
Replace the existing key pair for an Amazon EC2 instance


You do not need to stop or restart your EC2 instance to change its key pair, and the change is low-risk as long as you keep a working SSH session open until the new key has been verified. All you have to do is create a new key pair, derive its public key, and edit ~/.ssh/authorized_keys on the EC2 instance.


WitCentre will assist you in changing the existing key pair of an Amazon EC2 instance in this quick article. Following are the steps to complete the task.
  1. Create a new Key Pair
  2. Derive the public key
  3. Edit ~/.ssh/authorized_keys on the EC2 instance

1. Create a new Key Pair

Here is how you can create a new key pair to replace the existing key pair of an Amazon EC2 instance. Follow the steps below.
  1. Navigate to https://console.aws.amazon.com/ec2/
  2. Go to NETWORK & SECURITY section in left side navigation panel and click on Key Pairs.

  3. Choose Create Key Pair.

  4. Give a name to your new key pair (e.g. my-new-key-pair). Then choose pem as the file format (we are going to use it with OpenSSH; ppk is only needed for PuTTY) and click Create Key Pair.

After creating, the private key file (my-new-key-pair.pem) will automatically be downloaded. Keep it secure: it is the credential for your instance, and AWS does not keep a copy, so it cannot be downloaded again later.

2. Derive the public key

What goes into authorized_keys is the public half of the key pair, not a secret: the private key never leaves your machine. Open a terminal with 'Ctrl + Alt + t' and navigate to where the private key file was downloaded. Then do the following steps.
  1. Execute 'chmod 400 my-new-key-pair.pem'. This allows only you to read the private key file; OpenSSH refuses to use a private key that is readable by other users.
  2. Execute 'ssh-keygen -y -f my-new-key-pair.pem'. This prints the public key that matches the private key, a single line starting with 'ssh-rsa' (or 'ssh-ed25519' for an ED25519 key pair), which we need in the next step.
  3. Copy the full output line from the terminal.

3. Edit ~/.ssh/authorized_keys on the EC2 instance

Now our new key pair is ready. Let's replace the old one with it. Add the new public key first and remove the old one only after the new key has been proven to work, so that you can never end up with a file that contains no working key.
Open a new terminal and navigate to where you have saved your old key pair. Then follow the steps below.
  1. Execute 'ssh -i old-key-pair.pem username@instance-ip' to log in to the EC2 instance with the old key pair (the username is set by the AMI, e.g. ec2-user on Amazon Linux or ubuntu on Ubuntu).
  2. Execute 'vi ~/.ssh/authorized_keys' after you have logged in. The file belongs to your own user, so sudo is not needed (and editing it as root risks changing its ownership).
  3. Since you have opened it using vi, do the following,
    1. Move the cursor to the end of the file and press 'o' to open a new line in insert mode.
    2. Paste the public key you copied in step 3 of the 2nd task in this article. Leave the old key line in place for now.
    3. Press Esc.
    4. Type :wq and hit Enter to save the newly added value.
  4. Open a new terminal (DO NOT close the current terminal) and navigate to where your new private key file (my-new-key-pair.pem) exists.
  5. Then try logging in with the new private key using 'ssh -i my-new-key-pair.pem -o IdentitiesOnly=yes username@instance-ip'. The IdentitiesOnly option makes sure only the new key is offered, so the test cannot silently succeed with an old key still loaded in ssh-agent.
  6. Once that login works, go back to the first session, open ~/.ssh/authorized_keys in vi again, move to the old key line, press 'dd' to delete it, then :wq to save. Verify again with the new key as in step 5.
You have now successfully replaced the key pair of your Amazon EC2 instance with a new key pair! If you are unable to log in with the new key pair, something has gone wrong in the steps above (a truncated key line or a trailing space are the usual culprits); redo them carefully, and since the old key line is still in ~/.ssh/authorized_keys, the old session and the old key keep working. Therefore, until you can log in with the new key pair, do not close the terminal of the login session with the old key pair. Otherwise, you may lose login access to your EC2 instance. Note also that the instance details in the EC2 console will keep showing the name of the key pair chosen at launch time; that attribute is informational only, and ~/.ssh/authorized_keys is what actually controls access.

We hope you could pick up something useful from this short article. We will share more articles like this; you can get them easily by subscribing to WitCentre. You can comment below or contact us for help via the contact form.