
I am new to SSL certificates. I have a private key and certificate generated using the command below: `openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:4096 -keyout private.key -out certificate.crt`

Here, I assume the output files private.key and certificate.crt are in PEM format (PKCS#1).

Now, when I try to convert the private key to PKCS#8 format using the command below: `openssl pkcs8 -in private.key -topk8 -nocrypt -out pkeypk8.pk8`

There is absolutely no difference between the private.key and pkeypk8.pk8 files. The diff is nil. Now, I'm not sure if I am using the openssl commands correctly. What is expected when a PEM format private key is converted to PKCS#8 format?

Hemanth
  • 2
    Your private key already is in pkcs8 format based on the command you used to create it. Also, pkcs1 is not PEM - pkcs is a structured container while PEM is an encoding. pkcs1 can be encoded as PEM or DER. – Steffen Ullrich Dec 20 '21 at 09:34
  • 2
    **You assume wrong.** The files output by `openssl req -x509 -newkey -nodes -keyout -out` are PEM, but the certificate is just a certificate (PKCS1 does not apply to certificates) and for OpenSSL 1.0.0 up (since 2010) the privatekey is PKCS8-unencrypted, which is the same format created by `openssl pkcs8 -topk8 -nocrypt`. (Before 2010, `req -newkey -nodes -keyout` _did_ write privatekey in 'legacy' format, which for RSA was PKCS1.) – dave_thompson_085 Dec 20 '21 at 09:36
  • Thanks a lot for the clarifications. Can you please point me to any good content which I can read as a beginner to understand more about the encoding and formats? – Hemanth Dec 20 '21 at 10:47
  • 1
    https://datatracker.ietf.org/doc/html/rfc7468 – President James K. Polk Dec 20 '21 at 16:32

0 Answers
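
The distinction drawn in the comments (PEM is the encoding, PKCS#1 and PKCS#8 are structures), as an added Python example that is not part of the original thread: it reads the RFC 7468 label and the first DER fields of a key file and reports which structure each one indicates. The helper names and the toy RSA values are constructed for illustration.

```python
import base64, re, textwrap

# RFC 7468 private-key labels and the structure each one announces.
LABELS = {"RSA PRIVATE KEY": "PKCS#1", "PRIVATE KEY": "PKCS#8",
          "ENCRYPTED PRIVATE KEY": "PKCS#8 encrypted"}
RSA_ALG = bytes.fromhex("300d06092a864886f70d0101010500")  # rsaEncryption + NULL

def tlv(tag, body):
    """DER-encode one element (short or long definite length)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(v):
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def to_pem(label, der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def pkcs1_to_pkcs8(pkcs1_der):
    """Wrap RSAPrivateKey in an unencrypted PKCS#8 PrivateKeyInfo (RFC 5208)."""
    return tlv(0x30, der_int(0) + RSA_ALG + tlv(0x04, pkcs1_der))

def read(der, pos):
    """Return (tag, body_start, body_end) of the DER element at pos."""
    tag, first = der[pos], der[pos + 1]
    pos += 2
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        k = first & 0x7F
        first, pos = int.from_bytes(der[pos:pos + k], "big"), pos + k
    return tag, pos, pos + first

def classify(pem):
    """Return (format the PEM label claims, format the DER body has)."""
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    der = base64.b64decode("".join(m.group(2).split()))
    _, start, _ = read(der, 0)        # step inside the outer SEQUENCE
    first, _, nxt = read(der, start)  # PKCS#1 and PKCS#8 begin with INTEGER version
    kinds = {0x30: "PKCS#8", 0x02: "PKCS#1"}  # tag that follows the version
    shape = "PKCS#8 encrypted" if first == 0x30 else kinds.get(der[nxt], "other")
    return LABELS.get(m.group(1), "other"), shape

# Constructed toy RSA values (p=61, q=53): far too small to be a usable key.
TOY_PKCS1 = tlv(0x30, b"".join(map(der_int, (0, 3233, 17, 2753, 61, 53, 53, 49, 38))))
```

A key file written by `openssl req -newkey -nodes -keyout` on OpenSSL 1.0.0 or later classifies as PKCS#8 on both counts, which is why `openssl pkcs8 -topk8 -nocrypt` leaves it unchanged.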