DEV Community


OCI API - What should you know about your keys ?

abhilash8 profile image Abhilash Kumar Bhattaram ・3 min read

Working with Oracle Cloud Infrastructure (OCI) API operations generally requires 3 keys to work which are 1 Private Key and its corresponding 2 Public Keys (one ssh public key and one openssl API Key ).

Lets take a brief understanding about these keys

  • Private Keys - As the name indicates it's private to the user and it is the KEY to be used access ssh/API operations you could use a password or password less authentication based on your preference
  • ssh Public Keys - When you public key is added to the ~/.ssh/authorized_keys to the server you wish to connect, it authenticates only using corresponding the private key
  • API Public Keys - These are special type of public keys used to perform any kind of API operations , such as managing Oracle Cloud Compute Instances

Option 1 ( NEW Keys via OCI CLI )

This is the Oracle recommended way of setting up keys

1) Set up OCI CLI using

2) Run this command

# oci setup keys 

However there are other alternatives to do the same , the reason for this is that sometimes I would like to use my existing key
the below options would explain them

Option 2 ( Linux Users )

1) Generate SSH Keys from a Linux terminal

# ssh-keygen -b 2048 -t rsa -f keyname_oci 
# openssl rsa -pubout -in keyname_oci -out keyname_api_oci_openssl.pem

[ NOTE : If you already have a private key just add the key name to the -in section in the above openssl command ]

The commands will generate files 

keyname_oci                     This is your Private key - KEEP IT SAFE                     This is ssh Public Key , can be shared to people to let you access to servers 
keyname_api_oci_openssl.pem     This is API Public Key , this needs to be added to the API key in OCI User Menus

Option 3 ( For Mac users to use your existing key )

This is a special case where we have Apple laptop Mac created keys, I ran into this issue myself and found a hard way out of it,I wanted to use the mac generated key but the pem formats from Mac and Linux are very different and the API keys were not recognised by OCI , so I followed the below steps to convert the mac Private key to Linux format and then create an API key from it.

1) Copy your mac generated private key file

# cp id_rsa keyname_oci

2) Copy the keyname_oci to a Linux Box

# openssl req -x509 -newkey rsa:2048 -keyout keyname_oci -out public.pem -nodes    [ just give enter to the prompts , this will overwrite the file keyname_oci]


NOTE : Your could use this if you need to have a time limit on the validity of the Private key 
# openssl req -x509 -days 365 -newkey rsa:2048 -keyout keyname_oci -out public.pem -nodes    

3) Convert to openssl to get API key

# openssl rsa -pubout -in keyname_oci -out keyname_api_oci_openssl.pem

4) The public.pem created is not needed , we don't need that format for API operations.

Key Conversion pem to ppk formats

In case you need to use your private key created in any of the steps above from a Windows Desktop , you can always use a Putty Gen to convert it to a ppk format

1) Install PuttyGen software in Windows
2) Open Putty Gen
3) Import the Private Key - since you are converting the format you need to import You could choose to use a password here if needed
4) Save Private Key as ppk file

Key Conversion ppk to pem formats

Lets say you have created the private key in Windows ppk format and would like to convert to pem ,
you could do the below

1) Install PuttyGen software in Linux or Mac
2) run the following command

# puttygen keyname_oci.ppk -O private-openssh -o keyname_oci.pem

I hope this post was informative


As long as you have the private key there are numerous options to convert it into other formats.

Discussion (0)

Editor guide