"openssl pkcs8" Converting Keys to PKCS#8 Format

Cryptography Tutorials - Herong's Tutorial Examples

∟Migrating Keys from "OpenSSL" Key Files to "keystore"

∟"openssl pkcs8" Converting Keys to PKCS#8 Format

This section provides a tutorial example on how to convert a private key file from the traditional format into PKCS#8 format using the 'openssl pkcs8' command. Keys can still be encoded with DER or PEM with or without DES encryption in PKCS#8 format.

Once I have my private key stored in the traditional format, I can use the "openssl pkcs8" command to convert it into PKCS#8 format. My plan was to try to do the following:

"openssl pkcs8 -topk8" to convert the key file format to PKCS#8 with PEM encoding, but no encryption.
"openssl pkcs8 -topk8" to convert the key file format to PKCS#8 with DER encoding, but no encryption.
"openssl pkcs8 -topk8" to convert the key file format to PKCS#8 with PEM encoding and encryption.
"openssl pkcs8 -topk8" to convert the key file format to PKCS#8 with DER encoding and encryption.

My command session was recorded as blow:

C:\herong>rem PKCS#8 format, PEM encoding, no encryption
herong> openssl pkcs8 -topk8 -in openssl_key.pem -inform pem \
   -out openssl_key_pk8.pem -outform pem -nocrypt

C:\herong>rem PKCS#8 format, DER encoding, no encryption
herong> openssl pkcs8 -topk8 -in openssl_key.pem -inform pem \
   -out openssl_key_pk8.der -outform der -nocrypt

C:\herong>rem PKCS#8 format, PEM encoding, encrypted
herong> openssl pkcs8 -topk8 -in openssl_key.pem -inform pem \
   -out openssl_key_pk8_enc.pem -outform pem

Enter Encryption Password: keypass
Verifying - Enter Encryption Password: keypass
Loading 'screen' into random state - done

C:\herong>rem PKCS#8 format, DER encoding, encrypted
herong> openssl pkcs8 -topk8 -in openssl_key.pem -inform pem \
   -out openssl_key_pk8_enc.der -outform der

Enter Encryption Password: keypass
Verifying - Enter Encryption Password: keypass
Loading 'screen' into random state - done

All commands executed as expected this time. I got my RSA private key stored in OpenSSL traditional format and PKCS#8 format in 7 flavors:

   608 openssl_key.der
   887 openssl_key.pem
   958 openssl_key_des.pem
   634 openssl_key_pk8.der
   916 openssl_key_pk8.pem
   677 openssl_key_pk8_enc.der
   993 openssl_key_pk8_enc.pem

Now the question is how to verify them? Looks like there no easy tool to do this. I will leave this task later by writing a Java program to verify them.