pkcs8 man page on DigitalUNIX


pkcs8(1ssl)							   pkcs8(1ssl)

NAME
       pkcs8 - PKCS#8 format private key conversion tool

SYNOPSIS
       openssl pkcs8 [-topk8] [-inform PEM | DER] [-outform PEM | DER]
       [-in filename] [-passin arg] [-out filename] [-passout arg] [-noiter]
       [-nocrypt] [-nooct] [-embed] [-nsdb] [-v2 alg] [-v1 alg]

STANDARDS
       Test vectors from this PKCS#5 v2.0 implementation were posted to the
       pkcs-tng mailing list using triple DES, DES and RC2 with high iteration
       counts.  Several people confirmed that they could decrypt the private
       keys produced.  Therefore it can be assumed that the PKCS#5 v2.0
       implementation is reasonably accurate, at least as far as these
       algorithms are concerned.

       The format of PKCS#8 DSA and other private keys is not well documented.
       It is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL's default DSA
       PKCS#8 private key format complies with this standard.

OPTIONS
       -topk8
	      Normally a PKCS#8 private key is expected on input and a
	      traditional format private key will be written.  With the
	      -topk8 option the situation is reversed; it reads a traditional
	      format private key and writes a PKCS#8 format key.

       -inform PEM | DER
	      Specifies the input format.  If a PKCS#8 format key is expected
	      on input then either a DER or PEM encoded version of a PKCS#8 key
	      will be expected.  Otherwise the DER or PEM format of the
	      traditional format private key is used.

       -outform PEM | DER
	      Specifies the output format.  The options have the same meaning
	      as the -inform option.

       -in filename
	      Specifies the input filename to read a key from or standard
	      input if this option is not specified.  If the key is encrypted
	      there is a prompt for a pass phrase.

       -passin arg
	      Input file password source.  For more information about the
	      format of arg, see the Pass Phrase Arguments section in
	      openssl(1ssl).

       -out filename
	      Specifies the output filename to write a key to or standard
	      output by default.  If any encryption options are set, there is
	      a prompt for a pass phrase.  The output filename should not be
	      the same as the input filename.

       -passout arg
	      Output file password source.  For more information about the
	      format of arg see the Pass Phrase Arguments section in
	      openssl(1ssl).

       -nocrypt
	      PKCS#8 keys generated or input are normally PKCS#8
	      EncryptedPrivateKeyInfo structures using an appropriate password
	      based encryption algorithm.  With this option an unencrypted
	      PrivateKeyInfo structure is expected or output.  This option
	      does not encrypt private keys, and should only be used when
	      absolutely necessary.  Certain software such as some versions of
	      Java code signing software used unencrypted private keys.

       -nooct
	      Generates RSA private keys in a broken format used by some
	      software.  Specifically the private key should be enclosed in an
	      octet string, but some software only includes the structure
	      itself without the surrounding octet string.

       -embed
	      Generates DSA keys in a broken format.  The DSA parameters are
	      embedded inside the PrivateKey structure.  In this form the octet
	      string contains an ASN1 sequence consisting of two structures: a
	      sequence containing the parameters and an ASN1 integer containing
	      the private key.

       -nsdb  Generates DSA keys in a broken format compatible with Netscape
	      private key databases.  The PrivateKey contains a sequence
	      consisting of the public and private keys respectively.

       -v2 alg
	      Enables the use of PKCS#5 v2.0 algorithms.  Normally PKCS#8
	      private keys are encrypted with the password based encryption
	      algorithm called pbeWithMD5AndDES-CBC.  This uses 56-bit DES
	      encryption, but it was the strongest encryption algorithm
	      supported in PKCS#5 v1.5.  Using the -v2 option PKCS#5 v2.0
	      algorithms are used which can use any encryption algorithm such
	      as 168-bit triple DES or 128-bit RC2.  However, not many
	      implementations support PKCS#5 v2.0.  If you are using private
	      keys only with OpenSSL then this doesn't matter.

	      The alg argument is the encryption algorithm to use.  Valid
	      values include des, des3 and rc2.  We recommend that des3 be
	      used.

       -v1 alg
	      Specifies a PKCS#5 v1.5 or PKCS#12 algorithm to use.  A complete
	      list of possible algorithms is included below.

   PKCS#5 v1.5 and PKCS#12 algorithms.
       Various algorithms can be used with the -v1 command line option,
       including PKCS#5 v1.5 and PKCS#12.  These are described in more detail
       below.

       These algorithms were included in the original PKCS#5 v1.5
       specification.  They only offer 56 bits of protection since they both
       use DES.

       These algorithms are not mentioned in the original PKCS#5 v1.5
       specification, but they use the same key derivation algorithm and are
       supported by some software.  They are mentioned in PKCS#5 v2.0.  They
       use either 64-bit RC2 or 56-bit DES.

       These algorithms use the PKCS#12 password based encryption algorithm
       and allow strong encryption algorithms like triple DES or 128-bit RC2
       to be used.

DESCRIPTION
       The pkcs8 command processes private keys in PKCS#8 format.  It can
       handle both unencrypted PKCS#8 PrivateKeyInfo format and
       EncryptedPrivateKeyInfo format with a variety of PKCS#5 (v1.5 and
       v2.0) and PKCS#12 algorithms.

NOTES
       The encrypted form of PEM encoded PKCS#8 files uses the following
       headers and footers:
	-----BEGIN ENCRYPTED PRIVATE KEY-----
	-----END ENCRYPTED PRIVATE KEY-----

       The unencrypted form uses:
	-----BEGIN PRIVATE KEY-----
	-----END PRIVATE KEY-----

       Private keys encrypted using PKCS#5 v2.0 algorithms and high  iteration
       counts  are  more  secure  than	those  encrypted using the traditional
       SSLeay compatible formats. If additional	 security  is  important,  the
       keys should be converted.

       The  default  encryption is only 56 bits because this is the encryption
       that most current implementations of PKCS#8 will support.

       Some software may use PKCS#12 password based encryption algorithms with
       PKCS#8  format private keys. These are handled automatically, but there
       is no option to produce them.

       It is possible to write out  DER	 encoded  encrypted  private  keys  in
       PKCS#8  format  because	the encryption details are included at an ASN1
       level, whereas the traditional format includes them at a PEM level.

RESTRICTIONS
       There should be an option that prints out the encryption	 algorithm  in
       use and other details such as the iteration count.

       PKCS#8  using  triple DES and PKCS#5 v2.0 should be the default private
       key format for OpenSSL. For compatibility, several of the utilities use
       the old format.
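       The NOTES above say that PKCS#5 v2.0 with a high iteration count is
       stronger than the 56-bit default, and the RESTRICTIONS note that pkcs8
       offers no option to print the algorithm and iteration count actually
       in use.  The script below is an added example (it is not part of
       OpenSSL or of this man page) that fills that gap from the outside: it
       reads a PEM PKCS#8 file, tells encrypted from unencrypted by the
       header, and walks the DER EncryptedPrivateKeyInfo with a minimal
       standard-library ASN.1 reader to report the PBE algorithm, the KDF,
       the cipher and the iteration count.  The object identifiers are the
       standard PKCS#5/PKCS#12 ones; the sample keys are constructed by the
       script itself (their encryptedData is filler, not a real key), so it
       runs offline with no key material.

```python
"""Report the password based encryption used by a PEM PKCS#8 private key.
Added example, standard library only; not part of OpenSSL's pkcs8 command.
Sample inputs built by build_sample() are constructed, not real keys."""
import base64
import re

# Standard PKCS#5 / PKCS#12 object identifiers, dotted form.
OIDS = {
    "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC (PKCS#5 v1.5, 56-bit DES)",
    "1.2.840.113549.1.5.10": "pbeWithSHA1AndDES-CBC (PKCS#5 v1.5, 56-bit DES)",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.1.5.13": "PBES2 (PKCS#5 v2.0)",
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC (PKCS#12)",
    "1.2.840.113549.3.7": "des-ede3-cbc",
}
PBES2_OID = "1.2.840.113549.1.5.13"


def der_read(buf, pos=0):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def decode_oid(value):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) into dotted form."""
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    return ".".join(map(str, arcs))


def inspect_pkcs8_pem(pem):
    """Describe the encryption of a PKCS#8 PEM key as a dict."""
    m = re.search(r"-----BEGIN (ENCRYPTED )?PRIVATE KEY-----(.*?)-----END", pem, re.S)
    if not m:
        raise ValueError("not a PEM PKCS#8 private key")
    info = {"encrypted": m.group(1) is not None}
    if not info["encrypted"]:
        return info  # plain PrivateKeyInfo (-nocrypt): nothing to report
    der_bytes = base64.b64decode("".join(m.group(2).split()))
    # EncryptedPrivateKeyInfo ::= SEQUENCE { encryptionAlgorithm, encryptedData }
    _, body, _ = der_read(der_bytes)
    alg_id, _encrypted_data = der_children(body)
    oid_tlv, params_tlv = der_children(alg_id[1])
    oid = decode_oid(oid_tlv[1])
    info["algorithm"] = OIDS.get(oid, oid)
    params = der_children(params_tlv[1])
    if oid == PBES2_OID:
        kdf, scheme = params  # PBES2-params ::= { keyDerivationFunc, encryptionScheme }
        kdf_oid_tlv, kdf_params = der_children(kdf[1])
        _salt, iters = der_children(kdf_params[1])[:2]  # PBKDF2-params { salt, iterationCount, ... }
        info["kdf"] = OIDS.get(decode_oid(kdf_oid_tlv[1]))
        info["iterations"] = int.from_bytes(iters[1], "big")
        scheme_oid = decode_oid(der_children(scheme[1])[0][1])
        info["cipher"] = OIDS.get(scheme_oid, scheme_oid)
    else:  # PBES1 and PKCS#12 PBE params ::= SEQUENCE { salt, iterationCount }
        info["iterations"] = int.from_bytes(params[1][1], "big")
    return info


def der(tag, content):
    """Minimal DER encoder, used only to build the constructed samples."""
    if len(content) < 128:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = [arcs[0] * 40 + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += chunk
    return der(0x06, bytes(body))


def build_sample(pbes2, iterations=2048):
    """Constructed EncryptedPrivateKeyInfo PEM; encryptedData is filler."""
    count = der(0x02, iterations.to_bytes((iterations.bit_length() + 8) // 8, "big"))
    salt = der(0x04, bytes(range(8)))
    if pbes2:  # the structure `-topk8 -v2 des3` produces: PBES2 / PBKDF2 / 3DES
        kdf = der(0x30, encode_oid("1.2.840.113549.1.5.12") + der(0x30, salt + count))
        scheme = der(0x30, encode_oid("1.2.840.113549.3.7") + der(0x04, bytes(8)))
        alg = der(0x30, encode_oid(PBES2_OID) + der(0x30, kdf + scheme))
    else:  # the pbeWithMD5AndDES-CBC default
        alg = der(0x30, encode_oid("1.2.840.113549.1.5.3") + der(0x30, salt + count))
    b64 = base64.b64encode(der(0x30, alg + der(0x04, bytes(40)))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN ENCRYPTED PRIVATE KEY-----\n{body}\n-----END ENCRYPTED PRIVATE KEY-----\n"


if __name__ == "__main__":
    import sys
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample(True)
    for k, v in inspect_pkcs8_pem(pem).items():
        print(f"{k}: {v}")
```

       Run it with the path of a key written by openssl pkcs8 as its only
       argument; with no argument it inspects its own constructed PBES2
       sample.  A report of pbeWithMD5AndDES-CBC means the key is still in
       the 56-bit default form the NOTES warn about and is a candidate for
       the -v2 des3 conversion shown in EXAMPLES.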

EXAMPLES
       Convert a private key from traditional to PKCS#5 v2.0 format using
       triple DES:

	      openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem

       Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm
       (DES):

	      openssl pkcs8 -in key.pem -topk8 -out enckey.pem

       Convert a private key to PKCS#8 using a PKCS#12 compatible algorithm
       (3DES):

	      openssl pkcs8 -in key.pem -topk8 -out enckey.pem -v1 PBE-SHA1-3DES

       Read a DER unencrypted PKCS#8 format private key:

	      openssl pkcs8 -inform DER -nocrypt -in key.der -out key.pem

       Convert a private key from any PKCS#8 format to traditional format:

	      openssl pkcs8 -in pk8.pem -out key.pem

SEE ALSO
       Commands: dsa(1ssl), rsa(1ssl), genrsa(1ssl), gendsa(1ssl)

								   pkcs8(1ssl)