KB Article #180119

How to extract the SSH public key from a Login certificate

Problem

Sometimes you might need to use an existing SSH login key for another account. This article will show how to extract the SSH key from the available certificate (located on the Login Certificates tab under the original account).


Resolution

SecureTransport works internally with certificates: every imported SSH key is converted to an X.509 certificate, and the SSH key is then extracted from that certificate on the fly. For this reason the SSH public key cannot be exported directly, and a couple of additional steps are required to extract it from the certificate.


The instructions below require the OpenSSL and ssh-keygen tools, so they can be carried out on Linux only.


1. Log in to ST's Admin UI as Master Administrator and navigate to the account and then to the Certificates -> Login Certificates page.


2. Open the required certificate and export it as .crt file, for example logincert.crt.


3. Transfer the logincert.crt file to a Linux server.


4. Extract the certificate's public key:


openssl x509 -pubkey -in logincert.crt -noout > x509-key.pub


5. Convert the certificate's public key to an OpenSSH public key:


ssh-keygen -i -m pkcs8 -f x509-key.pub > SSH-pub-key.pub


The resulting SSH-pub-key.pub can now be imported into SecureTransport.
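
Steps 4 and 5 combined into one script, with a round-trip check that the converted key still matches the key in the certificate and a fingerprint printout to compare against the key already in use. This is an added example, not SecureTransport code; the function name cert_to_ssh_pub is hypothetical and the file names are the ones used in the steps above.

```shell
#!/bin/sh
# Added example, not vendor code. cert_to_ssh_pub is a hypothetical helper name.
# Usage: sh this-script logincert.crt SSH-pub-key.pub

cert_to_ssh_pub() {
    cert=$1   # exported login certificate (PEM), e.g. logincert.crt
    out=$2    # OpenSSH public key file to write, e.g. SSH-pub-key.pub
    [ -r "$cert" ] || { echo "cannot read $cert" >&2; return 1; }
    tmp=$(mktemp -d) || return 1
    rc=0

    # Step 4: extract the certificate's public key (PEM SubjectPublicKeyInfo).
    openssl x509 -pubkey -in "$cert" -noout > "$tmp/x509-key.pub" 2>/dev/null ||
        { echo "$cert is not a PEM X.509 certificate" >&2; rc=1; }

    # Step 5: convert it to a one-line OpenSSH public key.
    if [ $rc -eq 0 ]; then
        ssh-keygen -i -m pkcs8 -f "$tmp/x509-key.pub" > "$tmp/ssh.pub" 2>/dev/null ||
            { echo "ssh-keygen cannot convert this key type" >&2; rc=1; }
    fi

    # Check: convert the OpenSSH key back and compare its DER bytes with the
    # key taken from the certificate, so a wrong or truncated key is caught.
    if [ $rc -eq 0 ]; then
        ssh-keygen -e -m pkcs8 -f "$tmp/ssh.pub" > "$tmp/back.pub" 2>/dev/null &&
        openssl pkey -pubin -in "$tmp/x509-key.pub" -outform DER -out "$tmp/a.der" 2>/dev/null &&
        openssl pkey -pubin -in "$tmp/back.pub" -outform DER -out "$tmp/b.der" 2>/dev/null &&
        cmp -s "$tmp/a.der" "$tmp/b.der" ||
            { echo "converted key does not match the certificate" >&2; rc=1; }
    fi

    # Only write the output file once the key has been verified, then print
    # its fingerprint for comparison with the key the client presents.
    if [ $rc -eq 0 ]; then
        cp "$tmp/ssh.pub" "$out" && ssh-keygen -l -f "$out"
        rc=$?
    fi
    rm -rf "$tmp"
    return $rc
}

# Run stand-alone when called with the two file names.
if [ $# -eq 2 ]; then
    cert_to_ssh_pub "$1" "$2"
fi
```

The printed fingerprint can be compared with the output of ssh-keygen -l -f run on the client's own public key file before the key is imported.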