
Initially we were using OpenSSL 0.9.8e to import the certificate. This version of OpenSSL used to create the private key BIO using the header "-----BEGIN RSA PRIVATE KEY-----". Now we have upgraded OpenSSL to 1.0.1. In this version of OpenSSL, when we import a certificate, the private key BIO is created using the header "-----BEGIN PRIVATE KEY-----".

This difference is causing the issue in exporting the certificate to other devices.

Can somebody please help me to debug this issue?

Thanks in advance, Azeem

  • possible duplicate of [How do i convert a private key to an RSA private key?](http://stackoverflow.com/questions/17733536/how-do-i-convert-a-private-key-to-an-rsa-private-key) – vzamanillo Jan 10 '14 at 11:15
  • The above-mentioned thread contains the solution, but it is the OpenSSL command to get the old-style key. I was hoping for the code in OpenSSL which is causing this particular issue. – Azeem Sheikh Jan 10 '14 at 12:44
  • Exporting certs sounds ok, but why would you want to distribute a private key for heaven's sake? – Maarten Bodewes Jan 11 '14 at 02:43

1 Answer

See `PEM_write_bio_PrivateKey` and `PEM_write_bio_RSAPrivateKey`. I'm not sure when it occurred, but it's likely due to this change (from https://www.openssl.org/docs/crypto/pem.html):

> The old PrivateKey write routines are retained for compatibility. New applications should write private keys using the PEM_write_bio_PKCS8PrivateKey() or PEM_write_PKCS8PrivateKey() routines because they are more secure (they use an iteration count of 2048 whereas the traditional routines use a count of 1) unless compatibility with older versions of OpenSSL is important.
>
> The PrivateKey read routines can be used in all applications because they handle all formats transparently.

jww
  • So does that mean I won't be able to get the older format of certificate with newer OpenSSL code? Is it possible somehow to disable the OpenSSL code which is causing the change of key format and generate the key format as it was done in older OpenSSL? – Azeem Sheikh Jan 15 '14 at 13:25
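What the two headers in the question mean at the byte level, as an added example that is not part of the original thread and is not OpenSSL code: "BEGIN PRIVATE KEY" is an unencrypted PKCS#8 `PrivateKeyInfo` whose OCTET STRING contains exactly the structure that "BEGIN RSA PRIVATE KEY" carries on its own. The function and constant names are hypothetical, the key is a constructed toy value, and only the Python standard library is used.

```python
import base64, re
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def tlv(tag, value):  # DER-encode one element
    n = len(value)
    size = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, (0x80 | len(size)) if size else n]) + size + value

def read_tlv(buf, pos=0):  # -> (tag, value, next_pos)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the number of length bytes
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    if pos + n > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + n], pos + n

def pem_decode(pem):  # -> (label, DER bytes)
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def pem_encode(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def to_traditional_rsa(pem):  # unencrypted PKCS#8 RSA key -> 'RSA PRIVATE KEY'
    label, der = pem_decode(pem)
    if label == "RSA PRIVATE KEY":  # already traditional
        return pem_encode(label, der)
    if label != "PRIVATE KEY":  # e.g. ENCRYPTED PRIVATE KEY needs decrypting first
        raise ValueError(f"cannot unwrap PEM type {label!r}")
    tag, info, _ = read_tlv(der)  # PrivateKeyInfo SEQUENCE
    _, _version, pos = read_tlv(info)  # INTEGER 0
    _, alg, pos = read_tlv(info, pos)  # AlgorithmIdentifier
    ktag, key, _ = read_tlv(info, pos)  # OCTET STRING holding RSAPrivateKey
    if tag != 0x30 or ktag != 0x04 or read_tlv(alg)[:2] != (0x06, RSA_OID):
        raise ValueError("not a PKCS#8 RSA private key")
    return pem_encode("RSA PRIVATE KEY", key)

# Constructed toy key (p=61, q=53), unusable in practice: version, n, e, d, p, q, dP, dQ, qInv
TOY_RSA = tlv(0x30, b"".join(tlv(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big"))
                             for i in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
TOY_PKCS8_PEM = pem_encode("PRIVATE KEY", tlv(0x30, tlv(0x02, b"\x00")
    + tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b"")) + tlv(0x04, TOY_RSA)))

if __name__ == "__main__":
    print(TOY_PKCS8_PEM + to_traditional_rsa(TOY_PKCS8_PEM))
```

In C, the same distinction is the choice between the two write routines named in the answer: `PEM_write_bio_RSAPrivateKey` emits the traditional header and `PEM_write_bio_PrivateKey` emits the PKCS#8 one.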