Public-key authentication depends on compatible key formats between client tools and servers. Converting an SSH public key between OpenSSH and SSH2 (SECSH) formats enables reuse of the same key with different clients, appliances, and managed services.

The ssh-keygen utility supports exporting an OpenSSH public key to SSH2 format with the -e option and importing an SSH2 public key back to OpenSSH format with the -i option. These conversions operate on the key data and leave the original key files unchanged, which makes it safe to write the converted result to a separate file.

Key conversions must be handled carefully to avoid exposing sensitive private keys or breaking existing access. Focusing on public key files (usually with a .pub extension) reduces risk, and verifying the converted file type ensures the resulting key matches the expected format on Linux, macOS, and Windows 11 environments.

Steps to convert SSH keys between SSH2 (SECSH) and OpenSSH formats:

  1. Launch a terminal on the system where the SSH key resides.
  2. Create an SSH key pair if no existing key is available.
    $ ssh-keygen -t rsa -b 3072 -f ~/.ssh/id_rsa -N ""
    Generating public/private rsa key pair.
    Your identification has been saved in /home/user/.ssh/id_rsa
    Your public key has been saved in /home/user/.ssh/id_rsa.pub
    The key fingerprint is:
    SHA256:rYSEe35JdJ2VA9gtQtIFNLXwEB03TyBaM2qc+XMytks user@host
    The key's randomart image is:
    +---[RSA 3072]----+
    |        .+OOX+=o.|
    |     .   o+%+O++ |
    |    . . . O.=. ..|
    |     o o + .     |
    |    . o S . * .  |
    |     o o o . *   |
    |      . +   E    |
    |       .   . .   |
    |            .    |
    +----[SHA256]-----+

    ssh-keygen creates a key pair in OpenSSH format by default. The -N "" option creates the private key without a passphrase; omit it to set a passphrase interactively.

  3. Locate the public key file that requires conversion.
    $ ls ~/.ssh/id_rsa.pub
    /home/user/.ssh/id_rsa.pub

    Public key files typically use the .pub extension, while private key files commonly have no extension.

  4. Inspect the key file type to confirm the current format.
    $ file ~/.ssh/id_rsa.pub
    /home/user/.ssh/id_rsa.pub: OpenSSH RSA public key
  5. Export the OpenSSH public key to SSH2 (SECSH) format.
    $ ssh-keygen -e -f ~/.ssh/id_rsa.pub
    ---- BEGIN SSH2 PUBLIC KEY ----
    Comment: "3072-bit RSA, converted by user@host from OpenSSH"
    AAAAB3NzaC1yc2EAAAADAQABAAABgQDoHU56MyREsMF0zwACah9GCn2wlrwEsiDOidrnEa
    X9tjNwwju+CD7MxESYHD/cxOzPJ8hkQzE0AN3NHjIoW8w9Nk8dVHhbAyF1f5Lgzi2vb0/u
    uHbB0InWeV4ni4hjnQx3TcjgQo/Rz/rdKVW/PadbVnaPBoBt3qnbMQAnVKPzTCxS7WIFbg
    WAh5Y5QHSw+ESJCe/pRxx8b59FER2gJ2Jbc84eQ/HPKyYSa5da9gx+z7CsbP67U8xzSzBY
    JwXAloYH/yBo/v1YIqWQQ6j6rssCdGiW4/rIOOviNWA7FWaaovh46pOrSLO/1crixivaHP
    7CBlg6Q4QEZX6A9ov/C87ZB2VCY7RJqZXkLnH7F66j75GgEpOAivpGiODWRgUCbJMAGUeE
    VVE2Q55DnLrexrlujxzwwiga+KxLoI+GmV1fcFRiMTAoIHkFjNob0+3q89y5yH4LAbKDcX
    Fm8DR03nvpd37k3dEMlJZ7ZwinW0uMwCJBHL7ItMGHMRE2goa01jE=
    ---- END SSH2 PUBLIC KEY ----

    The -e option exports an OpenSSH key to SSH2 (SECSH) public key format.

  6. Save the converted SSH2 public key to a separate file.
    $ ssh-keygen -e -f ~/.ssh/id_rsa.pub > id_rsa_ssh2.pub

    Writing the converted key to a new file keeps the original key intact for existing deployments.

  7. Import the SSH2 public key back into OpenSSH format when needed.
    $ ssh-keygen -i -f id_rsa_ssh2.pub
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDoHU56MyREsMF0zwACah9GCn2wlrwEsiDOidrnEaX9tjNwwju+CD7MxESYHD/cxOzPJ8hkQzE0AN3NHjIoW8w9Nk8dVHhbAyF1f5Lgzi2vb0/uuHbB0InWeV4ni4hjnQx3TcjgQo/Rz/rdKVW/PadbVnaPBoBt3qnbMQAnVKPzTCxS7WIFbgWAh5Y5QHSw+ESJCe/pRxx8b59FER2gJ2Jbc84eQ/HPKyYSa5da9gx+z7CsbP67U8xzSzBYJwXAloYH/yBo/v1YIqWQQ6j6rssCdGiW4/rIOOviNWA7FWaaovh46pOrSLO/1crixivaHP7CBlg6Q4QEZX6A9ov/C87ZB2VCY7RJqZXkLnH7F66j75GgEpOAivpGiODWRgUCbJMAGUeEVVE2Q55DnLrexrlujxzwwiga+KxLoI+GmV1fcFRiMTAoIHkFjNob0+3q89y5yH4LAbKDcXFm8DR03nvpd37k3dEMlJZ7ZwinW0uMwCJBHL7ItMGHMRE2goa01jE=

    The -i option imports an SSH2 public key into OpenSSH public key format.

  8. Save the imported OpenSSH public key to a new file for use with OpenSSH servers.
    $ ssh-keygen -i -f id_rsa_ssh2.pub > id_rsa_openssh.pub
  9. Verify the converted key file type after the import.
    $ file ~/id_rsa_openssh.pub
    /home/user/id_rsa_openssh.pub: OpenSSH RSA public key

    Confirming the file type ensures the key matches the expected format before configuring authorized keys or client profiles.
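The file type check confirms the format but not that the key itself survived the conversion. The following added example (not part of the original page, and not ssh-keygen's own code) reimplements both conversions at the format level per RFC 4716 and compares SHA256 fingerprints after a round trip. The function names are hypothetical and SAMPLE is a constructed blob with filler bytes, not a usable key.

```python
import base64, hashlib, struct

BEGIN, END = "---- BEGIN SSH2 PUBLIC KEY ----", "---- END SSH2 PUBLIC KEY ----"

def key_type(blob: bytes) -> str:
    """Read the length-prefixed algorithm name that starts every key blob."""
    if len(blob) < 4:
        raise ValueError("key blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + n].decode("ascii")

def openssh_to_ssh2(line: str, comment: str = "") -> str:
    """One-line OpenSSH public key -> SSH2 (RFC 4716) text."""
    fields = line.split()
    if "PRIVATE KEY" in line or len(fields) < 2:   # never accept private key files
        raise ValueError("expected a one-line OpenSSH public key")
    blob = base64.b64decode(fields[1], validate=True)
    if key_type(blob) != fields[0]:
        raise ValueError("declared key type does not match key blob")
    # 70 characters per line stays inside the 72-byte limit of RFC 4716.
    chunks = [fields[1][i:i + 70] for i in range(0, len(fields[1]), 70)]
    return "\n".join([BEGIN, f'Comment: "{comment}"', *chunks, END]) + "\n"

def ssh2_to_openssh(text: str) -> str:
    """SSH2 (RFC 4716) public key text -> one-line OpenSSH public key."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an SSH2 public key")
    body, continued = [], False
    for l in lines[1:-1]:
        if continued or ":" in l:        # header line, or its backslash continuation
            continued = l.endswith("\\")
        else:
            body.append(l)
    blob = base64.b64decode("".join(body), validate=True)
    return f"{key_type(blob)} {base64.b64encode(blob).decode()}"

def fingerprint(openssh_line: str) -> str:
    """SHA256 fingerprint in the form ssh-keygen prints (unpadded base64)."""
    blob = base64.b64decode(openssh_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

# Constructed sample: an ssh-rsa shaped blob with filler bytes, not a usable key.
_parts = [b"ssh-rsa", b"\x01\x00\x01", bytes(range(1, 129))]
SAMPLE = "ssh-rsa " + base64.b64encode(
    b"".join(struct.pack(">I", len(p)) + p for p in _parts)).decode() + " user@host"

if __name__ == "__main__":
    ssh2 = openssh_to_ssh2(SAMPLE, "constructed sample")
    print(ssh2 + ssh2_to_openssh(ssh2), fingerprint(SAMPLE))
```

Matching fingerprints before and after conversion show that only the wrapper changed; the OpenSSH comment field is not part of the key blob and is dropped on import.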