ssh-keygen

Generates, manages and converts authentication keys for ssh

Options

Name                       Description
-A                         For each of the key types (rsa, dsa, ecdsa and ed25519) for which host keys do not exist, generate the host keys with the default key file path, an empty passphrase, default bits for the key type, and default comment
-a [rounds]                When saving a private key, this option specifies the number of KDF
-B                         Show the bubblebabble digest of specified private or public key file
-b <bits>                  Specifies the number of bits in the key to create
-C <comment>               Provides a new comment
-c                         Requests changing the comment in the private and public key files
-D <pkcs11>                Download the public keys provided by the PKCS#11
-E <fingerprint_hash>      Specifies the hash algorithm used
-e                         Read an OpenSSH key file and print to stdout
-F <hostname>              Search for the specified hostname (with optional port number)
-f <filename>              Specifies the filename of the key file
-g                         Use generic DNS format when printing fingerprint resource records
-H                         Hash a known_hosts file
-h                         Create a host certificate instead of a user
-I <certificate_identity>  Specify the key identity when signing a public key
-i                         Read an unencrypted private (or public) key file
-K                         Download resident keys from a FIDO authenticator
-k                         Generate a KRL file
-L                         Generate a KRL file
-l                         Show fingerprint of specified public key file
-M <command>               Use for Moduli generation
-m <key_format>            Specify a key format for key generation
-N <new_passphrase>        Provides the new passphrase
-n <principals>            Specify one or more principals (user or host names) to be included in a certificate when signing a key
-O <option>
  • Repeatable ♾
-P <passphrase>            Provides the (old) passphrase
-p                         Requests changing the passphrase of a private key file instead of creating a new private key
-Q                         Test whether keys have been revoked in a KRL
-q                         Silence ssh-keygen
-R <hostname>              Removes all keys belonging to hostname
-r <hostname>              Print the SSHFP fingerprint resource record named hostname for the specified public key file
-s <ca_key>                Certify (sign) a public key using the specified CA key
-t <command>               Specifies the type of key to create
-U                         When used in combination with -s, this option indicates that a CA key resides in an ssh-agent(1)
-u                         Update a KRL
-V <validity_interval>     Specify a validity interval when signing a certificate
-v
  • Repeatable ♾
  • Repeatable 3x
-w <provider>              Specifies a path to a library that will be used when creating FIDO authenticator-hosted keys
-Y <command...>            Multiple functions: find principals, match principals, check novalidate, sign, verify
-y                         Read a private OpenSSH format file and print an OpenSSH public key to stdout
-Z <cipher>                Specifies the cipher to use for encryption when writing an OpenSSH-format private key file
-z <serial_number>         Specifies a serial number to be embedded in the certificate to distinguish this certificate from others from the same CA