15

I'm running this command on my PC (OpenSSL version: 1.0.1):

openssl pkcs8 -inform DER -in file.key -passin pass:12345678a -outform PEM -out key.pem

and I got this key.pem:

-----BEGIN PRIVATE KEY-----
MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANCFPVXwO+6qQdOs
...
wVauPfh0cGEf1Kc=
-----END PRIVATE KEY-----

But when I run the same command from my server (OpenSSL version: 0.9.8e-fips-rhel5) I get this output:

-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQDQhT1V8DvuqkHTrMPFUUAXUl0ihDGoiD86SqK8Z3n19yp1VrJf
...
zHY0343VXnpM2opKwG2E1zgfHfbcLMFWrj34dHBhH9Sn
-----END RSA PRIVATE KEY-----

The Base64 inside is different, and so are the headers:

-----BEGIN PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----

The first one works for me. How could I get the -----BEGIN PRIVATE KEY----- output on the 0.9.8 version?

I found this in the OpenSSL patch notes:

Change default private key format to PKCS#8.

So that could be the main issue. I hope someone can help me with this; I can't find a way to get the private key in a form other than the BEGIN RSA PRIVATE KEY one.

Thanks

Logan

1 Answer

31

Use `openssl pkcs8 -topk8` to convert a private key from traditional format to PKCS#8 format.

This format

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

is referred to as "SSLeay format" or "traditional format" for private keys.

I'm not sure which format your key is in, so I'll demonstrate the idea with a private key generated by genrsa. When you do genrsa in OpenSSL 0.9.8x, the generated key is in traditional format. That is, after

openssl genrsa -out file.key 1024

you'll get an RSA key in traditional format:

-----BEGIN RSA PRIVATE KEY-----
MIICWwIBAAKBgQC3TyaSzsJO92/Ahq5rxRI1T0JSC0iF...
-----END RSA PRIVATE KEY-----

Then run pkcs8 with -topk8 to convert this key from traditional format to PKCS#8 format.

openssl pkcs8 -topk8 -inform pem -in file.key -outform pem -nocrypt -out file.pem

Here's what you'll get:

-----BEGIN PRIVATE KEY-----
MIICdQIBADANBgkqhkiG9w0BA...
-----END PRIVATE KEY-----

All of the above was done with OpenSSL 0.9.8x. It shows how to generate a PKCS#8 format key from a traditional format key. On the other hand, you can always run this on OpenSSL 1.0.1 to make the key compatible with the older version:

openssl rsa -in file.pem -text > key.pem
Chiara Hsieh
  • Thank you, it worked for me. I added the second proc and now it runs – Logan Jun 11 '13 at 18:20
  • On the last item `-text` is not needed; just read into `openssl rsa` and write out produces the "legacy" (PKCS#1) format as requested. `-text` *adds* human-readable comments that may be helpful in some cases, but they are not in the output formerly produced by `pkcs8` (from8) as the question requests. – dave_thompson_085 Jul 09 '15 at 17:53
  • Just for completeness, `-----BEGIN RSA PRIVATE KEY-----` is a PKCS#1 encoding where the data does not include the type of key. PKCS#8 can encode any type of key, but PKCS#1 does not include the type of key, thus the text header indicates the key type. – Lawrence Dol Jul 14 '16 at 21:29
  • @LawrenceDol: PKCS #1 (https://tools.ietf.org/html/rfc8017#appendix-A.1.2) doesn't specify any ASCII base64 encoding, and it also doesn't specify the `-----BEGIN RSA PRIVATE KEY-----` header. Do you have a link to a standard which specifies this header? – pts May 01 '20 at 21:47
  • @pts: the (generic) header+base64+linebreaks+trailer format comes from PEM (RFC1421 4.3.2.4 and 4.4); there is no standard for OpenSSL 'traditional' formats `{RSA,DSA,EC} PRIVATE KEY`, although for RSA the content is PKCS1, ECC is SEC1 or RFC5915 and DSA is just EAY's choice. The 'new' (PKCS8) formats `PRIVATE KEY` and `ENCRYPTED PRIVATE KEY` are specified in https://tools.ietf.org/html/rfc7468 sections 10 and 11, referencing RFC5208 and RFC5958. – dave_thompson_085 Oct 15 '20 at 01:42
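
Added example, not part of the original thread: the two Base64 bodies quoted in the question hold the same RSA key, and the PKCS#8 form only prepends a PrivateKeyInfo header that names the algorithm. The Python below walks that header using just the first Base64 line of each file as quoted in the question; the function names are illustrative, and `classify` assumes the input is an RSA key.

```python
import base64

# First Base64 line of each PEM body, copied from the question above
# (truncated keys: only DER tag/length headers are parsed, never full contents).
PKCS8_LINE = "MIICdwIBADANBgkqhkiG9w0BAQEFAASCAmEwggJdAgEAAoGBANCFPVXwO+6qQdOs"
PKCS1_LINE = "MIICXQIBAAKBgQDQhT1V8DvuqkHTrMPFUUAXUl0ihDGoiD86SqK8Z3n19yp1VrJf"

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def read_header(buf, pos, want_tag):
    """Parse one DER tag+length at pos; return (length, content_offset)."""
    if buf[pos] != want_tag:
        raise ValueError(f"expected tag {want_tag:#04x} at {pos}, got {buf[pos]:#04x}")
    first = buf[pos + 1]
    if first < 0x80:                      # short form: the byte is the length
        return first, pos + 2
    n = first & 0x7F                      # long form: n length bytes follow
    if not 1 <= n <= 4:
        raise ValueError("unsupported DER length")
    return int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def classify(buf):
    """Tell PKCS#8 from traditional RSA by structure, ignoring the PEM label."""
    _, pos = read_header(buf, 0, 0x30)        # outer SEQUENCE
    vlen, pos = read_header(buf, pos, 0x02)   # version INTEGER
    nxt = buf[pos + vlen]
    # PKCS#8: AlgorithmIdentifier SEQUENCE follows; PKCS#1: modulus INTEGER follows
    return {0x30: "PKCS#8", 0x02: "PKCS#1"}.get(nxt, "unknown")


def pkcs8_inner(buf):
    """Return (algorithm OID bytes, offset, length) of the wrapped key."""
    _, pos = read_header(buf, 0, 0x30)
    vlen, pos = read_header(buf, pos, 0x02)
    alen, apos = read_header(buf, pos + vlen, 0x30)   # AlgorithmIdentifier
    olen, opos = read_header(buf, apos, 0x06)         # algorithm OID
    klen, kpos = read_header(buf, apos + alen, 0x04)  # privateKey OCTET STRING
    return buf[opos:opos + olen], kpos, klen


if __name__ == "__main__":
    p8, p1 = base64.b64decode(PKCS8_LINE), base64.b64decode(PKCS1_LINE)
    oid, off, length = pkcs8_inner(p8)
    print(classify(p8), classify(p1), oid == RSA_OID, off, length)
    print("inner bytes match traditional key:", p8[off:] == p1[:len(p8) - off])
```

Checking structure rather than the `-----BEGIN ...-----` label is useful when a file has been relabelled or arrives as raw DER, which is the input form used in the question.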