
Scenario 4: reusing existing OpenSSH RSA keys

Some users have been using the same OpenSSH RSA key for a long time and want to keep it rather than generate a fresh one on the card.

The pros: after the transfer, copy your original private key (id_rsa) to an optical disc (CD or DVD) and store it in a safe place. You keep an offline backup of your SSH key while the working copy lives on the card, which is a good way to improve security.
The cons: not all OpenSSH key formats are supported, and the Feitian PKI is somewhat picky: DSA keys are not accepted at all. This approach is also not as secure as generating the key on the card, because the private key has existed on your computer: if that machine was compromised at any point before the transfer (or the backup copy leaks), the key may already be compromised.

Reusing OpenSSH RSA keys

Before anything else, note that the Feitian PKI only accepts 1024-bit or 2048-bit RSA keys. OpenSSH DSA keys are not accepted.

Save the OpenSSH private RSA key in PEM format. If the file begins with "-----BEGIN OPENSSH PRIVATE KEY-----" it is in OpenSSH's own container (the default in recent OpenSSH releases) and openssl cannot read it; convert it in place first with ssh-keygen -p -m PEM -f ~/.ssh/id_rsa, then run:

$ openssl rsa -in ~/.ssh/id_rsa -outform pem > id_rsa.pem

The resulting id_rsa.pem is unencrypted, so keep it only for the duration of the transfer.

Transfer the key to the smartcard:

$ pkcs15-init --store-private-key id_rsa.pem --auth-id 01 --pin 0000

Passing --pin on the command line leaves the PIN in your shell history and visible to other users in the process list; omit the option and pkcs15-init will prompt for it. Once the key is on the card, delete id_rsa.pem.
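The whole procedure, with the pre-checks the text above implies (reject DSA keys, convert OpenSSH-container keys to PEM, refuse modulus sizes the card does not accept, never put the PIN on the command line, remove the plaintext copy afterwards), as an added example script. It is not from the original page or from OpenSC; it assumes openssl, ssh-keygen, pkcs15-init and pkcs15-tool are installed, the card is in the reader, the user PIN has auth-id 01 as on this page, and the key object id 45 and label "ssh" are arbitrary choices.

```shell
#!/bin/sh
# Added example (not from the original page): import an existing OpenSSH RSA
# key onto a PKCS#15 smartcard with OpenSC. Card limits (RSA 1024/2048 only,
# no DSA) are taken from the text above. Assumed: openssl, ssh-keygen,
# pkcs15-init and pkcs15-tool are installed and the user PIN has auth-id 01.
set -eu

# Classify a private-key file by its first (header) line.
# Prints one of: openssh | rsa | dsa | pkcs8 | unknown
key_format() {
    case "$(head -n 1 "$1")" in
        "-----BEGIN OPENSSH PRIVATE KEY-----") echo openssh ;;
        "-----BEGIN RSA PRIVATE KEY-----")     echo rsa ;;
        "-----BEGIN DSA PRIVATE KEY-----")     echo dsa ;;
        "-----BEGIN PRIVATE KEY-----"|"-----BEGIN ENCRYPTED PRIVATE KEY-----") echo pkcs8 ;;
        *) echo unknown ;;
    esac
}

# Return 0 only for modulus lengths the card accepts.
card_accepts_bits() {
    case "$1" in
        1024|2048) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the modulus length of a PEM RSA key, e.g. 2048 (needs openssl).
rsa_bits() {
    openssl rsa -in "$1" -noout -text \
        | sed -n 's/.*Private-Key: (\([0-9]*\) bit.*/\1/p' | head -n 1
}

# Convert, check and store the key given as $1; the PIN is prompted for.
import_key() {
    src="$1"
    tmp="$(mktemp "${TMPDIR:-/tmp}/id_rsa.XXXXXX")"
    # The unencrypted PEM copy exists only for this run.
    trap 'rm -f "$tmp"' EXIT

    case "$(key_format "$src")" in
        dsa)
            echo "DSA keys are not supported by the card" >&2
            return 1 ;;
        openssh)
            # OpenSSH's own container is unreadable by openssl; ssh-keygen
            # rewrites the file in place, so convert a copy, not the original.
            cp "$src" "$tmp"
            ssh-keygen -p -m PEM -N "" -f "$tmp" >/dev/null ;;
        rsa|pkcs8)
            openssl rsa -in "$src" -outform PEM -out "$tmp" ;;
        *)
            echo "unrecognised private key format in $src" >&2
            return 1 ;;
    esac

    bits="$(rsa_bits "$tmp")"
    if ! card_accepts_bits "$bits"; then
        echo "card accepts only 1024- or 2048-bit RSA keys, got ${bits:-?}" >&2
        return 1
    fi

    # No --pin here: pkcs15-init prompts, so the PIN stays out of history/ps.
    # --id 45 and --label are arbitrary choices (assumption).
    pkcs15-init --store-private-key "$tmp" --auth-id 01 --id 45 --label ssh

    # Verify the object landed and export the matching OpenSSH public key.
    pkcs15-tool --list-keys
    pkcs15-tool --read-ssh-key 45
}

# Only run the import when a key path is given (lets the file be sourced).
if [ "$#" -gt 0 ]; then
    import_key "$1"
fi
```

Usage: sh import_ssh_key.sh ~/.ssh/id_rsa. The exported public key line can be appended to authorized_keys on the servers; the original id_rsa then goes to the offline backup described above and should be removed from the working machine.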