73

I've been given a PEM file with a certificate and pub/private keys. Specifically it includes the headers

-----BEGIN CERTIFICATE-----   
-----END CERTIFICATE-----   
-----BEGIN RSA PRIVATE KEY-----   
-----END RSA PRIVATE KEY-----   
-----BEGIN RSA PUBLIC KEY-----   
-----END RSA PUBLIC KEY-----

in that specific order.

My understanding is that, without a header following the BEGIN RSA PRIVATE KEY header, this PEM file contains a private key in the traditional format (PKCS1) without encryption.

I need to convert this private key to a DER encoded PKCS8 unencrypted format for use with Java server code, specifically PKCS8EncodedKeySpec. I've tried OpenSSL, both with rsa and pkcs8 commands, but with no luck. There's no specific need to use OpenSSL if there is something easier.

Specifically:

```
openssl rsa -in IServer_Key.orig.prikey.pem -out IServer_Key.pkcs8.pem
openssl rsa -in IServer_Key.orig.prikey.pem -out IServer_Key.pkcs8.pem -pubin
openssl pkcs8 -in IServer_Key.orig.prikey.pem -out IServer_Key.pkcs8.pem -nocrypt
```

I've also tried specifying the inform and outform without success.

user@ubuntu:~/TestCerts$ openssl rsa -in IServer_Key.pem -out IServer_Key.pkcs8.pem -pubin 
unable to load Public Key 
5925:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:
Expecting: PUBLIC KEY

user@ubuntu:~/TestCerts$ openssl rsa -in IServer_Key.orig.prikey.pem -out IServer_Key.pkcs8.pem 
unable to load Private Key 
5993:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1316: 
5993:error:0D06C03A:asn1 encoding routines:ASN1_D2I_EX_PRIMITIVE:nested asn1 error:tasn_dec.c:828:
5993:error:0D08303A:asn1 encoding routines:ASN1_TEMPLATE_NOEXP_D2I:nested asn1 error:tasn_dec.c:748:Field=n, Type=RSA 
5993:error:0D09A00D:asn1 encoding routines:d2i_PrivateKey:ASN1 lib:d2i_pr.c:99: 
5993:error:0907B00D:PEM routines:PEM_READ_BIO_PRIVATEKEY:ASN1 lib:pem_pkey.c:125:

user@ubuntu:~/TestCerts$ openssl pkcs8 -in IServer_Key.orig.prikey.pem -out IServer_Key.pkcs8.pem -nocrypt 
Error decrypting key 
6022:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:650:
Expecting: PRIVATE KEY

Any help would be very much appreciated at this point.

cf-
Peter Oehlert
  • 1
    I removed java tag because it's not at all restricted to java and hopefully it will get a wider audience – cfi May 09 '12 at 11:13
  • I think most of the OpenSSL commands expect a single object per file (some hand waving). Create a second file, and only add the private key to it (including the `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----`). Then try your commands. – jww May 11 '14 at 10:47
  • [Openssl pkcs8 default format gives RSA PRIVATE KEY](https://superuser.com/questions/606215/openssl-pkcs8-default-format-gives-rsa-private-key). – jww May 11 '14 at 10:49
  • 1
    This question appears to belong on another site in the Stack Exchange network because it's not about programming. Perhaps [Super User](https://www.superuser.com/). – jww May 11 '14 at 10:51

4 Answers

113

Try using following command. I haven't tried it but I think it should work.

```
openssl pkcs8 -topk8 -inform PEM -outform DER -in filename -out filename -nocrypt
```
Franklin Yu
Nilesh
  • 15
    This gives me: Error decrypting key 140139164128912:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:701:Expecting: PRIVATE KEY – Konrad Garus Jul 15 '16 at 08:30
  • both private key before and after use same public key right? – Panup Pong Aug 31 '18 at 03:52
  • 1
    Just a highlight - using nocrypt is not a best practice and should be avoided as far as possible! Doco here - https://www.openssl.org/docs/man1.0.2/man1/openssl-pkcs8.html – buch11 Mar 26 '20 at 06:34
  • Is this meant to output a file that can't be read in a text editor anymore? – theonlygusti Mar 09 '21 at 00:13
86

To convert the private key from PKCS#1 to PKCS#8 with openssl:

```
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in pkcs1.key -out pkcs8.key
```

That will work as long as you have the PKCS#1 key in PEM (text format) as described in the question.

Sergiu Marsavela
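
What the `-topk8 -nocrypt` conversion in the answers above does at the byte level, as an added example (not code from any poster or from OpenSSL): it picks the `RSA PRIVATE KEY` block out of a multi-object PEM file like the one in the question and wraps the PKCS#1 bytes in an unencrypted PKCS#8 `PrivateKeyInfo`, the DER form that PKCS8EncodedKeySpec takes. The function names and the embedded toy key (n = 3233, far too small for real use) are constructed for illustration.

```python
import base64
import re

# AlgorithmIdentifier { rsaEncryption 1.2.840.113549.1.1.1, NULL }
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_tlv(tag: int, value: bytes) -> bytes:
    """Encode one DER tag-length-value (short or long definite length)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + value

def pkcs1_to_pkcs8(pkcs1_der: bytes) -> bytes:
    """Wrap RSAPrivateKey (PKCS#1) in an unencrypted PKCS#8 PrivateKeyInfo."""
    if pkcs1_der[:1] != b"\x30":
        raise ValueError("PKCS#1 body is not a DER SEQUENCE")
    version = der_tlv(0x02, b"\x00")
    return der_tlv(0x30, version + RSA_ALG_ID + der_tlv(0x04, pkcs1_der))

def convert_bundle(pem_text: str) -> bytes:
    """Find the RSA PRIVATE KEY block among several PEM objects and convert it."""
    blocks = dict(PEM_BLOCK.findall(pem_text))
    body = blocks.get("RSA PRIVATE KEY")
    if body is None:
        raise ValueError(f"no RSA PRIVATE KEY block, found {sorted(blocks)}")
    if "Proc-Type" in body:  # encapsulated header marks an encrypted key
        raise ValueError("key is encrypted; decrypt it before wrapping")
    return pkcs1_to_pkcs8(base64.b64decode("".join(body.split())))

def pem(label: str, der: bytes) -> str:
    """Build a PEM block for the constructed sample below."""
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n"

# Constructed sample: toy RSAPrivateKey (n=3233, e=17, d=2753), not a usable key,
# placed between placeholder certificate and public-key blocks as in the question.
TOY_PKCS1 = bytes.fromhex(
    "301d 020100 02020ca1 020111 02020ac1 02013d 020135 020135 020131 020126")
SAMPLE_BUNDLE = (pem("CERTIFICATE", b"\x30\x00") + pem("RSA PRIVATE KEY", TOY_PKCS1)
                 + pem("RSA PUBLIC KEY", b"\x30\x00"))

if __name__ == "__main__":
    print(convert_bundle(SAMPLE_BUNDLE).hex())
```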
0

I know this is an old article but I had the same requirement (i.e., convert from PKCS#1 to PKCS#8) and I landed here first.

After some research I found the answer here, which I thought would be worth sharing.
On this post, tytk also refers to this Very good description of PKCS#1 vs PKCS#8.

With that being said, and to summarize:

  1. When using `openssl genrsa`, the private key generated will by default be in PKCS#1 format.
  2. To convert to PKCS#8, one can simply run the command `openssl pkey` as follows:

     ```
     openssl pkey -in IServer_Key.orig.prikey.pem -out IServer_Key.pkcs8.pem
     ```

r04DRunn3r
-3

Create a new certificate:

```
openssl req -newkey rsa:2048 -x509 -keyout key.pem -out cert.pem -sha256 -days 365
```

Generate decoded certificate:

```
openssl pkcs8 -in key.pem -out key_unencrypted.pem
```