Cryptography Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.00

Key Formats PKCS#8 and PKCS#12 and Migration


(Continued from previous part...)

My command session was recorded as below:

>rem traditional format, PEM encoding, no encryption
>openssl genrsa -out openssl_key.pem 1024

Loading 'screen' into random state - done
Generating RSA private key, 1024 bit long modulus
.......++++++
........................................++++++
e is 65537 (0x10001)

>rem traditional format, DER encoding, no encryption
>openssl rsa -in openssl_key.pem -inform pem 
-out openssl_key.der -outform der

writing RSA key

>rem traditional format, PEM encoding, DES encryption
>openssl rsa -in openssl_key.pem -inform pem 
-out openssl_key_des.pem -outform pem -des

writing RSA key
Enter PEM pass phrase: keypass
Verifying - Enter PEM pass phrase: keypass

>rem traditional format, DER encoding, DES encryption
>openssl rsa -in openssl_key.pem -inform pem 
-out openssl_key_des.der -outform der -des

writing RSA key

All commands were executed as expected except the last one. The traditional format with DER encoding does not seem to be able to apply the DES encryption.

Anyway, I got my RSA private key stored in OpenSSL traditional format with 3 flavors:

04/01/2007  09:55 AM               608 openssl_key.der
04/01/2007  09:52 AM               887 openssl_key.pem
04/01/2007  10:01 AM               958 openssl_key_des.pem

Now I am ready to convert my private key to PKCS#8 format as described in the next section.

"OpenSSL" Private Key in PKCS#8 Format

Once I have my private key stored in the traditional format, I can use the "openssl pkcs8" command to convert it into PKCS#8 format. My plan was to try to do the following:

  • "openssl pkcs8 -topk8" to convert the key file format to PKCS#8 with PEM encoding, but no encryption.
  • "openssl pkcs8 -topk8" to convert the key file format to PKCS#8 with DER encoding, but no encryption.
  • "openssl pkcs8 -topk8" to convert the key file format to PKCS#8 with PEM encoding and encryption.
  • "openssl pkcs8 -topk8" to convert the key file format to PKCS#8 with DER encoding and encryption.

My command session was recorded as below:

>rem PKCS#8 format, PEM encoding, no encryption
>openssl pkcs8 -topk8 -in openssl_key.pem -inform pem 
-out openssl_key_pk8.pem -outform pem -nocrypt

>rem PKCS#8 format, DER encoding, no encryption
>openssl pkcs8 -topk8 -in openssl_key.pem -inform pem 
-out openssl_key_pk8.der -outform der -nocrypt

>rem PKCS#8 format, PEM encoding, encrypted
>openssl pkcs8 -topk8 -in openssl_key.pem -inform pem 
-out openssl_key_pk8_enc.pem -outform pem

Enter Encryption Password: keypass
Verifying - Enter Encryption Password: keypass
Loading 'screen' into random state - done

>rem PKCS#8 format, DER encoding, encrypted
>openssl pkcs8 -topk8 -in openssl_key.pem -inform pem 
-out openssl_key_pk8_enc.der -outform der

Enter Encryption Password: keypass
Verifying - Enter Encryption Password: keypass
Loading 'screen' into random state - done

All commands executed as expected this time. I got my RSA private key stored in OpenSSL traditional format and PKCS#8 format in 7 flavors:

04/01/2007  09:55 AM               608 openssl_key.der
04/01/2007  09:52 AM               887 openssl_key.pem
04/01/2007  10:01 AM               958 openssl_key_des.pem
04/01/2007  10:29 AM               634 openssl_key_pk8.der
04/01/2007  10:28 AM               916 openssl_key_pk8.pem
04/01/2007  11:53 AM               677 openssl_key_pk8_enc.der
04/01/2007  10:29 AM               993 openssl_key_pk8_enc.pem

Now the question is how to verify them. It looks like there is no easy tool to do this. I will leave this task for later, by writing a Java program to verify them.
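As an added example (not part of this tutorial, and not a Java program), the following Python script does the structural check described above: it decodes the outer ASN.1 layers of a key file and reports whether it is a PKCS#1 RSAPrivateKey (OpenSSL traditional format), a PKCS#8 PrivateKeyInfo, or a PKCS#8 EncryptedPrivateKeyInfo, and for PEM files it recognises the Proc-Type header that traditional-format encryption uses instead of a DER wrapper. The sample keys at the bottom are constructed with toy integers so the script runs offline; they are not real key material.

```python
import base64, re
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1
PBE_OID = bytes.fromhex("2a864886f70d010503")  # pbeWithMD5AndDES-CBC, 1.2.840.113549.1.5.3

def der(tag, body):  # encode one DER TLV; lengths up to 65535 cover key files
    n = len(body)
    ln = bytes([n]) if n < 0x80 else (bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF]))
    return bytes([tag]) + ln + body

def parse_tlv(buf, pos=0):  # decode the TLV at buf[pos] -> (tag, value, position after it)
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length: low 7 bits give the byte count
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def classify_der(blob):
    """Name the outer ASN.1 structure of a DER-encoded private key."""
    tag, seq, _ = parse_tlv(blob)
    if tag != 0x30:
        return "not a SEQUENCE"
    t1, _, p = parse_tlv(seq)
    t2, v2, _ = parse_tlv(seq, p)
    if t1 == 0x02 and t2 == 0x02:  # version INTEGER, modulus INTEGER
        return "PKCS#1 RSAPrivateKey (traditional)"
    if t1 == 0x02 and t2 == 0x30:  # version INTEGER, AlgorithmIdentifier SEQUENCE
        _, oid, _ = parse_tlv(v2)
        return "PKCS#8 PrivateKeyInfo, " + ("rsaEncryption" if oid == RSA_OID else "OID " + oid.hex())
    if t1 == 0x30 and t2 == 0x04:  # AlgorithmIdentifier SEQUENCE, OCTET STRING ciphertext
        return "PKCS#8 EncryptedPrivateKeyInfo"
    return "unknown"

def classify_pem(text):
    """Classify a PEM file; traditional-format encryption is signalled by PEM headers, not by DER."""
    m = re.search(r"-----BEGIN ([^-]+)-----\n(.*?)-----END", text, re.S)
    if not m:
        return "not PEM"
    label, lines = m.group(1), m.group(2).splitlines()
    if any(l.startswith("Proc-Type: 4,ENCRYPTED") for l in lines):
        return "traditional, PEM-header encrypted (" + label + ")"
    return classify_der(base64.b64decode("".join(l for l in lines if ":" not in l))) + " (" + label + ")"

# Constructed samples: structurally valid DER around toy integers, not real key material.
def sample_pkcs1():  # RSAPrivateKey: version, n, e, d, p, q, dp, dq, qinv
    return der(0x30, b"".join(der(0x02, i.to_bytes(2, "big")) for i in [0, 3233, 17, 2753, 61, 53, 53, 49, 38]))
def sample_pkcs8():  # PrivateKeyInfo around the PKCS#1 blob, as "openssl pkcs8 -topk8 -nocrypt" produces
    return der(0x30, der(0x02, b"\x00") + der(0x30, der(0x06, RSA_OID) + der(0x05, b"")) + der(0x04, sample_pkcs1()))
def sample_encrypted_pkcs8():  # EncryptedPrivateKeyInfo: PBES1 AlgorithmIdentifier (salt, iterations) + ciphertext placeholder
    params = der(0x30, der(0x04, b"\x00" * 8) + der(0x02, b"\x08\x00"))
    return der(0x30, der(0x30, der(0x06, PBE_OID) + params) + der(0x04, b"\x00" * 16))
```

To check the files produced above, read each one in binary mode and pass .der files to classify_der() and .pem files (decoded as text) to classify_pem().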

"OpenSSL" Key and Certificate in PKCS#12 Format

PKCS#12 (Personal Information Exchange Syntax Standard) defines how a private key and its related certificates should be stored in a single file. In this section, I want to try the following:

  • Use "openssl req -new -x509" command to create a self-signed certificate with my private key.
  • Use "openssl pkcs12 -export" command to merge my private key and my certificate into a PKCS#12 file.
  • Use "openssl pkcs12" command to parse a PKCS#12 file into an encrypted PEM file.

(Continued on next part...)


Dr. Herong Yang, updated in 2007