CryptoSys Home >
PKI >
Generating ECC keys in OpenSSH format
This page demonstrates how to generate a pair of Elliptic Curve Cryptography (ECC) public and private keys in OpenSSH format.
We provide C# code using CryptoSys PKI Pro specifically for
ecdsa-sha2-nistp256 and ssh-ed25519
curves with unencrypted private keys.
OpenSSH key formats | The Known Test Keys | The C# Code | References | Contact us
Examples of NIST P-256 and Ed25519 public keys in OpenSSH format.
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHYSxMBdIUiMoUkj+lVd83ibsaY3p02JDMwfFYKlK18Q/Uv3SX1aTRZqz3CJin8eOUY6z4kQTV+H1rJFq9A0j/g= user@example.com
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAfphCpxrTPNXj5akk+9EEsClepCi9YpOiFI4ZSGAoff user@example.com
The corresponding private keys in unencrypted OpenSSH format.
-----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS 1zaGEyLW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQR2EsTAXSFIjKFJI/pVXfN4m7GmN6dN iQzMHxWCpStfEP1L90l9Wk0Was9wiYp/HjlGOs+JEE1fh9ayRavQNI/4AAAAsIe2LKKHti yiAAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBHYSxMBdIUiMoUkj +lVd83ibsaY3p02JDMwfFYKlK18Q/Uv3SX1aTRZqz3CJin8eOUY6z4kQTV+H1rJFq9A0j/ gAAAAhAKmf94rpamMP+aNnxCYDbON89NvLPUyBYrC1xsjAZEqgAAAAEHVzZXJAZXhhbXBs ZS5jb20BAgMEBQYH -----END OPENSSH PRIVATE KEY-----
-----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAMwAAAAtzc2gtZW QyNTUxOQAAACAH6YQqca0zzV4+WpJPvRBLApXqQovWKTohSOGUhgKH3wAAAJjWQDOb1kAz mwAAAAtzc2gtZWQyNTUxOQAAACAH6YQqca0zzV4+WpJPvRBLApXqQovWKTohSOGUhgKH3w AAAEA+Z4sIp9KQBSA7v5ATxTrzz9Tmv+764xOuTaAAYrWxCQfphCpxrTPNXj5akk+9EEsC lepCi9YpOiFI4ZSGAoffAAAAEHVzZXJAZXhhbXBsZS5jb20BAgMEBQ== -----END OPENSSH PRIVATE KEY-----
<type-name> <base64-encoded-ssh-public-key>[ <comment>]where
<type-name> is selected from an approved list
(we provide support for
ecdsa-sha2-nistp256 and ssh-ed25519 here).
The optional comment is usually of the form user@hostname.
The <base64-encoded-ssh-public-key> value is computed as described in [RFC4716] but in one line and without the BEGIN/END delimiters.
This public key format is explained in more detail by CoolAJ86 at [ONEAL-PUBLIC].
The private key is a "proprietary" OpenSSH format, encoded like a PEM file [RFC1421] but the content is not ASN.1 DER. CoolAJ86 explains the structure very well in [ONEAL-PRIVATE]. We got some more hints from the OpenSSH portable code at [OPENSSH-SSHKEY]. See also the comments in the C# code.
For reference, the known test keys above have the following hex-encoded components:
Private key:ae63a9e08d44ccbfc5d04ad45e936b968021f824b5717d41a6ccdb021317e551Public key:daff2e9da0ea27a2315f3fad7c2b2837de77c31a80a8beb488df8f2f4fcc30e8
Private key:a99ff78ae96a630ff9a367c426036ce37cf4dbcb3d4c8162b0b5c6c8c0644aa0Public key:047612c4c05d21488ca14923fa555df3789bb1a637a74d890ccc1f1582a52b5f
10fd4bf7497d5a4d166acf70898a7f1e39463acf89104d5f87d6b245abd0348ff8
The C# code: SSHkeys.cs.
Use the SSHKeys.GenSSHKeys method to generate a pair of ECC public and private keys in OpenSSH format.
More instructions in the source code.
Set useKnownTest = true to output the known test keys as shown above.
Otherwise a pair of random keys will be generated.
Comment out the line Trace.Listeners.Clear(); in Program.Main to show debugging output.
Generate a pair of ECC keys in SSH format.
public static void GenSSHKeys( Ecc.CurveName curveName, string newprikeyfile, string newpubkeyfile, string userHostName = "", bool useKnownTest = false )
Ecc.CurveName.Ed25519 or Ecc.CurveName.P_256 only.
SSHKeys.GenSSHKeys(Ecc.CurveName.P_256, "knownprikey_ecdsa256.pem", "knownpubkey_ecdsa256.pub", "user@example.com", useKnownTest: true); SSHKeys.GenSSHKeys(Ecc.CurveName.Ed25519, "newprikey_ed25519.pem", "newpubkey_ed25519.pub", "user@example.com");
To contact us or comment on this page, please send us a message.
This page first published 12 January 2024. Last updated 15 August 2025
