5 openssl-pkcs8 - PKCS#8 format private key conversion tool
12 [B<-inform> B<DER>|B<PEM>]
13 [B<-outform> B<DER>|B<PEM>]
21 [B<-writerand> I<file>]
33 =for comment ifdef engine scrypt scrypt_N scrypt_r scrypt_p
37 The B<pkcs8> command processes private keys in PKCS#8 format. It can handle
38 both unencrypted PKCS#8 PrivateKeyInfo format and EncryptedPrivateKeyInfo
39 format with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.
47 Print out a usage message.
51 Normally a PKCS#8 private key is expected on input and a private key will be
52 written to the output file. With the B<-topk8> option the situation is
53 reversed: it reads a private key and writes a PKCS#8 format key.
55 =item B<-inform> B<DER>|B<PEM>
57 This specifies the input format: see L<KEY FORMATS> for more details. The default
60 =item B<-outform> B<DER>|B<PEM>
62 This specifies the output format: see L<KEY FORMATS> for more details. The default
67 When this option is present and B<-topk8> is not a traditional format private
70 =item B<-in> I<filename>
72 This specifies the input filename to read a key from or standard input if this
73 option is not specified. If the key is encrypted a pass phrase will be
76 =item B<-passin> I<arg>
78 The input file password source. For more information about the format of B<arg>
79 see L<openssl(1)/Pass phrase options>.
81 =item B<-out> I<filename>
83 This specifies the output filename to write a key to or standard output by
84 default. If any encryption options are set then a pass phrase will be
85 prompted for. The output filename should B<not> be the same as the input
88 =item B<-passout> I<arg>
90 The output file password source. For more information about the format of B<arg>
91 see the B<PASS PHRASE ARGUMENTS> section in L<openssl(1)>.
93 =item B<-iter> I<count>
95 When creating new PKCS#8 containers, use a given number of iterations on
96 the password in deriving the encryption key for the PKCS#8 output.
97 High values increase the time required to brute-force a PKCS#8 container.
101 PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo
102 structures using an appropriate password based encryption algorithm. With
103 this option an unencrypted PrivateKeyInfo structure is expected or output.
104 This option does not encrypt private keys at all and should only be used
105 when absolutely necessary. Certain software such as some versions of Java
106 code signing software used unencrypted private keys.
108 =item B<-rand> I<file...>
110 A file or files containing random data used to seed the random number
112 Multiple files can be specified separated by an OS-dependent character.
113 The separator is B<;> for MS-Windows, B<,> for OpenVMS, and B<:> for
116 =item B<-writerand> I<file>
118 Writes random data to the specified I<file> upon exit.
119 This can be used with a subsequent B<-rand> flag.
123 This option sets the PKCS#5 v2.0 algorithm.
125 The B<alg> argument is the encryption algorithm to use, valid values include
126 B<aes128>, B<aes256> and B<des3>. If this option isn't specified then B<aes256>
129 =item B<-v2prf> I<alg>
131 This option sets the PRF algorithm to use with PKCS#5 v2.0. A typical value
132 value would be B<hmacWithSHA256>. If this option isn't set then the default
133 for the cipher is used or B<hmacWithSHA256> if there is no default.
135 Some implementations may not support custom PRF algorithms and may require
136 the B<hmacWithSHA1> option to work.
140 This option indicates a PKCS#5 v1.5 or PKCS#12 algorithm should be used. Some
141 older implementations may not support PKCS#5 v2.0 and may require this option.
142 If not specified PKCS#5 v2.0 form is used.
144 =item B<-engine> I<id>
146 Specifying an engine (by its unique B<id> string) will cause B<pkcs8>
147 to attempt to obtain a functional reference to the specified engine,
148 thus initialising it if needed. The engine will then be set as the default
149 for all available algorithms.
153 Uses the B<scrypt> algorithm for private key encryption using default
154 parameters: currently N=16384, r=8 and p=1 and AES in CBC mode with a 256 bit
155 key. These parameters can be modified using the B<-scrypt_N>, B<-scrypt_r>,
156 B<-scrypt_p> and B<-v2> options.
158 =item B<-scrypt_N> I<N>, B<-scrypt_r> I<r>, B<-scrypt_p> I<p>
160 Sets the scrypt B<N>, B<r> or B<p> parameters.
166 Various different formats are used by the pkcs8 utility. These are detailed
169 If a key is being converted from PKCS#8 form (i.e. the B<-topk8> option is
170 not used) then the input file must be in PKCS#8 format. An encrypted
171 key is expected unless B<-nocrypt> is included.
173 If B<-topk8> is not used and B<PEM> mode is set the output file will be an
174 unencrypted private key in PKCS#8 format. If the B<-traditional> option is
175 used then a traditional format private key is written instead.
177 If B<-topk8> is not used and B<DER> mode is set the output file will be an
178 unencrypted private key in traditional DER format.
180 If B<-topk8> is used then any supported private key can be used for the input
181 file in a format specified by B<-inform>. The output file will be encrypted
182 PKCS#8 format using the specified encryption parameters unless B<-nocrypt>
187 By default, when converting a key to PKCS#8 format, PKCS#5 v2.0 using 256 bit
188 AES with HMAC and SHA256 is used.
190 Some older implementations do not support PKCS#5 v2.0 format and require
191 the older PKCS#5 v1.5 form instead, possibly also requiring insecure weak
192 encryption algorithms such as 56 bit DES.
194 The encrypted form of a PEM encode PKCS#8 files uses the following
197 -----BEGIN ENCRYPTED PRIVATE KEY-----
198 -----END ENCRYPTED PRIVATE KEY-----
200 The unencrypted form uses:
202 -----BEGIN PRIVATE KEY-----
203 -----END PRIVATE KEY-----
205 Private keys encrypted using PKCS#5 v2.0 algorithms and high iteration
206 counts are more secure that those encrypted using the traditional
207 SSLeay compatible formats. So if additional security is considered
208 important the keys should be converted.
210 It is possible to write out DER encoded encrypted private keys in
211 PKCS#8 format because the encryption details are included at an ASN1
212 level whereas the traditional format includes them at a PEM level.
214 =head1 PKCS#5 V1.5 AND PKCS#12 ALGORITHMS
216 Various algorithms can be used with the B<-v1> command line option,
217 including PKCS#5 v1.5 and PKCS#12. These are described in more detail
222 =item B<PBE-MD2-DES PBE-MD5-DES>
224 These algorithms were included in the original PKCS#5 v1.5 specification.
225 They only offer 56 bits of protection since they both use DES.
227 =item B<PBE-SHA1-RC2-64>, B<PBE-MD2-RC2-64>, B<PBE-MD5-RC2-64>, B<PBE-SHA1-DES>
229 These algorithms are not mentioned in the original PKCS#5 v1.5 specification
230 but they use the same key derivation algorithm and are supported by some
231 software. They are mentioned in PKCS#5 v2.0. They use either 64 bit RC2 or
234 =item B<PBE-SHA1-RC4-128>, B<PBE-SHA1-RC4-40>, B<PBE-SHA1-3DES>, B<PBE-SHA1-2DES>, B<PBE-SHA1-RC2-128>, B<PBE-SHA1-RC2-40>
236 These algorithms use the PKCS#12 password based encryption algorithm and
237 allow strong encryption algorithms like triple DES or 128 bit RC2 to be used.
243 Convert a private key to PKCS#8 format using default parameters (AES with
244 256 bit key and B<hmacWithSHA256>):
246 openssl pkcs8 -in key.pem -topk8 -out enckey.pem
248 Convert a private key to PKCS#8 unencrypted format:
250 openssl pkcs8 -in key.pem -topk8 -nocrypt -out enckey.pem
252 Convert a private key to PKCS#5 v2.0 format using triple DES:
254 openssl pkcs8 -in key.pem -topk8 -v2 des3 -out enckey.pem
256 Convert a private key to PKCS#5 v2.0 format using AES with 256 bits in CBC
257 mode and B<hmacWithSHA512> PRF:
259 openssl pkcs8 -in key.pem -topk8 -v2 aes-256-cbc -v2prf hmacWithSHA512 -out enckey.pem
261 Convert a private key to PKCS#8 using a PKCS#5 1.5 compatible algorithm
264 openssl pkcs8 -in key.pem -topk8 -v1 PBE-MD5-DES -out enckey.pem
266 Convert a private key to PKCS#8 using a PKCS#12 compatible algorithm
269 openssl pkcs8 -in key.pem -topk8 -out enckey.pem -v1 PBE-SHA1-3DES
271 Read a DER unencrypted PKCS#8 format private key:
273 openssl pkcs8 -inform DER -nocrypt -in key.der -out key.pem
275 Convert a private key from any PKCS#8 encrypted format to traditional format:
277 openssl pkcs8 -in pk8.pem -traditional -out key.pem
279 Convert a private key to PKCS#8 format, encrypting with AES-256 and with
280 one million iterations of the password:
282 openssl pkcs8 -in key.pem -topk8 -v2 aes-256-cbc -iter 1000000 -out pk8.pem
286 Test vectors from this PKCS#5 v2.0 implementation were posted to the
287 pkcs-tng mailing list using triple DES, DES and RC2 with high iteration
288 counts, several people confirmed that they could decrypt the private
289 keys produced and Therefore it can be assumed that the PKCS#5 v2.0
290 implementation is reasonably accurate at least as far as these
291 algorithms are concerned.
293 The format of PKCS#8 DSA (and other) private keys is not well documented:
294 it is hidden away in PKCS#11 v2.01, section 11.9. OpenSSL's default DSA
295 PKCS#8 private key format complies with this standard.
299 There should be an option that prints out the encryption algorithm
300 in use and other details such as the iteration count.
307 L<openssl-genrsa(1)>,
312 The B<-iter> option was added in OpenSSL 1.1.0.
316 Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
318 Licensed under the Apache License 2.0 (the "License"). You may not use
319 this file except in compliance with the License. You can obtain a copy
320 in the file LICENSE in the source distribution or at
321 L<https://www.openssl.org/source/license.html>.