Key Formats in OpenSSL



OpenSSL uses several formats to store keys and digital certificates. This video talks about those formats, including what you should consider in order to use a specific format. The formats I'll be discussing in this video include DER, PEM, PKCS1, SEC1, P7B, PKCS8, and PKCS12.


- Traditional ways of generating keys.

# Generating a PEM formatted RSA key.
openssl genrsa -out rsa.pem 2048

# Generating a PEM formatted ECDSA key.
openssl ecparam -genkey -name prime256v1 -noout -out ec.pem

# Generating a private key in traditional format. (-traditional is required for OpenSSL 3.0)
openssl genrsa -traditional -out rsa.pri 2048



- Switching from PEM format to DER format and vice versa

# Converting PEM to DER (RSA).
openssl rsa -in rsa.pem -out rsa.der -outform der

# Examining a DER formatted RSA key.
openssl rsa -in rsa.der -inform der -noout -text

# Converting DER formatted RSA key to PEM.
openssl rsa -in rsa.der -inform der -out rsa.pem -outform pem

# Encrypting RSA Private Keys.
openssl rsa -aes-256-cbc -in rsa.pri -out rsa.enc

# Using encryption for private keys in traditional format.
openssl rsa -aes-256-cbc -in rsa.pri -out rsa.enc -traditional

# Removing encryption from an RSA private key.
openssl rsa -in rsa.enc -out rsa.pri

# Converting PEM to DER (ECDSA).
openssl ec -in ec.pem -out ec.der -outform der

# Examining a DER formatted ECDSA key (-inform der is needed, since PEM is the default input format).
openssl ec -in ec.der -inform der -noout -text

# Converting DER formatted ECDSA key to PEM.
openssl ec -in ec.der -inform der -out ec.pem -outform pem

# Encrypting ECDSA private keys.
openssl ec -in ec.pem -aes-256-cbc -out ec.enc

# Removing encryption from an ECDSA private key.
openssl ec -in ec.enc -out ec.dec



- Switching from PKCS #1 (Traditional Format) to PKCS #8 format

# Converting PKCS#1 to PKCS#8 format RSA key.
openssl pkcs8 -in rsa.pri -topk8 -out rsa.pk8

# Converting PKCS#1 to PKCS#8 format RSA key with no encryption.
openssl pkcs8 -in rsa.pri -topk8 -out rsa.pk8 -nocrypt

# Converting PKCS#1 to PKCS#8 formatted RSA key with no encryption in DER format.
openssl pkcs8 -in rsa.pri -topk8 -out rsa.pk8 -nocrypt -outform DER

# Examining a PKCS#8 DER formatted RSA key (the file written above is DER, so -inform DER is required).
openssl rsa -in rsa.pk8 -inform DER -noout -text

# Converting a traditional (SEC1) ECDSA key to PKCS#8 format. (EC keys use SEC1, not PKCS#1, as their traditional format.)
openssl pkcs8 -in ec.pem -topk8 -out ec.pk8

# Converting a traditional (SEC1) ECDSA key to PKCS#8 format with no encryption.
openssl pkcs8 -in ec.pem -topk8 -nocrypt -out ec.pk8
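Before picking one of the conversion commands above (PEM vs DER, then PKCS#1/SEC1 vs PKCS#8) you usually have to find out which format a key file is already in, and whether it is encrypted at all. The script below is an added example, not part of the original video notes or of OpenSSL: it classifies a key blob using only the Python standard library by looking at the PEM label and RFC 1421 headers, then at the outer ASN.1 SEQUENCE of the DER (PKCS#1 RSAPrivateKey is a run of INTEGERs, SEC1 ECPrivateKey starts INTEGER 1 + OCTET STRING, PKCS#8 PrivateKeyInfo is INTEGER + AlgorithmIdentifier + OCTET STRING, and EncryptedPrivateKeyInfo has no leading INTEGER). The sample inputs are constructed toy structures with tiny numbers, not real keys; the function names (`classify`, `classify_der`, `der_tlv`) are my own.

```python
import base64
import re

# --- minimal DER reader: just enough to inspect the outer structure of a key ---

def der_tlv(buf):
    """Decode one DER tag-length-value; return (tag, value, remaining bytes)."""
    tag, first = buf[0], buf[1]
    if first & 0x80:                       # long-form length (0x81/0x82 + length bytes)
        n = first & 0x7F
        length = int.from_bytes(buf[2:2 + n], "big")
        start = 2 + n
    else:
        length, start = first, 2
    return tag, buf[start:start + length], buf[start + length:]

def der_children(value):
    """Split the contents of a SEQUENCE/SET into a list of (tag, value) pairs."""
    out, rest = [], value
    while rest:
        tag, val, rest = der_tlv(rest)
        out.append((tag, val))
    return out

OID_RSA = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
OID_EC = bytes.fromhex("2a8648ce3d0201")       # 1.2.840.10045.2.1 id-ecPublicKey

def classify_der(der):
    """Name the ASN.1 structure of a private key from its outer SEQUENCE."""
    tag, value, _ = der_tlv(der)
    if tag != 0x30:
        return "unknown (outer element is not a SEQUENCE)"
    kids = der_children(value)
    tags = [t for t, _ in kids]
    # PKCS#1 RSAPrivateKey: version, n, e, d, p, q, dP, dQ, qInv -> nine INTEGERs
    if len(kids) >= 9 and all(t == 0x02 for t in tags[:9]):
        return "PKCS#1 RSAPrivateKey (traditional, unencrypted)"
    # SEC1 ECPrivateKey: INTEGER version=1, OCTET STRING privateKey, [0] params, [1] pubkey
    if len(kids) >= 2 and tags[0] == 0x02 and kids[0][1] == b"\x01" and tags[1] == 0x04:
        return "SEC1 ECPrivateKey (traditional, unencrypted)"
    # PKCS#8 PrivateKeyInfo: INTEGER version, SEQUENCE AlgorithmIdentifier, OCTET STRING
    if len(kids) >= 3 and tags[0] == 0x02 and tags[1] == 0x30 and tags[2] == 0x04:
        alg = der_children(kids[1][1])
        oid = alg[0][1] if alg and alg[0][0] == 0x06 else b""
        name = {OID_RSA: "RSA", OID_EC: "EC"}.get(oid, "other algorithm")
        return f"PKCS#8 PrivateKeyInfo ({name}, unencrypted)"
    # PKCS#8 EncryptedPrivateKeyInfo: SEQUENCE AlgorithmIdentifier (PBES2...), OCTET STRING
    if len(kids) == 2 and tags[0] == 0x30 and tags[1] == 0x04:
        return "PKCS#8 EncryptedPrivateKeyInfo (encrypted)"
    return "unknown"

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def classify(data):
    """Report encoding (PEM/DER), PEM label, structure, and whether the key is encrypted."""
    m = PEM_RE.search(data)
    if not m:                               # no PEM armour: treat the bytes as DER
        structure = classify_der(data)
        return {"encoding": "DER", "label": None, "structure": structure,
                "encrypted": structure.startswith("PKCS#8 Encrypted")}
    label, body = m.group(1).decode(), m.group(2)
    if b"Proc-Type: 4,ENCRYPTED" in body:   # legacy PEM encryption (DEK-Info header)
        return {"encoding": "PEM", "label": label, "encrypted": True,
                "structure": f"{label} (traditional, encrypted via DEK-Info header)"}
    der = base64.b64decode(b"".join(body.split()))
    structure = classify_der(der)
    return {"encoding": "PEM", "label": label, "structure": structure,
            "encrypted": structure.startswith("PKCS#8 Encrypted")}

# --- constructed toy inputs (tiny numbers, NOT real keys) used for the demo ---

def der_enc(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def der_int(v):                             # non-negative INTEGER with leading 0x00 when needed
    return der_enc(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def pem_wrap(label, der):
    return (f"-----BEGIN {label}-----\n".encode() + base64.encodebytes(der)
            + f"-----END {label}-----\n".encode())

# toy RSA parameters: n=61*53, e=17, d=2753, dP, dQ, qInv (constructed, for structure only)
TOY_PKCS1 = der_enc(0x30, b"".join(der_int(v) for v in [0, 3233, 17, 2753, 61, 53, 53, 49, 38]))
TOY_SEC1 = der_enc(0x30, der_int(1) + der_enc(0x04, b"\x11" * 32)
                   + der_enc(0xA0, der_enc(0x06, bytes.fromhex("2a8648ce3d030107"))))  # prime256v1
TOY_PKCS8 = der_enc(0x30, der_int(0) + der_enc(0x30, der_enc(0x06, OID_RSA) + der_enc(0x05, b""))
                    + der_enc(0x04, TOY_PKCS1))
TOY_PKCS8_ENC = der_enc(0x30, der_enc(0x30, der_enc(0x06, bytes.fromhex("2a864886f70d01050d"))  # PBES2
                                          + der_enc(0x30, b"")) + der_enc(0x04, b"\x00" * 16))
TOY_LEGACY_ENC_PEM = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
                      b"DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF\n\n"
                      + base64.encodebytes(b"\x00" * 32) + b"-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    samples = [("rsa.pri  (PKCS#1 PEM)", pem_wrap("RSA PRIVATE KEY", TOY_PKCS1)),
               ("rsa.der  (PKCS#1 DER)", TOY_PKCS1),
               ("ec.pem   (SEC1 PEM)", pem_wrap("EC PRIVATE KEY", TOY_SEC1)),
               ("rsa.pk8  (PKCS#8 DER)", TOY_PKCS8),
               ("rsa.pk8  (PKCS#8 encrypted)", pem_wrap("ENCRYPTED PRIVATE KEY", TOY_PKCS8_ENC)),
               ("rsa.enc  (legacy encrypted PEM)", TOY_LEGACY_ENC_PEM)]
    for name, blob in samples:
        print(f"{name:34} -> {classify(blob)}")
```

To run it over a real file, read it in binary mode and pass the bytes to `classify()`; the `encrypted` field is the quick check for unencrypted private keys left in repositories or backups, and `structure` tells you whether `openssl pkcs8 -topk8` (traditional input) or a plain `openssl rsa`/`openssl ec` re-encode is the right next step.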



- Generating a PKCS #7 Bundle (P7B).

# Generating a P7b file of a signed certificate with certificate chain.
openssl crl2pkcs7 -nocrl -certfile dev.cer -certfile myIssuing.cer -certfile root.cer -out dev.p7b

# Examining a P7B file.
openssl pkcs7 -in dev.p7b -print_certs

# Examining a P7B file without outputting the certificates.
openssl pkcs7 -in dev.p7b -print_certs -noout



- Generating a PKCS #12 (PFX/P12) file.

# Generating a private key and a self-signed certificate
openssl genpkey -algorithm rsa -out rsa.pri -quiet
openssl req -x509 -new -key rsa.pri -subj '/CN=Test/' -days 365 -out test.cer

# Generating a PKCS#12 (PFX/P12) file.
openssl pkcs12 -export -inkey rsa.pri -in test.cer -out test.pfx

# Generate a PFX/P12 file for a signed certificate including its certificate chain.
cat root.cer myIssuing.cer > cacert.cer
openssl pkcs12 -export -inkey dev.key -in dev.cer -certfile cacert.cer -out dev.pfx

# Examining a PKCS#12 file without displaying any key.
openssl pkcs12 -in dev.pfx -info -nokeys

# Examining a PKCS#12 file without displaying any certificate
openssl pkcs12 -in dev.pfx -info -nocerts

# Examining a PKCS#12 file without displaying keys and certs (-nokeys + -nocerts)
openssl pkcs12 -in dev.pfx -info -nokeys -nocerts
openssl pkcs12 -in dev.pfx -info -noout

# Examining a PKCS#12 file to display only signed/client certificate
openssl pkcs12 -in dev.pfx -info -nokeys -clcerts

# Examining a PKCS#12 file to display only CA certificates
openssl pkcs12 -in dev.pfx -info -nokeys -cacerts

# Extract private key out of PKCS#12 file without encryption
openssl pkcs12 -in dev.pfx -nocerts -noenc | openssl rsa -out private.key

# Extract private key out of PKCS#12 file with encryption
openssl pkcs12 -in dev.pfx -nocerts | openssl rsa -aes-256-cbc -out private.key

# Extract private key out of PKCS#12 file with encryption with password as input from a file.
echo password@123 > passfile
openssl pkcs12 -in dev.pfx -passin file:passfile -nocerts -nodes | openssl rsa -aes-256-cbc -passout file:passfile -out private.key

# Examining ASN.1 Structure of a key.
openssl asn1parse -in rsa.pri