lengths.

Symbols and units used in calculations
Symbol	Meaning	Unit/Datatype	Source
`type`	SSH key algorithm	string	Input/derived
`bits`	Key length	bit	Derived
`fp256`	SHA‑256 fingerprint	base64 (no padding)	Derived
`fpmd5`	MD5 fingerprint	hex (colon‑delimited)	Derived
`authorized`	Public key line	string	Derived

Algorithm steps

If OpenSSH PEM detected, parse header and read embedded public key(s).
Else if RSA PEM detected, parse modulus and exponent and build SSH blob.
Else scan text for an authorized_keys line and decode its base64 blob.
Compute SHA‑256 over the blob and emit base64 without padding.
Compute MD5 over the blob and emit lower‑case hex with colons.
Estimate or set bit length by algorithm rules and build output fields.
Assemble the public key line as [options ]type base64 [comment].

Units, precision, and rounding

Integer bit lengths, base‑2 calculation for RSA.
SHA‑256 output is base64, padding removed.
MD5 output is 32‑digit hex, colon‑delimited, lower case.
Decimal separator is a dot when numbers appear.
No rounding of fingerprints or sizes is applied.

Validation and bounds

Input patterns, limits, and error messages
Field	Type	Min	Max	Step/Pattern	Error Text	Placeholder
Key input	text/file	—	—	`\b(ssh-(?:rsa\|ed25519\|ecdsa-sha2-nistp256\|ecdsa-sha2-nistp384\|ecdsa-sha2-nistp521))\s+([A-Za-z0-9+/=]+)`	Unsupported or encrypted PEM key (only RSA PEM supported). Try an OpenSSH private key. · Encrypted PKCS#8 private keys are not supported without a passphrase. · Could not detect a key. · Malformed openssh-key-v1 structure. · Could not extract an SSH public key.	Paste SSH private key (OpenSSH or RSA PEM)…
Options prefix	text	—	—	Comma‑separated authorized_keys options	—	command="/bin/echo hi",no-port-forwarding
Comment	text	—	—	Any UTF‑8 text	—	user@host or note

I/O formats and encoding

Accepted inputs and produced outputs
Input	Accepted Families	Output	Encoding/Precision	Rounding
OpenSSH private key	openssh-key-v1 (public part in clear)	Public key line, fingerprints	Base64 blob as in authorized_keys	None
RSA PEM private key	PKCS#1 or PKCS#8	Public key line, fingerprints	RSA n/e rebuilt to SSH blob	None
Public key line	ssh-rsa, ssh-ed25519, ecdsa‑sha2‑nistp256/384/521	Normalized line, fingerprints	Base64 standard, “=” padding accepted	None

Networking and storage behavior

Processing occurs in your browser, and keys are parsed, hashed, and formatted locally. Clipboard actions occur only when you ask them to. No data is transmitted to a server, and nothing is persisted beyond your session.

Performance and determinism

Parsing and hashing are linear in input size. Outputs are deterministic for identical inputs. Very large RSA keys may take longer to hash, but typical sizes remain responsive on modern hardware.

Security considerations

OpenSSH private keys often store public keys in clear, which enables safe extraction without a passphrase.
Encrypted PKCS#8 private keys are not processed without a passphrase.
Never share private keys. Copy only the public line to servers you control.
Validate fingerprints out of band when onboarding sensitive systems.
Use options to restrict command execution or forwarding where appropriate.

Worked example

Input: an Ed25519 public line and an options prefix.

Options: command="/usr/bin/rsync --server",no-port-forwarding

ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEyx1q7Uo3k1oYlQ3i7h0cK1c1p6R0xZ1w9Qm8dJc2u user@host

Result: bit length 256, SHA‑256 appears as base64 without padding, and the authorized_keys line begins with the options prefix followed by the key and comment.

Privacy: No data is transmitted or stored server‑side.

Step‑by‑Step Guide:

Follow these steps to produce a copy‑paste‑ready public key line.

Paste your OpenSSH private key or RSA PEM into the input.
Optionally add an options prefix to restrict access.
Optionally add a short comment to label the key.
Run extraction and review type, bits, and fingerprints.
Copy the public line and add it to the server’s authorized list.

Example: Add no-port-forwarding and a deploy@host comment, then copy the line for use on the target server.

Verify fingerprints with a trusted channel before enabling access.
Use comments that identify owner, host, and purpose.

FAQ:

Is my data stored?

No. All parsing and hashing happen in your browser, and nothing is sent to a server or kept beyond your session.

Clipboard copies occur only when you request them.

Which key types are supported?

ssh-rsa, ssh-ed25519, and ECDSA on nistp256, nistp384, and nistp521. OpenSSH private keys and RSA PEM private keys are accepted as inputs.

What fingerprints are shown?

SHA‑256 in base64 with padding removed, and legacy MD5 as lower‑case hex with colons. The familiar SHA256: label is not prefixed in the value.

Can I use encrypted private keys?

OpenSSH private keys expose public keys in clear, so extraction works. Encrypted PKCS#8 private keys are not processed without a passphrase.

Why do I see only the first key?

Single‑item mode is used. If multiple keys appear in the input, the first is processed and others are ignored with a note.

Does it validate ownership or trust?

No. It formats and fingerprints keys but does not attest ownership, revocation, or policy. Always verify through trusted channels.

How do I convert PEM to an authorized line?

Paste the RSA PEM, review the derived public key line, optionally add options and a comment, then copy the line to the server’s authorized list.

Why is MD5 missing?

If the MD5 library is unavailable in your browser, the MD5 fingerprint is omitted. Use the SHA‑256 fingerprint instead.

Does it change line endings or spacing?

Public lines are emitted as single lines with a single space between parts, suitable for the server’s authorized list.

Troubleshooting:

Remove extra text around a key so the scanner finds the first valid line.
If PEM is encrypted, use the OpenSSH private key format for extraction.
Ensure the key type string matches exactly, for example ssh-ed25519.
Check that base64 is intact and not line‑wrapped mid‑blob.
Disable aggressive clipboard managers that alter copied text.
Verify that comments do not contain newlines.

Extraction failed with “Could not detect a key.” Make sure you pasted a complete OpenSSH private key, an RSA PEM, or a valid authorized_keys line.

Advanced Tips:

Tip Use options like from= to restrict source addresses for the key.
Tip Label comments consistently, for example owner@host purpose.
Tip Keep RSA sizes aligned with policy and rotate on schedule.
Tip Compare fingerprints on a second device to spot tampering.
Tip Store public lines in version control, never private keys.

Glossary:

authorized_keys: Server file listing public keys allowed to authenticate.
Fingerprint: Short hash used to recognize a key’s public blob.
PEM: Base64‑encoded text container for key material.
PKCS#1 / PKCS#8: Standardized formats for storing RSA keys.
Ed25519: Edwards‑curve signature system with 256‑bit keys.
ECDSA: Elliptic Curve Digital Signature Algorithm family.
Modulus: Large RSA number used with the public exponent.
Base64: Text encoding for binary data using 64 symbols.

SSH Public Key Extractor

SSH Public Key Extractor

Introduction:

Technical Details:

Algorithm steps

Units, precision, and rounding

Validation and bounds

I/O formats and encoding

Networking and storage behavior

Performance and determinism

Security considerations

Worked example

Step‑by‑Step Guide:

FAQ:

Troubleshooting:

Advanced Tips:

Glossary: