RSA PRIVATE KEY vs PRIVATE KEY
For some purposes, the private key in a .p12 file needs to be extracted and converted to a .pem file. One example is when you want to combine cert.pem and key.p12 so that authenticating to the Apple Push Notification Service becomes easier.
However, it appears that the following command gives different results on different versions of OpenSSL (-nodes writes the key unencrypted; -clcerts outputs only the client certificate, not the CA certificates in the bundle):
$ openssl pkcs12 -in Key.p12 -out PrivateKey.pem -nodes -clcerts
When I executed this command on my Mac (OpenSSL 1.0.2g 1 Mar 2016), I got:
$ cat PrivateKey.pem
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAxI5cb4Nkv8MalY6sysz3rPgIirl9CLnhjdbc4gjX3bUibWz4
...
-----END RSA PRIVATE KEY-----
But when I execute the same command on a Debian server with an older version of OpenSSL (OpenSSL 1.0.1k 8 Jan 2015):
$ cat PrivateKey.pem
-----BEGIN PRIVATE KEY-----
MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDEjlxvg2S/wxqV
...
-----END PRIVATE KEY-----
As you can see, the two files look completely different. They do, however, contain the same key: decoding both shows the bytes of the first file (starting 30 82 04 a2 02 01 00 02 82 01 01 00 c4 8e 5c 6f ...) embedded verbatim inside the second, after a 26-byte PKCS#8 header.
The key that begins with the tag -----BEGIN RSA PRIVATE KEY----- conforms to the PKCS#1 standard (the RSAPrivateKey structure). This format is exclusively for RSA keys. RSA is not the only public key scheme in SSL/TLS and X.509, however, so the PKCS#8 standard (PrivateKeyInfo, RFC 5208) was developed as a general syntax for private key information. In this format an AlgorithmIdentifier is stored next to the key material (for RSA the OID 1.2.840.113549.1.1.1, rsaEncryption), so that a program reading the file knows how to interpret the key that follows. .pem files conforming to the PKCS#8 standard start with the tag -----BEGIN PRIVATE KEY-----.
A PKCS#8 private key can also be protected with a passphrase (by dropping the -nodes flag). Keep in mind that with -nodes the key is written to disk in the clear, so restrict the file's permissions accordingly. Passphrase-protected .pem files have the following format:
-----BEGIN ENCRYPTED PRIVATE KEY-----
...
-----END ENCRYPTED PRIVATE KEY-----
The format your OpenSSL build emits is not always the one you want. To get the PKCS#8 key from the PKCS#1 version, unencrypted (hence -nocrypt):
$ openssl pkcs8 -topk8 -in PrivateKey12.pem -out PrivateKey8.pem -nocrypt
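To make the difference between the two formats concrete, here is an added example (my own code, not part of the original post and not OpenSSL's implementation) that uses only the Python standard library. It builds the PKCS#1 RSAPrivateKey structure for a constructed toy key, wraps it in the PKCS#8 PrivateKeyInfo envelope exactly as the -topk8 -nocrypt conversion above does, unwraps it again (the direction openssl's rsa command handles), and inspects a PEM file by its label, reporting the format, the algorithm OID and the modulus, or refusing an ENCRYPTED PRIVATE KEY because nothing can be read without the passphrase. The toy key (p=61, q=53) and the helper names are assumptions made for the example; real keys are 2048 bits or more.

```python
"""Inspect, wrap and unwrap RSA private keys in PKCS#1 and PKCS#8 PEM form.

Added example using only the standard library. The key at the bottom is a
constructed toy key (p=61, q=53), not the key from the post.
"""
import base64
import re

# AlgorithmIdentifier that PKCS#8 adds in front of an RSA key: rsaEncryption, NULL params.
RSA_ENCRYPTION_OID = "1.2.840.113549.1.1.1"


# ---- minimal DER encoder ------------------------------------------------------
def der_length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def der_integer(n: int) -> bytes:
    # Non-negative INTEGER; an extra leading 0x00 is added when the top bit is set.
    return der(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))


def der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


# ---- minimal DER decoder ------------------------------------------------------
def read_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV that starts at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def read_children(body: bytes):
    items, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        items.append((tag, value))
    return items


def read_sequence(buf: bytes):
    tag, body, _ = read_tlv(buf)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE")
    return read_children(body)


def decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


# ---- PEM <-> DER ------------------------------------------------------------
def pem_decode(pem: str):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM block")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))


def pem_encode(label: str, der_bytes: bytes) -> str:
    b64 = base64.b64encode(der_bytes).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# ---- the two structures -------------------------------------------------------
def rsa_private_key_pkcs1(n, e, d, p, q) -> bytes:
    """PKCS#1 RSAPrivateKey: SEQUENCE of version 0 and the eight RSA/CRT integers."""
    fields = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return der(0x30, b"".join(der_integer(x) for x in fields))


def wrap_pkcs8(rsa_key_der: bytes) -> bytes:
    """PKCS#8 PrivateKeyInfo: version 0, AlgorithmIdentifier, OCTET STRING with the
    PKCS#1 key inside. This is the envelope `openssl pkcs8 -topk8 -nocrypt` adds."""
    alg_id = der(0x30, der_oid(RSA_ENCRYPTION_OID) + b"\x05\x00")  # NULL parameters
    return der(0x30, der_integer(0) + alg_id + der(0x04, rsa_key_der))


def unwrap_pkcs8(pkcs8_der: bytes) -> bytes:
    """Inverse of wrap_pkcs8; checks the OID so a non-RSA key is not misread as PKCS#1."""
    (_, _version), (_, alg_body), (_, key_der) = read_sequence(pkcs8_der)[:3]
    oid = decode_oid(read_children(alg_body)[0][1])
    if oid != RSA_ENCRYPTION_OID:
        raise ValueError(f"not an RSA key, algorithm OID is {oid}")
    return key_der


def inspect_private_key(pem: str) -> dict:
    label, der_bytes = pem_decode(pem)
    if label == "ENCRYPTED PRIVATE KEY":
        # EncryptedPrivateKeyInfo: the key material is ciphertext, unreadable without the passphrase
        return {"format": "PKCS#8 (encrypted)", "algorithm": None, "modulus": None}
    if label == "RSA PRIVATE KEY":
        fmt, algorithm, rsa_der = "PKCS#1", "implicit (label only)", der_bytes
    elif label == "PRIVATE KEY":
        fmt, algorithm, rsa_der = "PKCS#8", RSA_ENCRYPTION_OID, unwrap_pkcs8(der_bytes)
    else:
        raise ValueError(f"unexpected PEM label {label!r}")
    modulus = int.from_bytes(read_sequence(rsa_der)[1][1], "big")  # field 1 is n
    return {"format": fmt, "algorithm": algorithm, "modulus": modulus}


# Constructed toy key (textbook primes); NOT usable as a real key.
TOY_RSA_DER = rsa_private_key_pkcs1(n=3233, e=17, d=2753, p=61, q=53)
TOY_PKCS1_PEM = pem_encode("RSA PRIVATE KEY", TOY_RSA_DER)
TOY_PKCS8_PEM = pem_encode("PRIVATE KEY", wrap_pkcs8(TOY_RSA_DER))

if __name__ == "__main__":
    print(TOY_PKCS1_PEM)
    print(TOY_PKCS8_PEM)
    for pem in (TOY_PKCS1_PEM, TOY_PKCS8_PEM):
        print(inspect_private_key(pem))
```

Running it prints the two PEM blocks side by side, and the inspection shows the same modulus for both, the point of the post: the difference is the envelope, not the key. The OID check in unwrap_pkcs8 is the practical reason to prefer PKCS#8 in code that accepts keys from outside, since a PKCS#1 file carries no algorithm information at all beyond its label.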