# ssh-keygen — Generate and Manage SSH Keys

> Practical guide to ssh-keygen — generate Ed25519 and RSA key pairs, manage passphrases, maintain known_hosts, inspect fingerprints, and issue SSH certificates.

Source: https://www.jpkc.com/db/en/cheatsheets/networking/ssh-keygen/

<!-- PROSE:intro -->
`ssh-keygen` is OpenSSH's built-in tool for creating and managing SSH key pairs. A single command generates a modern Ed25519 or classic RSA pair, lets you protect it with a passphrase, and produces the public key you copy to your server – from that point on, you log in without a password. It also handles `known_hosts` maintenance, fingerprint verification, format conversion, and full SSH-certificate workflows.
<!-- PROSE:intro:end -->

## Generate Keys

`ssh-keygen -t ed25519` — Generate an Ed25519 key pair (modern, recommended).

```bash
ssh-keygen -t ed25519 -C 'user@example.com'
```

`ssh-keygen -t rsa -b 4096` — Generate an RSA key pair with 4096 bits.

```bash
ssh-keygen -t rsa -b 4096 -C 'user@example.com'
```

`ssh-keygen -t ed25519 -f <file>` — Generate a key and save to a custom filename.

```bash
ssh-keygen -t ed25519 -f ~/.ssh/deploy_key
```

`ssh-keygen -t ed25519 -N ''` — Generate a key without a passphrase (for automation). An unencrypted private key is only as safe as the file it lives in, so keep it mode 0600, scope it to one job, and restrict it on the server side with `authorized_keys` options such as `command=` and `from=`.

```bash
ssh-keygen -t ed25519 -N '' -f ~/.ssh/ci_key
```

`ssh-keygen -t ecdsa -b 521` — Generate an ECDSA key on the NIST P-521 curve (`-b` accepts 256, 384 or 521). Use it where a policy mandates NIST curves; otherwise Ed25519 is the better default.

```bash
ssh-keygen -t ecdsa -b 521
```

## Key Info & Fingerprints

`ssh-keygen -l -f <key>` — Show the fingerprint of a key. Works on a public key file, or on a private key (the matching `.pub` beside it is read when present).

```bash
ssh-keygen -l -f ~/.ssh/id_ed25519.pub
```

`ssh-keygen -l -E md5 -f <key>` — Show fingerprint in MD5 format. — MD5 is deprecated; legacy compatibility only.

```bash
ssh-keygen -l -E md5 -f ~/.ssh/id_ed25519.pub
```

`ssh-keygen -lv -f <key>` — Show fingerprint with visual ASCII art (randomart).

```bash
ssh-keygen -lv -f ~/.ssh/id_ed25519.pub
```

`ssh-keygen -y -f <private-key>` — Extract the public key from a private key (prompts for the passphrase if the key is encrypted). Use it to regenerate a lost `.pub` or to confirm that a `.pub` really belongs to its private key.

```bash
ssh-keygen -y -f ~/.ssh/id_ed25519 > ~/.ssh/id_ed25519.pub
```
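The generate and inspect steps above, combined into the check a practitioner actually wants when a key is handed over: does the `.pub` belong to the private key, and does the fingerprint match the value received out of band? This is an added example, not code from the original page; the file names and comment are assumptions, and the "expected" fingerprint is taken from the freshly generated key when you try it.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: generate an Ed25519 key pair
# non-interactively, then check it the way you would check a key someone
# hands you: does the .pub really belong to the private key, and does its
# fingerprint match the one you were given out of band?  File names and the
# comment are assumptions for the demo.

# SHA256 fingerprint of a public key file, e.g. "SHA256:NxP3...".
fingerprint_of() {
    ssh-keygen -l -f "$1" | awk '{print $2}'
}

# Generate an Ed25519 pair at $1 with comment $2 and no passphrase
# (automation use). Refuses to overwrite, so a deploy key in use is never
# silently replaced by a rerun of a provisioning script.
generate_ed25519() {
    if [ -e "$1" ]; then
        echo "refusing to overwrite existing key: $1" >&2
        return 1
    fi
    ssh-keygen -q -t ed25519 -N '' -C "$2" -f "$1" && chmod 600 "$1"
}

# 0 if the public key derived from private key $1 (-y) equals the stored
# $1.pub; a mismatch means a stale, swapped or tampered .pub file.
pubkey_matches_private() {
    derived=$(ssh-keygen -y -f "$1" | awk '{print $1, $2}')
    stored=$(awk '{print $1, $2}' "$1.pub")
    [ -n "$derived" ] && [ "$derived" = "$stored" ]
}

# 0 only when the fingerprint of key $1 equals the expected value $2.
fingerprint_matches() {
    [ "$(fingerprint_of "$1")" = "$2" ]
}
```

Source the file and call `generate_ed25519 ~/.ssh/deploy_key ci@example.com`, then `fingerprint_matches ~/.ssh/deploy_key.pub SHA256:...` with the fingerprint from the other party. The comparison is on the SHA256 form; if the other side only has an MD5 fingerprint, ask for a SHA256 one rather than downgrading.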

## Passphrase Management

`ssh-keygen -p -f <key>` — Change the passphrase of a private key.

```bash
ssh-keygen -p -f ~/.ssh/id_ed25519
```

`ssh-keygen -p -f <key> -N '' -P '<old>'` — Remove the passphrase from a key. A passphrase given on the command line lands in shell history and is visible to other local users in process listings (`ps`) while the command runs; use this form only in controlled environments.

```bash
ssh-keygen -p -f ~/.ssh/id_ed25519 -N '' -P 'oldpassphrase'
```
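The two commands above in the form they take inside an audit script: detect private keys that have no passphrase, and rotate a passphrase non-interactively with more KDF rounds than the default. This is an added example rather than code from the page; passing passphrases as function arguments is a demo assumption (it has the `ps`/history exposure noted above), and the key paths are made up.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: audit whether a private key is
# passphrase-protected and rotate its passphrase without an interactive prompt.
# Passphrases arrive as function arguments here (a demo assumption); anything
# given to -P/-N shows in `ps` output while the command runs, so on shared
# hosts prefer the interactive prompt.

# 0 if the private key at $1 needs a passphrase to load.
# `-y -P ''` succeeds only for an unencrypted key; for an encrypted key
# ssh-keygen fails instead of prompting, because a passphrase was supplied.
key_is_encrypted() {
    ! ssh-keygen -y -P '' -f "$1" >/dev/null 2>&1
}

# Change the passphrase of $1 from $2 to $3. -a 100 raises the bcrypt KDF
# rounds (default 16) so cracking a stolen key file costs correspondingly more.
rotate_passphrase() {
    ssh-keygen -q -p -a 100 -f "$1" -P "$2" -N "$3" >/dev/null
}

# Print every unencrypted private key under a directory (default ~/.ssh).
find_unprotected_keys() {
    dir="${1:-$HOME/.ssh}"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        case "$f" in *.pub|*/known_hosts*|*/config|*/authorized_keys) continue;; esac
        grep -q 'PRIVATE KEY' "$f" 2>/dev/null || continue
        key_is_encrypted "$f" || echo "$f"
    done
}
```

`find_unprotected_keys` on a workstation is a quick way to find the "temporary" CI key that never got a passphrase; `rotate_passphrase key '' 'new one'` fixes it in place.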

## known_hosts Management

`ssh-keygen -R <host>` — Remove a host from known_hosts (after key change). Do this only after confirming the new key out of band: an unexpected host-key change is exactly what a man-in-the-middle looks like. For a non-standard port use the bracketed form, `ssh-keygen -R '[server.example.com]:2222'`.

```bash
ssh-keygen -R server.example.com
```

`ssh-keygen -F <host>` — Search for a host in known_hosts.

```bash
ssh-keygen -F github.com
```

`ssh-keygen -H -f ~/.ssh/known_hosts` — Hash all hostnames in known_hosts so the file no longer reveals where you connect. The original is kept as `known_hosts.old`; delete it once you have checked the result, or the plaintext names stay on disk.

```bash
ssh-keygen -H -f ~/.ssh/known_hosts
```

`ssh-keyscan <host>` — Fetch the public key of a remote host. Whatever answers on port 22 is what you get, so appending blindly is trust-on-first-use; compare the fingerprint (`ssh-keygen -lf` on the scanned output) with a value published by the operator before adding it. `ssh-keyscan -H` emits hashed entries directly.

```bash
ssh-keyscan github.com >> ~/.ssh/known_hosts
```

`ssh-keyscan -t ed25519 <host>` — Fetch only a specific key type.

```bash
ssh-keyscan -t ed25519 github.com
```
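The known_hosts commands above, assembled into a pinning routine: an `ssh-keyscan`-style line is appended only when its fingerprint equals an expected value, duplicates are avoided with `-F`, names are hashed with `-H`, and `-R` handles a verified rotation. This is an added example, not code from the page; the host name and known_hosts path are assumptions, and the key line is built from a locally generated key rather than a network scan so it runs offline.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: pin a host key instead of
# trusting whatever ssh-keyscan returned. The entry is appended only when its
# fingerprint equals one obtained out of band (the provider's published
# fingerprint, a CMDB record), then the file is hashed and queried.
# Host name and known_hosts path are assumptions for the demo.

# SHA256 fingerprint of the key in one known_hosts / ssh-keyscan line ($1).
# ssh-keygen -l understands the "host type base64" layout, so the line is
# written to a temporary file and read back.
line_fingerprint() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$1" > "$tmp"
    ssh-keygen -l -f "$tmp" | awk '{print $2}'
    rm -f "$tmp"
}

# pin_host_key <known_hosts> <keyscan line> <expected fingerprint>
# Appends the line if the fingerprint matches and the host is not yet present,
# then hashes the host names (-H) and removes the plaintext backup.
pin_host_key() {
    kh="$1"; line="$2"; expected="$3"
    host=${line%% *}
    actual=$(line_fingerprint "$line")
    if [ "$actual" != "$expected" ]; then
        echo "host key for $host is $actual, expected $expected: not pinning" >&2
        return 1
    fi
    # -F exits 0 when an entry for the host exists (hashed entries included)
    if ssh-keygen -F "$host" -f "$kh" >/dev/null 2>&1; then
        return 0
    fi
    printf '%s\n' "$line" >> "$kh"
    ssh-keygen -H -f "$kh" >/dev/null 2>&1 || return 1
    rm -f "$kh.old"        # -H leaves the unhashed original as known_hosts.old
}

# forget_host <known_hosts> <host>: drop a host after a verified key rotation;
# works on hashed entries and on "[host]:port" names.
forget_host() {
    ssh-keygen -R "$2" -f "$1" >/dev/null 2>&1
    rm -f "$1.old"         # -R writes the same .old backup as -H
}
```

In practice the line comes from `ssh-keyscan -t ed25519 host` and the expected fingerprint from the operator's documentation or your configuration management; the function refuses to write anything when the two disagree.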

## Format Conversion

`ssh-keygen -e -f <key> -m RFC4716` — Export public key in RFC 4716 format (SSH2).

```bash
ssh-keygen -e -f ~/.ssh/id_ed25519.pub -m RFC4716
```

`ssh-keygen -e -f <key> -m PEM` — Export a public key in PEM format, for software that does not read the OpenSSH one-line form (`-m PKCS8` gives the SubjectPublicKeyInfo variant). RSA is shown because Ed25519 keys cannot be exported this way.

```bash
ssh-keygen -e -f ~/.ssh/id_rsa.pub -m PEM
```

`ssh-keygen -i -f <key> -m RFC4716` — Import a key from RFC 4716 format; the OpenSSH one-line form is written to stdout, so redirect it into a file.

```bash
ssh-keygen -i -f key.pub -m RFC4716
```

## Certificates & Signing

`ssh-keygen -s <ca-key> -I <id> -n <principals> <key>.pub` — Sign a user key with a CA key (SSH certificates). The certificate is written to `<key>-cert.pub`. The principals are the login names the certificate is valid for and `-I` is the identity that appears in the server log. Without `-V` the certificate never expires, so outside a test add a validity window (`-V +52w`, or `-V -5m:+1h` for short-lived access) and a serial (`-z`) so individual certificates can be revoked.

```bash
ssh-keygen -s ca_key -I user_john -n john,admin john.pub
```

`ssh-keygen -s <ca-key> -I <id> -h <host-key>.pub` — Sign a host key with a CA key. Add `-n` with every name clients use to reach the host; a host certificate without principals is accepted for any hostname, which defeats the point of certifying it.

```bash
ssh-keygen -s ca_key -I server.example.com -h ssh_host_ed25519_key.pub
```

`ssh-keygen -L -f <cert>` — Show details of an SSH certificate: key ID, serial, validity, principals, and the fingerprint of the signing CA. The embedded signature is checked while the certificate is parsed, so a tampered certificate fails to load; whether the signing CA is one you trust is a separate check.

```bash
ssh-keygen -L -f john-cert.pub
```
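The issuance and inspection steps above as a small CA script, with the options the bare `-s` commands leave out (validity window, principals, serial) and a check that a certificate presented to you was signed by your CA and not merely by some CA. This is an added example, not code from the page or from OpenSSH; the CA and user names, the one-hour user lifetime and the `-5m` backdating for clock skew are assumptions.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: a minimal SSH CA flow with a
# validity window (-V), explicit principals (-n) and a serial (-z), plus a
# check that a certificate was signed by *our* CA before trusting what it
# says. Names and lifetimes below are assumptions for the demo.

# issue_user_cert <ca private key> <user pub key> <key id> <principals> <serial>
# Writes <user pub key minus .pub>-cert.pub. -5m backdates the start so a
# client with a slightly slow clock still sees the certificate as valid.
issue_user_cert() {
    ssh-keygen -q -s "$1" -I "$3" -n "$4" -z "$5" -V '-5m:+1h' "$2"
}

# issue_host_cert <ca private key> <host pub key> <key id> <hostnames>
# The principals are the names clients connect to; without -n the host
# certificate would be accepted for any hostname.
issue_host_cert() {
    ssh-keygen -q -s "$1" -I "$3" -h -n "$4" -V '-5m:+52w' "$2"
}

# Key ID stored in the certificate (what sshd logs at login).
cert_key_id() {
    ssh-keygen -L -f "$1" | sed -n 's/^ *Key ID: "\(.*\)"$/\1/p'
}

# Principals listed in the certificate, one per line. ssh-keygen -L indents
# section headers by 8 spaces and the principal names by 16.
cert_principals() {
    ssh-keygen -L -f "$1" |
        awk '/^ *Principals:/ {p=1; next} p && /^        [A-Za-z]/ {exit} p {sub(/^ +/, ""); print}'
}

# Fingerprint of the key that signed the certificate. Parsing already verified
# the signature against this key, so the value is cryptographically bound.
cert_signing_ca() {
    ssh-keygen -L -f "$1" | awk '/^ *Signing CA:/ {print $4; exit}'
}

# 0 if certificate $1 was signed by the CA whose public key file is $2.
# This is the check sshd performs against TrustedUserCAKeys; do it yourself
# when handling certificates outside sshd (inventory scripts, audits).
cert_signed_by() {
    [ "$(cert_signing_ca "$1")" = "$(ssh-keygen -l -f "$2" | awk '{print $2}')" ]
}
```

Keep the CA private key off the hosts that trust it; only the CA's public key belongs in `TrustedUserCAKeys` (users) or in a `@cert-authority` line in `known_hosts` (hosts).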

`ssh-keygen -Y sign -f <key> -n <namespace> <file>` — Sign a file using an SSH key; the signature is written to `<file>.sig`. The namespace is part of what is signed, so a signature made for `file` cannot be replayed as an `email` or `git` signature.

```bash
ssh-keygen -Y sign -f ~/.ssh/id_ed25519 -n file release.tar.gz
```

`ssh-keygen -Y verify -f <allowed-signers> -I <id> -n <namespace> -s <sig> < <file>` — Verify a file signature. `allowed_signers` maps identities to keys, one per line in the form `user@example.com ssh-ed25519 AAAA...`; options such as `namespaces="file"` or `valid-before=` restrict a key further. The command exits non-zero when the data, the signer identity, or the namespace does not match.

```bash
ssh-keygen -Y verify -f allowed_signers -I user@example.com -n file -s release.tar.gz.sig < release.tar.gz
```
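The sign and verify commands above as a release-signing routine, including the `allowed_signers` file the verifier needs and the failure cases you should see: a tampered artifact, an identity that is not the signer, and a signature from a key that is not in the list. This is an added example, not code from the page; the identity `release@example.com`, the `file` namespace and the artifact name are assumptions, and the artifact is a constructed stand-in.

```bash
#!/usr/bin/env bash
# Added example, not from the original page: sign a release artifact with an
# SSH key, build the allowed_signers file the verifier needs, and show that a
# modified artifact or an unlisted signer is rejected. The signer identity
# "release@example.com" and the "file" namespace are assumptions for the demo.

# add_allowed_signer <allowed_signers> <identity> <pub key>
# Appends "<identity> namespaces="file" <type> <base64>". The namespaces
# option means this key is accepted for "file" signatures only; a signature
# it made in, say, the "git" namespace would not verify against this entry.
add_allowed_signer() {
    printf '%s namespaces="file" %s\n' "$2" "$(awk '{print $1, $2}' "$3")" >> "$1"
}

# sign_file <private key> <file>: writes <file>.sig in the "file" namespace.
sign_file() {
    ssh-keygen -Y sign -f "$1" -n file "$2" >/dev/null 2>&1
}

# verify_file <allowed_signers> <identity> <file>
# 0 only if <file>.sig was made over exactly this data, in the "file"
# namespace, by a key listed for <identity>.
verify_file() {
    ssh-keygen -Y verify -f "$1" -I "$2" -n file -s "$3.sig" < "$3" >/dev/null 2>&1
}

# signature_principal <allowed_signers> <sig>
# Prints which listed identity produced the signature. It does not check the
# data, so it is for triage ("who signed this?") and never a substitute for
# verify_file.
signature_principal() {
    ssh-keygen -Y find-principals -f "$1" -s "$2" 2>/dev/null
}
```

Ship `release.tar.gz.sig` next to the artifact and publish the `allowed_signers` line through a channel the downloader already trusts; the signature proves nothing to someone who fetched the signer list from the same place as the artifact.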

<!-- PROSE:outro -->
## Conclusion

`ssh-keygen` gives you everything you need for secure, passwordless authentication – from key generation to certificate issuance. Reach for Ed25519 in everyday use: compact, fast, and cryptographically current. Always protect private keys with a passphrase and pair them with an SSH agent so you only need to enter it once per session.

## Further Reading

- [OpenSSH – Wikipedia](https://en.wikipedia.org/wiki/OpenSSH) – background and history
- [Secure Shell – Wikipedia](https://en.wikipedia.org/wiki/Secure_Shell) – protocol and architecture
- [ssh-keygen(1) – manual page](https://man.openbsd.org/ssh-keygen) – every option at a glance
<!-- PROSE:outro:end -->

## Related Commands

- [ssh](https://www.jpkc.com/db/en/cheatsheets/networking/ssh/) – open secure remote connections
- [scp](https://www.jpkc.com/db/en/cheatsheets/networking/scp/) – copy files securely between hosts
- [mosh](https://www.jpkc.com/db/en/cheatsheets/networking/mosh/) – robust SSH connections for mobile users

