Tags: ssh, openssl, pki, ssh-keygen, cfssl

Can I use ssh-keygen and cfssl interchangeably for ssh login?


It's slightly embarrassing to ask this, but here goes: What's the difference between generating public/private keys via ssh-keygen and cfssl?

I've successfully used ssh-keygen to create pub/private key credentials that can be used to ssh into a server. I've also successfully used cfssl to create a private key & certificate for a web site. However, I can't seem to figure out how to use cfssl to do what ssh-keygen does.

Since they both can be used to generate public/private RSA 4096 keys, it seems as if they could be used interchangeably. Unfortunately, no matter how many different combinations I try, or how much I search the interwebs, I can't seem to find a working example.

I'm starting to think that there's something I fundamentally don't understand regarding each tool's approach to encryption.

People of stackoverflow land... have mercy on me, and please point out the error of my ways. Your help is truly appreciated.


Solution

  • No, these two types of keys aren't interchangeable. RSA is an algorithm for encryption and digital signatures. It is used in both TLS (for web sites) and SSH, but those two protocols, while they both support RSA keys, use the algorithm differently.

    A protocol specifies a (hopefully secure) technique for using standard algorithms and protecting data with them, and there are many secure ways to use RSA to sign data, which differ based on the protocol. Similarly, both TLS and SSH can use AES-GCM to encrypt and authenticate data, but they will use it differently.

    Moreover, even if you could generate keys for one with the other, you generally don't want to reuse keys for different purposes. That's because in some cases, an attacker can capture a valid message in one protocol and use it in the other protocol to impersonate the legitimate party.

    Do note that the private key formats typically used by OpenSSH and TLS implementations are often the same, but the public key formats are not. An SSH public key is going to look totally different from an X.509 public key used with TLS.

    If you need to create keys for use with SSH, you should use ssh-keygen, and if you need to create a key for use with your web server or another TLS server, use a tool for that, like openssl or cfssl.
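To make the "same numbers, different container" point in the answer concrete, here is an added example (not code from the original post or from either tool) that encodes one RSA public key (n, e) both as an OpenSSH `ssh-rsa` line and as the X.509 SubjectPublicKeyInfo PEM that TLS tooling expects, and converts between the two, which is what `ssh-keygen -e -m PKCS8` and `ssh-keygen -i -m PKCS8` do. It uses only the Python standard library. The modulus `SAMPLE_N` is a constructed integer with the right size and parity, not a real key, because only the encodings are being compared; the function names are this example's own.

```python
import base64
import hashlib
import struct

# --- OpenSSH wire format: "ssh-rsa" + mpint(e) + mpint(n), base64 on one line ---

def _ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b

def _ssh_mpint(n: int) -> bytes:
    # Two's-complement big-endian; a leading 0x00 keeps a high-bit value positive.
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if b and b[0] & 0x80:
        b = b"\x00" + b
    return _ssh_string(b)

def ssh_rsa_encode(n: int, e: int, comment: str = "") -> str:
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode()
    return line + (" " + comment if comment else "")

def ssh_rsa_decode(line: str) -> tuple[int, int]:
    """Parse an authorized_keys-style line and return (n, e)."""
    blob = base64.b64decode(line.split()[1])
    fields, i = [], 0
    while i < len(blob):
        (ln,) = struct.unpack(">I", blob[i:i + 4])
        fields.append(blob[i + 4:i + 4 + ln])
        i += 4 + ln
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not an ssh-rsa public key")
    return int.from_bytes(fields[2], "big"), int.from_bytes(fields[1], "big")

def ssh_fingerprint(line: str) -> str:
    """Same value `ssh-keygen -l` prints: SHA-256 over the SSH blob, not the DER."""
    blob = base64.b64decode(line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

# --- X.509 SubjectPublicKeyInfo: SEQUENCE { AlgorithmIdentifier, BIT STRING { RSAPublicKey } } ---

# AlgorithmIdentifier for rsaEncryption (OID 1.2.840.113549.1.1.1) with NULL parameters.
RSA_ALGID = bytes.fromhex("300d06092a864886f70d0101010500")

def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def _der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body

def _der_int(n: int) -> bytes:
    b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b
    return _der(0x02, b)

def _der_read(buf: bytes, i: int) -> tuple[int, bytes, int]:
    """Return (tag, content, index after this element)."""
    tag, ln, i = buf[i], buf[i + 1], i + 2
    if ln & 0x80:
        k = ln & 0x7F
        ln, i = int.from_bytes(buf[i:i + k], "big"), i + k
    return tag, buf[i:i + ln], i + ln

def spki_pem_encode(n: int, e: int) -> str:
    rsa_pub = _der(0x30, _der_int(n) + _der_int(e))       # RSAPublicKey
    bit_str = _der(0x03, b"\x00" + rsa_pub)               # 0 unused bits
    spki = _der(0x30, RSA_ALGID + bit_str)
    b64 = base64.b64encode(spki).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"

def spki_pem_decode(pem: str) -> tuple[int, int]:
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    _, spki, _ = _der_read(base64.b64decode(body), 0)
    _, algid, i = _der_read(spki, 0)
    if _der(0x30, algid) != RSA_ALGID:
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    _, bit_str, _ = _der_read(spki, i)
    _, rsa_pub, _ = _der_read(bit_str, 1)                  # skip unused-bits byte
    _, nb, i = _der_read(rsa_pub, 0)
    _, eb, _ = _der_read(rsa_pub, i)
    return int.from_bytes(nb, "big"), int.from_bytes(eb, "big")

# --- Conversions in both directions (what ssh-keygen -e / -i -m PKCS8 do) ---

def ssh_to_spki(line: str) -> str:
    return spki_pem_encode(*ssh_rsa_decode(line))

def spki_to_ssh(pem: str, comment: str = "") -> str:
    return ssh_rsa_encode(*spki_pem_decode(pem), comment)

# Constructed sample: a 2048-bit odd integer standing in for a modulus. NOT a real key.
SAMPLE_N = (1 << 2047) | (0xD1CE << 1000) | 1
SAMPLE_E = 65537
SAMPLE_SSH = ssh_rsa_encode(SAMPLE_N, SAMPLE_E)

if __name__ == "__main__":
    print(SAMPLE_SSH[:60] + "...", ssh_fingerprint(SAMPLE_SSH))
    print(ssh_to_spki(SAMPLE_SSH)[:80] + "...")
```

Both outputs carry the identical (n, e), yet neither tool reads the other's container natively, which is exactly why a cfssl-generated key "does nothing" for SSH until its public half is re-encoded. With real keys the same round trip is `ssh-keygen -e -m PKCS8 -f id_rsa.pub` (SSH line to PEM) and `ssh-keygen -i -m PKCS8 -f pub.pem` (PEM to SSH line), and `ssh-keygen -y -f key.pem` derives the SSH public line directly from a PEM private key, which is the sense in which the answer says the private key formats often coincide.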