Generating DSA PEM key pairs

I needed a pair of DSA keys recently, not standard ssh DSA keys but PEM keys. Creating DSA PEM keys is something best suited to openssl but it can be a pain in the butt to get the params set up right. And othing creates key pairs quite as easily as ssh-keygen so I thought, what the heck, let’s combine the best of both worlds.

I figured I’d keep my new keys in ~/.ssh where my RSA keys already live:

$ cd ~/.ssh

The next step is to create an ssh DSA key pair with ssh-keygen. -t sets the type (dsa in this case) while -b sets the number of bits (dsa are limited to 1024):

$ ssh-keygen -t dsa -b 1024

You’ll be asked for a file name and location (default is fine), and ask you for a passphrase. Unless you want the client side to always be prompted for a passphrase, I’d leave this blank.

Then we’ll use openssl to convert the ssh private dsa to a PEM. The default dsa we just created would be called id_dsa. If you named it otherwise, then change this line accordingly after the -in option:

$ openssl dsa -in id_dsa -outform pem > dsa_priv.pem

Now we have a private DSA PEM that we can use to create our public PEM:

$ openssl dsa -in dsa_priv.pem -pubout -out dsa_pub.pem

In your ~/.ssh folder you’l now have dsa_priv.pem and dsa_pub.pem. Keep the private DSA PEM in a safe place and use the dsa_pub.pem as necessary for your client needs.


Adam Merrifield


Leave a Reply