Cryptography Tutorials - Herong's Tutorial Examples - Version 5.36, by Dr. Herong Yang
"openssl enc" Converting Keys from Binary to PEM
This section provides a tutorial example on how to convert a private and public key pair stored in binary PKCS#8 format into PEM (Privacy Enhanced Mail) format with the 'openssl enc' command.
Using my DumpKey.java program, I managed to get a private and public key pair dumped out of the "keytool" keystore file into herong_bin.key. My DumpKey.java program told me that this is a DSA key pair stored in binary PKCS#8 format.
I tried to view herong_bin.key as is with the "openssl dsa" command:
>openssl dsa -in herong_bin.key -text
read DSA key
unable to load Key
2228:error:0906D06C:PEM routines:PEM_read_bio:no start line:
pem_lib.c:632:Expecting: ANY PRIVATE KEY
It looks like the "openssl dsa" command only understands the PEM (Privacy Enhanced Mail) format, which requires the key to be encoded in Base64 format. This can be done in two steps. First, use the "openssl enc" command as shown below:
>openssl enc -in herong_bin.key -out herong.key -a
>type herong.key
MIIBSwIBADCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2EbdS
...
g9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoEFgIUSVbo98XAZDN9RZoZ+li3kIKVEbk=
The last step to make my herong.key file meet the PEM format standard is to add a header line and a footer line with a text editor:
-----BEGIN PRIVATE KEY-----
MIIBSwIBADCCASwGByqGSM44BAEwggEfAoGBAP1/U4EddRIpUt9KnC7s5Of2EbdS
...
g9/hWuWfBpKLZl6Ae1UlZAFMO/7PSSoEFgIUSVbo98XAZDN9RZoZ+li3kIKVEbk=
-----END PRIVATE KEY-----
Now I have my private and public key pair converted from the binary format to the PEM format in the file called herong.key. Remember that my key pair was generated by "keytool".
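The two manual steps above (Base64 encoding, then adding the header and footer lines) can be done in one function that first checks the binary input really is an unencrypted PKCS#8 structure, since the "PRIVATE KEY" label is only correct for that layout. This is an added Python example, not part of the original tutorial; the names read_tlv, pkcs8_der_to_pem and SAMPLE_DER are hypothetical, and the sample bytes are constructed and do not form a usable key.

```python
import base64


def read_tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER element runs past end of input")
    return tag, pos, pos + length


def pkcs8_der_to_pem(der):
    """Check der looks like an unencrypted PKCS#8 PrivateKeyInfo, then PEM-armor it."""
    tag, start, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("input is not exactly one DER SEQUENCE")
    tag, _, version_end = read_tlv(der, start)
    if tag != 0x02:  # an encrypted PKCS#8 blob has a SEQUENCE here, not an INTEGER
        raise ValueError("first field is not the version INTEGER")
    tag, alg_start, alg_end = read_tlv(der, version_end)
    if tag != 0x30 or read_tlv(der, alg_start)[0] != 0x06:
        raise ValueError("no AlgorithmIdentifier: not a PKCS#8 key")
    if read_tlv(der, alg_end)[0] != 0x04:
        raise ValueError("privateKey OCTET STRING missing")
    b64 = base64.b64encode(der).decode("ascii")
    # 64 Base64 characters per line, like the herong.key lines shown above
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(
        ["-----BEGIN PRIVATE KEY-----", *lines, "-----END PRIVATE KEY-----"]
    ) + "\n"


# Constructed sample: version 0, AlgorithmIdentifier holding only the DSA OID
# (1.2.840.10040.4.1), and a 100-byte dummy payload. Not a real key.
SAMPLE_DER = bytes.fromhex("3074020100300906072a8648ce380401") + b"\x04\x64" + bytes(100)

if __name__ == "__main__":
    print(pkcs8_der_to_pem(SAMPLE_DER), end="")
```

The structure check only inspects the outer fields; it does not validate the key parameters themselves.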
Actually, "openssl dsa" does understand keys in binary format when the "-inform DER" option is specified, as pointed out by Dan Lukes in the Web version. So we can convert a key pair from the binary format to the PEM format with a single "openssl dsa" command:
>openssl dsa -in herong_bin.key -inform DER -out herong.key -outform PEM
The next thing I want to do is view this key pair with the "openssl dsa" command as described in the next section.
Last update: 2018.