Skip to content

Instantly share code, notes, and snippets.

@gtaban
Last active March 28, 2024 07:37
Show Gist options
  • Save gtaban/410db2351e52ae36a2a636f3cc6f86ac to your computer and use it in GitHub Desktop.
Save gtaban/410db2351e52ae36a2a636f3cc6f86ac to your computer and use it in GitHub Desktop.

The default format of keys was changed in OpenSSL 1.0. From OpenSSL 1.0 change log:

Make PKCS#8 the default write format for private keys, replacing the traditional format. This form is standardised, more secure and doesn't include an implicit MD5 dependency. [Steve Henson]

Good explanations of the difference between the two formats: https://tls.mbed.org/kb/cryptography/asn1-key-structures-in-der-and-pem

Converting RSA private key:

To convert from PKCS#8 to PKCS#1:

openssl pkcs8 -topk8 -inform pem -in file.key -outform pem -nocrypt -out file.pem

To convert from PKCS#8 to PKCS#1:

openssl rsa -in key1.pem -out key2.pem

Converting RSA public key:

To convert from PKCS#8 to PKCS#1:

openssl rsa -pubin -in <filename> -RSAPublicKey_out

To convert from PKCS#1 to PKCS#8:

openssl rsa -RSAPublicKey_in -in <filename> -pubout

Converting EC private key:

To convert from PKCS#8 to PKCS#1:

openssl ec -in ec2.pem -out ec3.pem
@wyarde
Copy link

wyarde commented Sep 12, 2019

To convert from PKCS#8 to PKCS#1:
openssl pkcs8 -topk8 -inform pem -in file.key -outform pem -nocrypt -out file.pem

This should be the other way around I believe (from PKCS#1 to PKCS#8)

@liudonghua123
Copy link

  1. rsa private key
    To convert from PKCS#1 to PKCS#8:
    openssl pkcs8 -topk8 -inform pem -in private_pkcs1.pem -outform pem -nocrypt -out private_pkcs8.pem
    To convert from PKCS#8 to PKCS#1:
    openssl rsa -in private_pkcs8.pem -out private_pkcs1.pem

  2. rsa public key
    To convert from PKCS#8 to PKCS#1:
    openssl rsa -pubin -in public_pkcs8.pem -RSAPublicKey_out -out public_pkcs1.pem
    To convert from PKCS#1 to PKCS#8:
    openssl rsa -RSAPublicKey_in -in public_pkcs1.pem -pubout -out public_pkcs8.pem

@Harsheenank
Copy link

hi,i have used the code you provided,but still im getting the ----BEGIN PRIVATE KEY----- format
is there any other solution

@jackesdavid
Copy link

you should use -traditional on your private script generation
your openssl is new and the default is to always use pkcs8

@jackesdavid
Copy link

in other words to convert your your pkcs8 to pkcs1 user

openssl rsa -in priv.pem -out private_pkcs1.pem -traditional

@liudonghua123
Copy link

  1. rsa private key
    To convert from PKCS#1 to PKCS#8:
    openssl pkcs8 -topk8 -inform pem -in private_pkcs1.pem -outform pem -nocrypt -out private_pkcs8.pem
    To convert from PKCS#8 to PKCS#1:
    openssl rsa -in private_pkcs8.pem -out private_pkcs1.pem
  2. rsa public key
    To convert from PKCS#8 to PKCS#1:
    openssl rsa -pubin -in public_pkcs8.pem -RSAPublicKey_out -out public_pkcs1.pem
    To convert from PKCS#1 to PKCS#8:
    openssl rsa -RSAPublicKey_in -in public_pkcs1.pem -pubout -out public_pkcs8.pem

See also https://stackoverflow.com/questions/2957742/how-to-convert-pkcs8-formatted-pem-private-key-to-the-traditional-format/65661751#65661751.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment