Skip to content

ssh-keygen Command Line Options

The ssh-keygen syntax is:

ssh-keygen [-7 file] [-b bits] [-c comment] [-D private_key] [-e private_key] [-f] [-F key] [-h] [-H key] [‑i key] [-k file] [-N new_passphrase] [-o key_name] [-O key_file] [-p passphrase] [-P] [-q] [-t key_type] [-V] [-X cert] [key_name1 key_name2 ...]

Use ssh-keygen to create RSA, DSA, ECDSA keys for public key authentication, to edit the properties of existing keys, and to convert key file formats for compatibility with other Secure Shell implementations.

When no options are specified, ssh-keygen generates a 2048-bit RSA key pair and queries you for a passphrase to protect the private key. If you don't specify a file name on the command line, keys are created in ~/.ssh2/ and given a default name that identifies the key type, size, and host name (for example/home/joe/.ssh2/id_rsa_2048_myhost_a). If you specify a file name, keys are saved to the current working directory unless you include a fully qualified path name. For each private key you create, ssh-keygen also generates a public key. Public keys are given the same base name as the private key, with an added .pub extension (for example id_rsa_2048_myhost_a.pub``).

Command Line Options

Options are available in both a single-character form (such as -b) and a descriptive equivalent (--bits). Single characters are shown here. To view the descriptive equivalents, use the -h command line option.

-7 file

Extracts certificate(s) and CRL(s) from the specified PKCS#7 file.


-b bits

Specifies the key size. Up to a point, a larger key size improves security. Increasing key size slows down the initial connection, but has no effect on the speed of encryption or decryption of the data stream after a successful connection has been made. The length of key you should use depends on many factors, including: the key type, the lifetime of the key, the value of the data being protected, the resources available to a potential attacker, and the size of the symmetric key you use in conjunction with this asymmetric key. To ensure the best choice for your needs, we recommend that you contact your security officer. The default for RSA keys is 2048 bits, the default for DSA is 1024 and the default for ECDSA keys is 256. The minimum and maximum values for RSA and DSA keys are 512 and 32768 respectively. The values for ECDSA keys are 256, 384 and 521.


-c comment

Specifies information for the comment field within the key file. Use quotation marks if the string includes spaces. If you do not specify a comment, a default comment is created that includes the key type, creator, date, and time. Note: The comment is displayed when a passphrase-protected key is used for client authentication. Don't store passphrases or other sensitive information in the comment.


-D private_key

Uses the specified private key to derive a new copy of the public key.


-e private_key

Changes the passphrase of the specified private key. When you use this option alone you will be queried for the old and new passphrase for the specified private key. To edit the passphrase without opening an interactive session, you can use this option in combination with -p and -N. To change to a null passphrase, you can use this option in combination with -P.


-f

Enables FIPS mode. This mode enforces key creation using FIPS-approved key strength.


-F key

Displays the fingerprint of the specified key in Bubble Babble format.


-h

Displays a brief summary of command options.


-H key

Uses the specified Reflection public key to generate a public key in OpenSSH format. The converted key is created using the same base file name with an added .ssh extension. You can use the key that is created to configure public key client authentication on an OpenSSH server.


-i key

Displays information about the specified key.


-k file

Extracts certificate(s) and private key(s) from the specified PKCS#12 file.


-N new_passphrase

Changes the passphrase to the specified new passphrase. Use this option in combination with -e.


-o key_name

Specifies the filename for the generated private key. (A public key is also created and is always given the same name as the private key plus a .pub file extension.) Note: An alternate way of naming key files is to specify one or more key filenames at the end of the ssh-keygen command.


-O key

Uses the specified OpenSSH public or private key to create a public or private key in Reflection format. The converted key is created using the same base file name with an added .ssh2 extension.


-p passphrase

Specifies a passphrase. Use quotation marks if the phrase includes spaces. This option creates the initial passphrase when you generate a new key. If you are managing an existing key, use this option to specify the passphrase that protects that key. If a passphrase is required and you don't use -p, you'll be prompted for the passphrase. Ensure that you follow your company's security policy for password length and complexity.

-P

Creates a key with no passphrase. You can use this option to create keys for server authentication. Passphrases are strongly recommended for client keys. Passphraseless keys should be used only for accounts that require unattended authentication (such as file transfer scripts). Passphraseless private key files should be protected using operating system file access controls (key file = 400, directory containing the key = 700).


-q

Hides the key generation progress indicator.


-t key_type

Specifies the algorithm used for key generation. Possible values are "rsa", "dsa", and "ecdsa". The default is "rsa".


-V

Displays ssh-keygen version information.


-X cert

Extracts the public key from the specified X.509 certificate file.

[key_name1 key_name2...]

Specifies the file name (or names) to be used for the generated private key (or keys). The public key is created using the same name with a ".pub" file extension.