PKCS8 is the eighth of the Public-Key Cryptography Standards (PKCS) and is a syntax for storing private key material. The private keys may be encrypted with a symmetric key algorithm. If the usage of your key requires it to be in plain text, make sure it is stored in a secured location. If at all possible, keep the PKCS8 formatted private key encrypted.

The header and footer of the PKCS8 syntax is the following:

```
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
```

…and if the PKCS #8 formatted private key is encrypted, the header and footer is the following:

```
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
```

This format is pem formatted.

## PKCS8 vs PKCS1 (PKCS1 vs PKCS8)

PKCS #8 is a private key syntax for all algorithms and not just RSA. On the other hand, PKCS1 is primarily for using the RSA algorithm. PKCS #8 also uses ASN.1 which identifies the algorithm in its structure. Over time, while PKCS1 is still valid, PKCS #8 has become the standard syntax for storing private key information. Some applications may even load private key information from a private key entry in a PKCS12 formatted keystore which is also common. But, many languages expect a single file and not a keystore, which makes PKCS #8 a suitable syntax.

## pkcs 8 vs pkcs12.

These are two different specs, and pkcs12 is meant to bundle a key pair with a certificate and not to store a single pkcs 8 private key. While a pkcs12 formatted keystore is password protected, so should the stand alone PKCS#8 private key if at all possible. This also goes for a PKCS#1 private key. Both private key formats should have a symmetric key encrypting them at rest.

## openssl pkcs8

The **openssl pkcs8** command can be used for processing asymmetric private keys in various encryption algorithms in PKCS #8 format. These openssl pkcs8 commands can process both encrypted and plain text private keys. Note that the file extension is not special and is routinely just .pem.

To generate a private key with openssl use the openssl -genpkey command.

**To convert a private key to pkcs8, run the following command:**

`openssl pkcs8 -in key.pem -topk8 -out pk8key.pem`

Where `-in key.pem`

is the private key to be converted to PKCS #8, `-topk8`

means to convert, and `-out pk8key.pem`

will be the PKCS #8 formatted key.

**To convert to PKCS8 in a plain text state, just add the -nocrypt option to the command:**

`openssl pkcs8 -in key.pem -topk8 -nocrypt -out pk8key.pem`

**To convert PKCS8 to PKCS1, run the following command:**

`openssl pkcs8 -in pk8key.pem -traditional -nocrypt -out key.pem`

Where `-in pk8key.pem`

is the PKCS #8 formatted private key, `-traditional`

means to convert to the traditional PKCS1 format, `-nocrypt`

means the key is not encrypted, and `-out key.pem`

is the file holding the PKCS1 traditional private key.

See RFC 3447 for details on the PKCS1 standard.

See RFC 5208 for details on the PKCS #8 standard.

## Conclusion

Let us know in the comments if you would like to see more examples of commands processing PKCS #8 formatted private keys or conversions to other key formats. Head over to our OpenSSL page for more common commands.

Giorgio Forti says

To start the integration with the SatisPay payment system I need to execute these two statements:

openssl genrsa -out private.pem 4096

openssl rsa -in private.pem -outform PEM -pubout -out public.pem

but I can’t find anywhere WHERE to execute them.

Someone can tell me how to start?

Mister PKI says

I’m not familiar with the SatisPay payment system. But, it all you need is a public and private key then you should be able to execute the commands anywhere (secure) you have openssl, and then place the key pair where SatisPay expects them. If I’m totally off base, please provide more details.