RSA PRIVATE KEY vs PRIVATE KEY
For some purposes, the private key of a .p12 file needs to be extracted and converted to a .pem file. An example is when you want to combine cert.pem and key.p12 to make authentication to the Apple Push Notification Service easier.
However, it appears that the following command gives different results on different versions of OpenSSL:
When I executed this command on my Mac (OpenSSL 1.0.2g 1 Mar 2016), I got:
But when I executed the same command on a Debian server with an older version of OpenSSL (OpenSSL 1.0.1k 8 Jan 2015):
As you can see, these two keys are not the same at all!
The key that begins with the tag -----BEGIN RSA PRIVATE KEY----- conforms to the PKCS#1 standard. This standard is exclusively for RSA keys. However, RSA is not the only public-key scheme in SSL/TLS and X.509. Therefore the PKCS#8 standard was developed, which is the standard syntax for private key information. In this format, the key's scheme is identified inside the key itself, so that other programs know how to interpret this general private key. .pem files conforming to the PKCS#8 standard start with the tag -----BEGIN PRIVATE KEY-----.
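The structural difference between the two formats described above, as an added example that is not part of the original post: standard-library Python that wraps a PKCS#1 RSAPrivateKey in a PKCS#8 PrivateKeyInfo, unwraps it again, and tells the two apart from the DER bytes. All function names and the toy key are constructed for illustration.

```python
import base64
import textwrap

RSA_ALGORITHM = bytes.fromhex("06092a864886f70d0101010500")  # OID rsaEncryption + NULL

def tlv(tag, value):
    """Encode one DER element: tag, definite length (short or long form), value."""
    n = len(value)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value

def der_int(i):
    return tlv(0x02, i.to_bytes(i.bit_length() // 8 + 1, "big"))  # non-negative, sign bit clear

def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def key_format(der):
    """After the version, PKCS#1 has an INTEGER (modulus); PKCS#8 has the algorithm SEQUENCE."""
    _, body, _ = read_tlv(der)
    _, _, pos = read_tlv(body)  # skip the version INTEGER
    return {0x02: "PKCS#1", 0x30: "PKCS#8"}[read_tlv(body, pos)[0]]

def pkcs1_to_pkcs8(pkcs1_der):
    """PrivateKeyInfo ::= SEQUENCE { version 0, AlgorithmIdentifier, OCTET STRING key }."""
    return tlv(0x30, der_int(0) + tlv(0x30, RSA_ALGORITHM) + tlv(0x04, pkcs1_der))

def pkcs8_to_pkcs1(pkcs8_der):
    """The OCTET STRING in the third field holds the PKCS#1 key when the algorithm is RSA."""
    _, body, _ = read_tlv(pkcs8_der)
    _, _, pos = read_tlv(body)
    _, alg, pos = read_tlv(body, pos)
    if alg != RSA_ALGORITHM:
        raise ValueError("PrivateKeyInfo does not carry an RSA key")
    return read_tlv(body, pos)[1]

def pem(label, der):
    b64 = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed toy key (p=61, q=53), far too small for real use: version, n, e, d, p, q, dP, dQ, qInv
TOY_PKCS1 = tlv(0x30, b"".join(der_int(x) for x in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
```

Calling pem("RSA PRIVATE KEY", TOY_PKCS1) and pem("PRIVATE KEY", pkcs1_to_pkcs8(TOY_PKCS1)) yields the two tags discussed above around the same key material.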
A private key (PKCS#8) can also be protected with a passphrase (by dropping the -nodes flag). Those .pem files will have the following format:
The new behavior of OpenSSL is not always what you want, so to get the PKCS#8 key from the PKCS#1 version: