Cryptography Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.00

Key Formats PKCS#8 and PKCS#12 and Migration


This chapter describes:

  • What is PKCS#8?
  • What is PKCS#12?
  • Reading and writing private keys in PKCS#8 format with "openssl pkcs8"
  • Reading and writing key and certificate combinations in PKCS#12 format with "openssl pkcs12"
  • Converting between PKCS#12 files and JKS files with "keytool -importkeystore"

What is PKCS#8?

PKCS#8 is one of the PKCS (Public Key Cryptography Standards) devised and published by RSA Security. PKCS#8 is the Private-Key Information Syntax Standard: it defines how a private key for any algorithm is stored, together with an identifier of that algorithm. The same syntax is republished as RFC 5208.

The PKCS#8 standard defines two structures: one for an unencrypted private key and one for a private key encrypted under a password.

The non-encrypted PKCS#8 form defines the following syntax for a private key:

PrivateKeyInfo ::= SEQUENCE {
  version Version,
  privateKeyAlgorithm PrivateKeyAlgorithmIdentifier,
  privateKey PrivateKey,
  attributes [0] IMPLICIT Attributes OPTIONAL }

Version ::= INTEGER

PrivateKeyAlgorithmIdentifier ::= AlgorithmIdentifier

PrivateKey ::= OCTET STRING

Attributes ::= SET OF Attribute

The encrypted PKCS#8 version defines the following syntax:

EncryptedPrivateKeyInfo ::= SEQUENCE {
  encryptionAlgorithm EncryptionAlgorithmIdentifier,
  encryptedData EncryptedData }

EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier

EncryptedData ::= OCTET STRING

Here "encryptedData" holds the DER encoding of a PrivateKeyInfo structure encrypted under the password-based scheme named by "encryptionAlgorithm", normally one of the PKCS#5 schemes (PBES1 or PBES2).

Java SE "keytool" does not export private keys at all, so it cannot write them in PKCS#8 format. But you can use my "DumpKey.java" to do this, as described in another chapter of this book.

The "OpenSSL" releases used for these notes do not write private keys in PKCS#8 format directly. "openssl genrsa" writes the key in OpenSSL's own format, referred to as the traditional format (for RSA this is the PKCS#1 RSAPrivateKey structure). The "openssl pkcs8" command converts private key files between the traditional format and PKCS#8 in both directions. Note that later releases behave differently: OpenSSL 1.0.0 added "openssl genpkey", which writes PKCS#8 directly, and in OpenSSL 3.0 even "openssl genrsa" writes PKCS#8 unless "-traditional" is given.

When a private key in PKCS#8 format is written to a file, it is stored in either DER encoding (raw binary) or PEM encoding (the base64 of the DER between "-----BEGIN PRIVATE KEY-----" and "-----END PRIVATE KEY-----" lines, or "-----BEGIN ENCRYPTED PRIVATE KEY-----" lines for the encrypted form). DER and PEM encodings are described in other chapters of this book.
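To see the structures above in bytes rather than in ASN.1 notation, here is an added example that is not part of the tutorial: a small standard-library-only Python program that reads DER with a hand-written reader and tells a traditional RSAPrivateKey file, a PKCS#8 PrivateKeyInfo file and a PKCS#8 EncryptedPrivateKeyInfo file apart, in either DER or PEM encoding. The rule it applies follows directly from the syntax definitions: a PrivateKeyInfo starts with an INTEGER version followed by an AlgorithmIdentifier SEQUENCE, an EncryptedPrivateKeyInfo starts with an AlgorithmIdentifier SEQUENCE followed by an OCTET STRING, and a traditional RSA key starts with two INTEGERs (version and modulus). The function names ("identify", "classify_der", "samples", "to_pem") are my own; the sample keys are constructed inline from the textbook toy RSA key (p=61, q=53, e=17) and are not usable keys, and the encrypted sample uses an empty placeholder for the PBES2 parameters and dummy bytes as ciphertext.

```python
# Added example (not from the tutorial): a minimal stdlib-only DER reader that tells
# traditional RSAPrivateKey, PKCS#8 PrivateKeyInfo and EncryptedPrivateKeyInfo apart.
import base64
import re

INTEGER, OCTET_STRING, NULL, OID, SEQUENCE = 0x02, 0x04, 0x05, 0x06, 0x30
KNOWN_OIDS = {"1.2.840.113549.1.1.1": "rsaEncryption", "1.2.840.113549.1.5.13": "PBES2"}

def der_encode(tag, body):
    """One DER TLV with definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def der_int(i):
    """DER INTEGER; a leading 0x00 keeps a high-bit value positive."""
    b = i.to_bytes(max(1, (i.bit_length() + 7) // 8), "big")
    return der_encode(INTEGER, (b"\x00" if b[0] & 0x80 else b"") + b)

def der_read(buf, pos=0):
    """Read the TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    """Yield the child TLVs of a constructed value as (tag, value) pairs."""
    pos = 0
    while pos < len(body):
        tag, value, pos = der_read(body, pos)
        yield tag, value

def oid_to_str(value):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, n = [], 0
    for b in value:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    head = [arcs[0] // 40, arcs[0] % 40] if arcs[0] < 80 else [2, arcs[0] - 80]
    return ".".join(map(str, head + arcs[1:]))

def classify_der(der):
    """The outer SEQUENCE's first two member tags tell the three formats apart."""
    tag, body, end = der_read(der)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    kids = list(der_children(body))
    tags = [t for t, _ in kids[:2]]
    if tags == [INTEGER, INTEGER]:          # RSAPrivateKey: version, n, e, d, p, q, ...
        return "traditional", "RSAPrivateKey"
    if tags == [INTEGER, SEQUENCE]:         # PrivateKeyInfo: version, algorithm, key
        fmt, alg_id = "pkcs8", kids[1][1]
    elif tags == [SEQUENCE, OCTET_STRING]:  # EncryptedPrivateKeyInfo: algorithm, data
        fmt, alg_id = "pkcs8-encrypted", kids[0][1]
    else:
        return "unknown", None
    tag, oid_bytes = next(der_children(alg_id))  # AlgorithmIdentifier: OID, parameters
    assert tag == OID, "AlgorithmIdentifier must start with an OID"
    oid = oid_to_str(oid_bytes)
    return fmt, KNOWN_OIDS.get(oid, oid)

PEM_RE = re.compile(r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----", re.S)

def identify(data):
    """Classify key-file bytes (PEM or DER) and return a dict of findings."""
    if data.lstrip().startswith(b"-----BEGIN"):
        m = PEM_RE.search(data.decode("ascii"))
        if not m:
            raise ValueError("malformed PEM")
        label, lines = m.group(1), m.group(2).strip().splitlines()
        # lines containing ':' are RFC 1421 headers (Proc-Type, DEK-Info), not base64
        encoding, der = "PEM", base64.b64decode("".join(l for l in lines if ":" not in l))
    else:
        label, encoding, der = None, "DER", data
    fmt, alg = classify_der(der)
    return {"encoding": encoding, "label": label, "format": fmt, "algorithm": alg}

def to_pem(label, der):
    """PEM-wrap DER bytes with the given label, 64 characters per line."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def samples():
    """Constructed DER keys from the textbook toy RSA key p=61, q=53, e=17 (not usable)."""
    rsa_oid = der_encode(OID, bytes.fromhex("2a864886f70d010101"))    # 1.2.840.113549.1.1.1
    pbes2_oid = der_encode(OID, bytes.fromhex("2a864886f70d01050d"))  # 1.2.840.113549.1.5.13
    # RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }
    rsa = der_encode(SEQUENCE, b"".join(der_int(i) for i in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
    # PrivateKeyInfo: the privateKey OCTET STRING wraps the RSAPrivateKey DER unchanged
    rsa_alg = der_encode(SEQUENCE, rsa_oid + der_encode(NULL, b""))
    pkcs8 = der_encode(SEQUENCE, der_int(0) + rsa_alg + der_encode(OCTET_STRING, rsa))
    # EncryptedPrivateKeyInfo: PBES2 parameters and ciphertext are placeholders here
    pbes2_alg = der_encode(SEQUENCE, pbes2_oid + der_encode(SEQUENCE, b""))
    encrypted = der_encode(SEQUENCE, pbes2_alg + der_encode(OCTET_STRING, b"\xaa" * 32))
    return {"traditional": rsa, "pkcs8": pkcs8, "pkcs8-encrypted": encrypted}
```

Calling identify(open(path, "rb").read()) on a real file, such as the output of "openssl pkcs8 -topk8", returns the encoding, PEM label, structure and algorithm OID found; "openssl asn1parse -inform DER -in key.der" prints the same nesting and is a good cross-check. The classifier only looks at the outer structure and the algorithm identifier. It decrypts nothing, and it reports a PKCS#8 file as "pkcs8-encrypted" whatever cipher was used, which is exactly the distinction a migration script needs before deciding whether to ask for a password.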

Visit the PKCS page at rsa.com to read more about PKCS#8.

What is PKCS#12?

PKCS#12 is one of the PKCS (Public Key Cryptography Standards) devised and published by RSA Security. PKCS#12 is designed as the Personal Information Exchange Syntax Standard.

PKCS#12 can be used in the same way as JKS (Java KeyStore) to store private keys and certificates together in a single, password-protected file. The Java SE "keytool" supports both keystore types, "jks" and "pkcs12" (PKCS#12 has been the default keystore type since Java 9).

When you use "OpenSSL" to generate private keys and certificates, they are stored as separate files. But "OpenSSL" does offer the "openssl pkcs12" command to merge a private key, its certificate and any CA certificates into a single PKCS#12 file, and to extract them again.

The "openssl pkcs12" command is therefore the key tool if you want to exchange private keys and certificates between "keytool" and "OpenSSL". Read other sections to see my tutorial notes on this.

Visit the PKCS page at rsa.com to read more about PKCS#12.

"OpenSSL" Private Key in Traditional Format

To understand the PKCS#8 private key format better, I started with "OpenSSL" to generate an RSA private key (the file really holds the whole key pair, since the public modulus and exponent are part of the RSAPrivateKey structure). The "openssl genrsa" command can only store the key in the traditional format, but it offers various encryption ciphers as options.

In the following test, I tried to use:

  • "openssl genrsa" to generate a RSA private key and store it in the traditional format with DER encoding, but no encryption.
  • "openssl rsa" to convert the key file format to traditional with PEM encoding, but no encryption.
  • "openssl rsa" to convert the key file format to traditional with DER encoding and encryption.
  • "openssl rsa" to convert the key file format to traditional with PEM encoding and encryption.

(Continued on next part...)


Dr. Herong Yang, updated in 2007