PKCS8 (PKCS #8) format – openssl pkcs8

April 14, 2021 by Mister PKI 2 Comments

PKCS8 is the eighth of the Public-Key Cryptography Standards (PKCS) and is a syntax for storing private key material. The private keys may be encrypted with a symmetric key algorithm. If the usage of your key requires it to be in plain text, make sure it is stored in a secured location. If at all possible, keep the PKCS8 formatted private key encrypted.

The header and footer of the PKCS8 syntax are the following:

-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

…and if the PKCS #8 formatted private key is encrypted, the header and footer are the following:

-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----

Both forms shown above are PEM encoded.

PKCS8 vs PKCS1 (PKCS1 vs PKCS8)

PKCS #8 is a private key syntax for all algorithms and not just RSA. On the other hand, PKCS1 is primarily for use with the RSA algorithm. The PKCS #8 ASN.1 structure also identifies the key's algorithm. Over time, while PKCS1 is still valid, PKCS #8 has become the standard syntax for storing private key information. Some applications may even load private key information from a private key entry in a PKCS12 formatted keystore, which is also common. But many languages expect a single file and not a keystore, which makes PKCS #8 a suitable syntax.

PKCS8 vs PKCS12

These are two different specs: PKCS12 is meant to bundle a key pair with a certificate, not to store a single PKCS #8 private key. A PKCS12 formatted keystore is password protected, and a standalone PKCS #8 private key should be too if at all possible. This also goes for a PKCS #1 private key. Both private key formats should be encrypted at rest with a symmetric key.

openssl pkcs8

The openssl pkcs8 command processes asymmetric private keys in PKCS #8 format and supports a variety of encryption algorithms. It can process both encrypted and plain text private keys. Note that the file extension is not special and is routinely just .pem.

To generate a private key with openssl, use the openssl genpkey command.

To convert a private key to pkcs8, run the following command:

openssl pkcs8 -in key.pem -topk8 -out pk8key.pem

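Where -in key.pem is the private key to be converted to PKCS #8, -topk8 tells openssl to write PKCS #8 output, and -out pk8key.pem will be the PKCS #8 formatted key. Without -nocrypt the output is encrypted, so openssl prompts for a passphrase.

To write the PKCS8 key in a plain text (unencrypted) state, just add the -nocrypt option to the command: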

openssl pkcs8 -in key.pem -topk8 -nocrypt -out pk8key.pem

To convert PKCS8 to PKCS1, run the following command:

openssl pkcs8 -in pk8key.pem -traditional -nocrypt -out key.pem

Where -in pk8key.pem is the PKCS #8 formatted private key, -traditional means to convert to the traditional PKCS1 format, -nocrypt means the key is not encrypted, and -out key.pem is the file holding the PKCS1 traditional private key.
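The conversions above as one round trip, checking the PEM header each step produces and that every file still holds the same key. This is an added example, not part of the original post; the file names, the temporary directory and the PK8_PASS variable are assumptions made for the example, and the passphrase is a constructed sample value.

```shell
#!/bin/sh
# Added example: round-trip a throwaway RSA key through the formats above.
# File names and the PK8_PASS variable are assumptions of this example.
set -eu
umask 077    # anything written here is readable by the owner only

# Print the PEM header label of a file, e.g. "ENCRYPTED PRIVATE KEY".
pem_label() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1
}

# Print the SHA-256 of the PEM public key derived from a private key file.
# The passphrase is read from the PK8_PASS environment variable, so it never
# appears in the process argument list; it is ignored for unencrypted keys.
pub_digest() {
    pub=$(openssl pkey -in "$1" -passin env:PK8_PASS -pubout) || return 1
    printf '%s\n' "$pub" | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Generate a key in directory $1 and run each conversion from the article.
roundtrip() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/key.pem" 2>/dev/null
    # Encrypted PKCS #8; -passout replaces the interactive prompt.
    openssl pkcs8 -in "$dir/key.pem" -topk8 -passout env:PK8_PASS \
        -out "$dir/pk8enc.pem"
    # Plain text PKCS #8.
    openssl pkcs8 -in "$dir/key.pem" -topk8 -nocrypt -out "$dir/pk8key.pem"
    # PKCS #8 back to traditional PKCS1.
    openssl pkcs8 -in "$dir/pk8key.pem" -traditional -nocrypt \
        -out "$dir/pkcs1.pem"
}

export PK8_PASS='constructed-example-passphrase'   # sample value only
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
roundtrip "$WORK"
for f in pk8enc pk8key pkcs1; do
    printf '%-7s %-22s %s\n' "$f" "$(pem_label "$WORK/$f.pem")" \
        "$(pub_digest "$WORK/$f.pem")"
done
```

The three digests printed should be identical: the container format and the encryption change, the key does not.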

See RFC 3447 for details on the PKCS1 standard.

See RFC 5208 for details on the PKCS #8 standard.

Conclusion

Let us know in the comments if you would like to see more examples of commands processing PKCS #8 formatted private keys or conversions to other key formats. Head over to our OpenSSL page for more common commands.


Comments

  1. Giorgio Forti says

    August 2, 2021 at 9:29 am

    To start the integration with the SatisPay payment system I need to execute these two statements:
    openssl genrsa -out private.pem 4096
    openssl rsa -in private.pem -outform PEM -pubout -out public.pem
    but I can’t find anywhere WHERE to execute them.
    Can someone tell me how to start?

    • Mister PKI says

      August 3, 2021 at 12:22 am

      I’m not familiar with the SatisPay payment system. But, if all you need is a public and private key then you should be able to execute the commands anywhere (secure) you have openssl, and then place the key pair where SatisPay expects them. If I’m totally off base, please provide more details.
