Your browser does not allow storing cookies. We recommend enabling them.

SSH Tectia


ssh-keygen-g3 — authentication key pair generator


ssh-keygen-g3 [options...]
[key1 key2...]


ssh-keygen-g3 (ssh-keygen-g3.exe on Windows) is a tool that generates and manages authentication keys for Secure Shell. Each user wishing to use a Secure Shell client with public-key authentication can run this tool to create authentication keys. Additionally, the system administrator can use this to generate host keys for the Secure Shell server.

By default, if no path for the key files is specified, the key pair is generated under the user's home directory ($HOME/.ssh2 on Unix, "%USERPROFILE%\Application Data\SSH\UserKeys" on Windows). If no filename is specified, the key pair is likewise stored under the user's home directory with such filenames as id_dsa_1024_a and


The following options are available:

-1 file

Converts a key file from the SSH1 format to the SSH2 format.

-b bits

Specifies the length of the generated key in bits (default: 2048).

-B num

Specifies the number base for displaying key information (default: 10).

-c comment

Specifies a comment string for the generated key.

-D file

Derives the public key from the private key file.

-e file

Edits the specified key. Makes ssh-keygen-g3 interactive. You can change the key's passphrase or comment.

-F file

Dumps the fingerprint of the given public key. By default, the fingerprint is given in the SSH Babble format, which makes the fingerprint look like a string of "real" words (making it easier to pronounce). The format can be changed with the --fingerprint-type option.

-H, --hostkey

Stores the generated key pair in the default host key directory (/etc/ssh2 on Unix, "C:\Program Files\SSH Communications Security\SSH Tectia\SSH Tectia Server" on Windows). Specify the -P option to store the private key with an empty passphrase.

-i file

Loads and displays information on the key file.

-p passphrase

Specifies the passphrase for the generated key.


Specifies that the generated key will be saved with an empty passphrase.


Hides the progress indicator during key generation.

-r file

Adds entropy from file to the random pool. If file contains 'relatively random' data (i.e. data unpredictable by a potential attacker), the randomness of the pool is increased. Good randomness is essential for the security of the generated keys.

-t dsa | rsa

Selects the type of the key. Valid options are dsa (default) and rsa.

-x file

Converts a private key from the X.509 format to the SSH2 format.

-k file

Converts a PKCS #12 file to an SSH2-format certificate and private key.

-7 file

Extracts certificates from a PKCS #7 file.

--fingerprint-type [ =babble | babble-upper | pgp-2 | pgp-5 | hex | hex-upper ]

Specifies the output format of the fingerprint. If this option is given, the -F option and the key filename must precede it. The default format is babble.

See the section called “Examples” for examples of using this option.


Generates the key using the FIPS mode for the cryptographic library. In the FIPS mode, only DSA keys of 1024 bits and RSA keys of at least 1024 bits can be generated, and the keys must have non-empty passphrases. By default (if this option is not given), the key is generated using the standard mode for the cryptographic library.

--fips-crypto-dll-path PATH

Specifies the location of the FIPS cryptographic DLL.

--import-public-key infile outfile

Attempts to import a public key from infile and store it to outfile in SSH2 native format.

--import-private-key infile outfile

Attempts to import an unencrypted private key from infile and store it to outfile in SSH2 native private key format.

--import-ssh1-authorized-keys infile outfile

Imports an SSH1-style authorized_keys file infile and generates an SSH2-style authorization file outfile, and stores the keys from infile to generated files into the same directory with outfile.

--overwrite [ =yes | no ]

Overwrite files with the same filenames. The default is to overwrite.

--set-hostkey-owner-and-dacl file

On Windows, sets the correct owner and DACL (discretionary access control list) for the host key file. This option is used internally when a host key is generated during SSH Tectia Server installation.


Displays version string and exits.

-h, --help

Displays a short summary of command-line options and exits.


Create a 1024-bit RSA key pair using the cryptographic library in the FIPS mode and store the key pair in the default user key directory with filenames newkey and

$ ssh-keygen-g3 --fips-mode -t rsa -b 1024 newkey

Convert an SSH1 key oldkey to SSH2 format:

$ ssh-keygen-g3 -1 oldkey

Display the fingerprint of a server host public key in SSH babble (default) format:

$ ssh-keygen-g3 -F
Fingerprint for key:

Display the fingerprint of a server host public key in hex format:

$ ssh-keygen-g3 -F --fingerprint-type=hex
Fingerprint for key:




What to read next:

  • Reduce Secure Shell risk. Get to know the NIST 7966.

    The NISTIR 7966 guideline from the Computer Security Division of NIST is a direct call to action for organizations regardless of industry and is a mandate for the US Federal government.
    Download now
  • ISACA Practitioner Guide for SSH

    With contributions from practitioners, specialists and SSH.COM experts, the ISACA “SSH: Practitioner Considerations” guide is vital best practice from the compliance and audit community.
    Download now