Ubuntu – How to generate an OpenSSL .pem file and where we have to place it


I want to generate an OpenSSL .pem file to allow remote login via ssh using a .pem file in place of a password.

I am able to generate the key as well as the .crt and .pem files using the following:

sudo openssl genrsa -des3 -out server.key 2048
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
openssl x509 -inform DER -outform PEM -in server.crt -out server.crt.pem

But the problem is where I have to put it on the server side, or what changes I have to make in the /etc/ssh/sshd_config file to allow remote login via ssh using the .pem file.

I want the client to connect to my machine in the following manner:

ssh -i server_crt.pem username@my_ip

What changes exactly do I have to make for the implementation?


Best Answer

First you need to upload the public key to the server you want to connect to; the public key is in the .pub file:


# ssh-copy-id -i ~/my-certificate.pub root@

After this it should be working and you should be able to log in using:

$ sudo ssh -i ~/my-certificate.pem root@

Changes are made in the file ~/.ssh/authorized_keys on the server machine. Open it with a text editor such as nano and you will see lines starting with something like: ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAX ...

I personally generate the key file using $ ssh-keygen -t rsa -b 2048 -v, which generates the .pem and .pub files. When you get asked:

Enter file in which to save the key (/home/user/.ssh/id_rsa):

enter the name of the .pem file, for example: my-certificate.pem

Step by step from generating key to login:

  1. Generate the key with $ ssh-keygen -t rsa -b 2048 -v. When asked to enter the file in which to save the key, type my-certificate, and when asked to enter a passphrase, press Enter (empty passphrase) and confirm with Enter.
  2. You will get two files generated: one will be my-certificate and one will be my-certificate.pub. Rename my-certificate to my-certificate.pem, so you will have two files, my-certificate.pub and my-certificate.pem.
  3. Upload the public certificate to the server: ssh-copy-id -i ~/my-certificate.pub username@ip
  4. Make the .pem file on your computer read-only: sudo chmod 400 my-certificate.pem
  5. Log in with $ sudo ssh -i /path/to/my-certificate.pem user@ip
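
An added example, not part of the original answer: a Python check that decodes one ssh-rsa line of the kind the answer says appears in ~/.ssh/authorized_keys, and reports the key size and SHA256 fingerprint so the entry on the server can be compared with the key that was generated. The function names and the sample line are constructed for illustration; the sample has the correct wire format but is not a usable key.

```python
import base64
import hashlib
import struct

def _field(buf, off):
    """Read one field: uint32 big-endian length, then that many bytes."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    if off + 4 + n > len(buf):
        raise ValueError("field runs past end of blob")
    return buf[off + 4:off + 4 + n], off + 4 + n

def inspect_authorized_key(line):
    """Decode one 'ssh-rsa <base64> [comment]' line from authorized_keys."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    inner, off = _field(blob, 0)
    if inner != parts[0].encode() or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key, or type does not match blob")
    _e, off = _field(blob, off)   # public exponent
    n, off = _field(blob, off)    # modulus
    if off != len(blob):
        raise ValueError("trailing bytes after modulus")
    digest = hashlib.sha256(blob).digest()
    return {
        "type": parts[0],
        "bits": int.from_bytes(n, "big").bit_length(),
        # same form ssh-keygen -lf prints: unpadded base64 of SHA-256(blob)
        "fingerprint": "SHA256:" + base64.b64encode(digest).decode().rstrip("="),
        "comment": parts[2].strip() if len(parts) > 2 else "",
    }

def build_sample_line(bits=2048, comment="constructed@example"):
    """Constructed sample: valid wire format, NOT a usable RSA key."""
    def mpint(v):  # big-endian; 0x00 is prepended when the first byte's top bit is set
        return v.to_bytes(v.bit_length() // 8 + 1, "big")
    def field(b):
        return struct.pack(">I", len(b)) + b
    n = (1 << (bits - 1)) | 1  # placeholder modulus with the top bit set
    blob = field(b"ssh-rsa") + field(mpint(65537)) + field(mpint(n))
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

if __name__ == "__main__":
    print(inspect_authorized_key(build_sample_line()))
```

Lines that start with options or use another key type are rejected with ValueError, as is a truncated blob such as the shortened one quoted in the answer.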