
Let me explain my question first. I bought a certificate from a CA and used the following format to generate the csr and the private key:

openssl req -new -newkey rsa:2048 -nodes -keyout server.key -out server.csr

When I open the server.key file, I see that it begins with "-----BEGIN PRIVATE KEY-----"

I use the SSL cert on my server and everything looks fine.

Now I want to upload the same cert to AWS IAM so that I can use it for my beanstalk load balancer. I use the following command from this aws doc http://docs.aws.amazon.com/IAM/latest/UserGuide/InstallCert.html#SubmitCSRCertAuth

iam-servercertupload -b public_key_certificate_file  -k privatekey.pem -s certificate_object_name

I change the cert file names as required but keep getting this error: "400 MalformedCertificate Invalid Private Key."

The interesting thing is, on the aws doc page, the sample private key that they show starts with "-------Begin RSA Private Key--------"

Is there a way to convert my private key to an RSA private key using openssl?

Michael Currie
Silent User

3 Answers


Newer versions of OpenSSL say BEGIN PRIVATE KEY because they contain the private key + an OID that identifies the key type (this is known as PKCS8 format). To get the old style key (known as either PKCS1 or traditional OpenSSL format) you can do this:

openssl rsa -in server.key -out server_new.key

If you are using OpenSSL 3, you need to add -traditional :

openssl rsa -in server.key -out server_new.key -traditional

Alternatively, if you have a PKCS1 key and want PKCS8:

openssl pkcs8 -topk8 -nocrypt -in privkey.pem
hilnius
Paul Kehrer
  • This is also the solution to getting weird error messages like `Invalid PEM structure, '-----BEGIN...' missing.` from tools like Cyberduck while pure SSH with the same key is working. – Daniel Oct 18 '13 at 05:58
  • This worked for me. Windows users can get OpenSSL here: http://slproweb.com/products/Win32OpenSSL.html – ben Feb 05 '14 at 21:28
  • Thank you! I was getting `A client error (MalformedCertificate) occurred when calling the UploadServerCertificate operation: Unable to parse certificate. Please ensure the certificate is in PEM format.` and running this on my private key fixed it! – philfreo Jun 19 '14 at 23:07
  • For reference: see http://stackoverflow.com/q/20065304/53974 for a more complete explanation. – Blaisorblade Jul 08 '15 at 12:47
  • How do we do the opposite of this? I need a `Private Key` from an `RSA Private Key`. – edthethird Aug 31 '15 at 15:06
  • `openssl pkcs8 -topk8 -nocrypt -in privkey.pem` will write a PKCS8 to STDOUT – Paul Kehrer Aug 31 '15 at 16:28
  • What should the old style say, `BEGIN RSA PRIVATE KEY`? – blamb Nov 25 '22 at 19:59
  • **update:** in OpenSSL 3.0.0 (released 2021) up `openssl rsa` now defaults to PKCS8; to get PKCS1 use `openssl rsa -traditional` _or_ `openssl pkey -traditional` (the latter has been an alternative since 1.0.0 in 2010) – dave_thompson_085 Mar 07 '23 at 22:38
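What the accepted answer describes is only a change of wrapper around the same key bytes: PKCS#8 is a version number plus an algorithm OID around the untouched PKCS#1 `RSAPrivateKey`. The script below is an added example, not code from this thread or from OpenSSL: a standard-library Python converter that does the wrap and unwrap itself, so you can see exactly what `openssl pkey -traditional` strips off and what `openssl pkcs8 -topk8 -nocrypt` adds. It checks the OID before unwrapping, because `BEGIN PRIVATE KEY` is also used for EC and Ed25519 keys that have no PKCS#1 form, and it refuses the `ENCRYPTED PRIVATE KEY` and `OPENSSH PRIVATE KEY` labels (which need `openssl pkcs8` without `-nocrypt`, or the `ssh-keygen -p -m PEM` from the third answer, respectively) instead of mangling them. All function names and the toy key built from the textbook primes p=61, q=53 are constructed for this example; the script does not validate the key's arithmetic, only its encoding.

```python
"""PKCS#8 <-> PKCS#1 for RSA private keys, standard library only (added example).
PKCS#8 "BEGIN PRIVATE KEY" is the PKCS#1 "BEGIN RSA PRIVATE KEY" body plus a wrapper:
    PrivateKeyInfo ::= SEQUENCE { version INTEGER (0),
                                  SEQUENCE { OID 1.2.840.113549.1.1.1, NULL },
                                  OCTET STRING (the RSAPrivateKey DER, verbatim) }
"""
import base64
import re

RSA_OID = bytes.fromhex("06092a864886f70d010101")  # id rsaEncryption, as a DER OID TLV
RSA_ALG_ID = b"\x30\x0d" + RSA_OID + b"\x05\x00"   # AlgorithmIdentifier { OID, NULL }

def der_len(n):
    """DER length: one byte below 128, else 0x80|count followed by count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(value):
    # Room for one extra bit so a non-negative INTEGER never gets a set top bit.
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def der_read(buf, pos=0):
    """Parse the TLV at buf[pos]; return (tag, body, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def pkcs1_to_pkcs8(rsa_private_key_der):
    """Wrap RSAPrivateKey in PrivateKeyInfo (what openssl pkcs8 -topk8 -nocrypt does)."""
    return der_tlv(0x30, der_int(0) + RSA_ALG_ID + der_tlv(0x04, rsa_private_key_der))

def pkcs8_to_pkcs1(private_key_info_der):
    """Unwrap PrivateKeyInfo to RSAPrivateKey (what openssl pkey -traditional does)."""
    tag, body, end = der_read(private_key_info_der)
    if tag != 0x30 or end != len(private_key_info_der):
        raise ValueError("PrivateKeyInfo must be a single SEQUENCE")
    tag, version, pos = der_read(body)
    if tag != 0x02 or version != b"\x00":
        raise ValueError("unsupported PrivateKeyInfo version")
    tag, alg, pos = der_read(body, pos)
    if tag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("not an rsaEncryption key: PKCS#1 only exists for RSA")
    tag, inner, _ = der_read(body, pos)                # optional attributes after it are ignored
    if tag != 0x04:
        raise ValueError("privateKey must be an OCTET STRING")
    return inner

def pem_decode(text):
    m = re.fullmatch(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", text.strip(), re.S)
    if not m:
        raise ValueError("not a single unencrypted PEM block")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def pem_encode(label, der):
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, lines, label)

def convert_pem(text):
    """Flip an RSA key between the two PEM encodings; refuse what needs another tool."""
    label, der = pem_decode(text)
    if label == "PRIVATE KEY":
        return pem_encode("RSA PRIVATE KEY", pkcs8_to_pkcs1(der))
    if label == "RSA PRIVATE KEY":
        return pem_encode("PRIVATE KEY", pkcs1_to_pkcs8(der))
    if label == "ENCRYPTED PRIVATE KEY":
        raise ValueError("encrypted PKCS#8: decrypt first, e.g. openssl pkcs8 -in enc.pem -out plain.pem")
    if label == "OPENSSH PRIVATE KEY":
        raise ValueError("OpenSSH native format, not ASN.1: use ssh-keygen -p -m PEM -f <file>")
    raise ValueError("unsupported PEM label: " + label)

def toy_pkcs1_key():
    """Constructed sample: the textbook p=61, q=53 key as a structurally valid RSAPrivateKey.
    Far too small for real use; it only exercises the wrapping (needs Python 3.8+ for pow(x, -1, m))."""
    p, q, e = 61, 53, 17
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    fields = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]   # RFC 8017 A.1.2 order
    return der_tlv(0x30, b"".join(der_int(v) for v in fields))

if __name__ == "__main__":
    pkcs1_pem = pem_encode("RSA PRIVATE KEY", toy_pkcs1_key())
    pkcs8_pem = convert_pem(pkcs1_pem)          # -> "-----BEGIN PRIVATE KEY-----"
    print(pkcs1_pem + pkcs8_pem)
    assert convert_pem(pkcs8_pem) == pkcs1_pem  # round trip is byte-exact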

This may be of some help (do not literally write out the backslashes '\' in the commands, they are meant to indicate that "everything has to be on one line"):

[Image: "Which Command to Apply When"]

It seems that all the commands (in grey) take any type of key file (in green) as "in" argument. Which is nice.

Here are the commands again for easier copy-pasting:

# $FF = the "from" (input) key file, $TF = the "to" (output) key file
openssl rsa                                                -in $FF -out $TF
openssl rsa -aes256                                        -in $FF -out $TF
openssl pkcs8 -topk8 -nocrypt                              -in $FF -out $TF
openssl pkcs8 -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA256 -in $FF -out $TF

and

openssl rsa -check -in $FF
openssl rsa -text  -in $FF
David Tonhofer
  • The "graphml" file of the image (which can be edited with [yworks yed](https://www.yworks.com/products/yed) for example) can be found [here](https://github.com/dtonhofer/diagrams/tree/master/OpenSSL_Commands) – David Tonhofer Apr 07 '18 at 09:40

To convert BEGIN OPENSSH PRIVATE KEY to BEGIN RSA PRIVATE KEY:

ssh-keygen -p -m PEM -f ~/.ssh/id_rsa
Yuri
ahirapara