And yet: I did read the documentation and using openssl was the solution I had come up with. Perhaps I was using a nonstandard version of ssh. Telling people to "just read the documentation" is quite condescending when they're demonstrating that they've come up with a different solution. It was years ago and I don't remember what version I was using.

Indeed, using ssh-keygen for the whole process certainly seems easier.