How to get a .pem file from ssh key pair?

Solution 1:

According to this, this command can be used:

ssh-keygen -f id_rsa -e -m pem

This will convert your public key to an OpenSSL compatible format. Your private key is already in PEM format and can be used as is (as Michael Hampton stated).

Double check if AWS isn't asking for a (X.509) certificate in PEM format, which would be a different thing than your SSH keys.

Solution 2:

Using ssh-keygen to export the key in the .pem format worked for me.

ssh-keygen -f -m 'PEM' -e > id_rsa.pem

Then simply copy the .pem key as necessary.

For reference:

  • the -f portion indicates the input file to read from
  • -m 'PEM indicates a PEM filetype
  • the -e option indicates that the output will be exported

Solution 3:

id_rsa is the file that you have to use to decrypt the Windows EC2 instance password, but just make sure that the file you copy paste is not phrase protected.

I solved the problem getting a temporarily unprotected the id_rsa file with something like:

$ openssl rsa -in ~/.ssh/id_rsa -out tmp_file.pem

Solution 4:

Initially, when using ssh-keygen, I could generate a public key that was compatible with AWS EC2, but had issues with creating private keys that were compatible. The following creates both public and private keys pairs that are compatible with AWS EC2.

ssh-keygen -P "" -t rsa -b 4096 -m pem -f my-key-pair

Here's info on each parameter:

  • -P: is for passphrase. Intentionally set to empty.
  • -t: Specifies the type of key to create.  AWS EC2 Key Pair requires RSA. It's my experience that this pertains to the public key that is created.
  • -b: Specifies the number of bits in the key. The supported lengths are 1024, 2048, and 4096. If you connect using SSH while using the EC2 Instance Connect API, the supported lengths are 2048 and 4096.
  • -m: Specifies a key format for key generation. Setting a format of “PEM” when generating a supported private key type will cause the key to be stored in the legacy PEM private key format.  AWS EC2 Key Pair need the legacy format
  • -f: Specifies the output filename of the key file


For more information on ssh-keygen, see:

AWS - EC2 Key Pairs -