5 pkcs8 - PKCS#8 format private key conversion tool
33 The B<pkcs8> command processes private keys in PKCS#8 format. It can handle
34 both unencrypted PKCS#8 PrivateKeyInfo format and EncryptedPrivateKeyInfo
35 format with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.
37 =head1 COMMAND OPTIONS
43 Print out a usage message.
47 Normally a PKCS#8 private key is expected on input and a private key will be
48 written to the output file. With the B<-topk8> option the situation is
49 reversed: it reads a private key and writes a PKCS#8 format key.
51 =item B<-inform DER|PEM>
53 This specifies the input format: see L<KEY FORMATS> for more details.
55 =item B<-outform DER|PEM>
57 This specifies the output format: see L<KEY FORMATS> for more details.
61 When this option is present and B<-topk8> is not a traditional format private
66 This specifies the input filename to read a key from or standard input if this
67 option is not specified. If the key is encrypted a pass phrase will be
72 the input file password source. For more information about the format of B<arg>
73 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
75 =item B<-out filename>
77 This specifies the output filename to write a key to or standard output by
78 default. If any encryption options are set then a pass phrase will be
79 prompted for. The output filename should B<not> be the same as the input
84 the output file password source. For more information about the format of B<arg>
85 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
89 When creating new PKCS#8 containers, use a given number of iterations on
90 the password in deriving the encryption key for the PKCS#8 output.
91 High values increase the time required to brute-force a PKCS#8 container.
95 PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo
96 structures using an appropriate password based encryption algorithm. With
97 this option an unencrypted PrivateKeyInfo structure is expected or output.
98 This option does not encrypt private keys at all and should only be used
99 when absolutely necessary. Certain software such as some versions of Java
100 code signing software used unencrypted private keys.
104 This option sets the PKCS#5 v2.0 algorithm.
106 The B<alg> argument is the encryption algorithm to use, valid values include
107 B<aes128>, B<aes256> and B<des3>. If this option isn't specified then B<aes256>
112 This option sets the PRF algorithm to use with PKCS#5 v2.0. A typical value
113 value would be B<hmacWithSHA256>. If this option isn't set then the default
114 for the cipher is used or B<hmacWithSHA256> if there is no default.
116 Some implementations may not support custom PRF algorithms and may require
117 the B<hmacWithSHA1> option to work.
121 This option indicates a PKCS#5 v1.5 or PKCS#12 algorithm should be used. Some
122 older implementations may not support PKCS#5 v2.0 and may require this option.
123 If not specified PKCS#5 v2.0 form is used.
127 specifying an engine (by its unique B<id> string) will cause B<pkcs8>
128 to attempt to obtain a functional reference to the specified engine,
129 thus initialising it if needed. The engine will then be set as the default
130 for all available algorithms.
134 uses the B<scrypt> algorithm for private key encryption using default
135 parameters: currently N=16384, r=8 and p=1 and AES in CBC mode with a 256 bit
136 key. These parameters can be modified using the B<-scrypt_N>, B<-scrypt_r>,
137 B<-scrypt_p> and B<-v2> options.
139 B<-scrypt_N N> B<-scrypt_r r> B<-scrypt_p p>
141 sets the scrypt B<N>, B<r> or B<p> parameters.
147 Various different formats are used by the pkcs8 utility. These are detailed
150 If a key is being converted from PKCS#8 form (i.e. the B<-topk8> option is
151 not used) then the input file must be in PKCS#8 format. An encrypted
152 key is expected unless B<-nocrypt> is included.
154 If B<-topk8> is not used and B<PEM> mode is set the output file will be an
155 unencrypted private key in PKCS#8 format. If the B<-traditional> option is
156 used then a traditional format private key is written instead.
158 If B<-topk8> is not used and B<DER> mode is set the output file will be an
159 unencrypted private key in traditional DER format.
161 If B<-topk8> is used then any supported private key can be used for the input
162 file in a format specified by B<-inform>. The output file will be encrypted
163 PKCS#8 format using the specified encryption parameters unless B<-nocrypt>
168 By default, when converting a key to PKCS#8 format, PKCS#5 v2.0 using 256 bit
169 AES with HMAC and SHA256 is used.
171 Some older implementations do not support PKCS#5 v2.0 format and require
172 the older PKCS#5 v1.5 form instead, possibly also requiring insecure weak
173 encryption algorithms such as 56 bit DES.
175 The encrypted form of a PEM encode PKCS#8 files uses the following
178 -----BEGIN ENCRYPTED PRIVATE KEY-----
179 -----END ENCRYPTED PRIVATE KEY-----
181 The unencrypted form uses:
183 -----BEGIN PRIVATE KEY-----
184 -----END PRIVATE KEY-----
186 Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration
187 counts are more secure that those encrypted using the traditional
188 SSLeay compatible formats. So if additional security is considered
189 important the keys should be converted.
191 It is possible to write out DER encoded encrypted private keys in
192 PKCS#8 format because the encryption details are included at an ASN1
193 level whereas the traditional format includes them at a PEM level.
195 =head1 PKCS#5 v1.5 and PKCS#12 algorithms.
197 Various algorithms can be used with the B<-v1> command line option,
198 including PKCS#5 v1.5 and PKCS#12. These are described in more detail
203 =item B<PBE-MD2-DES PBE-MD5-DES>
205 These algorithms were included in the original PKCS#5 v1.5 specification.
206 They only offer 56 bits of protection since they both use DES.
208 =item B<PBE-SHA1-RC2-64 PBE-MD2-RC2-64 PBE-MD5-RC2-64 PBE-SHA1-DES>
210 These algorithms are not mentioned in the original PKCS#5 v1.5 specification
211 but they use the same key derivation algorithm and are supported by some
212 software. They are mentioned in PKCS#5 v2.0. They use either 64 bit RC2 or
215 =item B<PBE-SHA1-RC4-128 PBE-SHA1-RC4-40 PBE-SHA1-3DES PBE-SHA1-2DES PBE-SHA1-RC2-128 PBE-SHA1-RC2-40>
217 These algorithms use the PKCS#12 password based encryption algorithm and
218 allow strong encryption algorithms like triple DES or 128 bit RC2 to be used.
224 Convert a private key to PKCS#8 format using default parameters (AES with
225 256 bit key and B<hmacWithSHA256>):
227 openssl pkcs8 -in key.pem -topk8 -out enckey.pem
229 Convert a private key to PKCS#8 unencrypted format:
231 openssl pkcs8 -in key.pem -topk8 -nocrypt -out enckey.pem
233 Convert a private key to PKCS#5 v2.0 format using triple DES:
235 openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem
237 Convert a private key to PKCS#5 v2.0 format using AES with 256 bits in CBC
238 mode and B<hmacWithSHA512> PRF:
240 openssl pkcs8 -in key.pem -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA512 -out enckey.pem
242 Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm
245 openssl pkcs8 -in key.pem -topk8 -v1 PBE-MD5-DES -out enckey.pem
247 Convert a private key to PKCS#8 using a PKCS#12 compatible algorithm
250 openssl pkcs8 -in key.pem -topk8 -out enckey.pem -v1 PBE-SHA1-3DES
252 Read a DER unencrypted PKCS#8 format private key:
254 openssl pkcs8 -inform DER -nocrypt -in key.der -out key.pem
256 Convert a private key from any PKCS#8 encrypted format to traditional format:
258 openssl pkcs8 -in pk8.pem -traditional -out key.pem
260 Convert a private key to PKCS#8 format, encrypting with AES-256 and with
261 one million iterations of the password:
263 openssl pkcs8 -in key.pem -topk8 -v2 aes-256-cbc -iter 1000000 -out pk8.pem
267 Test vectors from this PKCS#5 v2.0 implementation were posted to the
268 pkcs-tng mailing list using triple DES, DES and RC2 with high iteration
269 counts, several people confirmed that they could decrypt the private
270 keys produced and Therefore it can be assumed that the PKCS#5 v2.0
271 implementation is reasonably accurate at least as far as these
272 algorithms are concerned.
274 The format of PKCS#8 DSA (and other) private keys is not well documented:
275 it is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL's default DSA
276 PKCS#8 private key format complies with this standard.
280 There should be an option that prints out the encryption algorithm
281 in use and other details such as the iteration count.
285 L<dsa(1)>, L<rsa(1)>, L<genrsa(1)>,
290 The B<-iter> option was added to OpenSSL 1.1.0.
294 Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
296 Licensed under the OpenSSL license (the "License"). You may not use
297 this file except in compliance with the License. You can obtain a copy
298 in the file LICENSE in the source distribution or at
299 L<https://www.openssl.org/source/license.html>.