[slass@jenkins01 ~]$ openssl version
OpenSSL 1.0.0-fips 29 Mar 2010
[slass@jenkins01 ~]$ uname -a
Linux jenkins01 2.6.32-358.18.1.el6.x86_64 #1 SMP Wed Aug 28 17:19:38 UTC 2013 x86_64 x86_64 x86_64 GNU/Linux
[slass@jenkins01 ~]$

According to the docs: http://www.openssl.org/docs/apps/pkcs8.html

====================================================================

DESCRIPTION

The pkcs8 command processes private keys in PKCS#8 format. It can handle both unencrypted PKCS#8 PrivateKeyInfo format and EncryptedPrivateKeyInfo format with a variety of PKCS#5 (v1.5 and v2.0) and PKCS#12 algorithms.

________________________________

COMMAND OPTIONS

-topk8
    Normally a PKCS#8 private key is expected on input and a traditional format private key will be written. With the -topk8 option the situation is reversed: it reads a traditional format private key and writes a PKCS#8 format key.

====================================================================

********************************************************************

BUG: The "Normally" behavior, that is "PKCS8 in, traditional format private key out" does not work. The actual behavior is "PKCS8 in, PKCS8 out."

********************************************************************

Transcript showing unexpected behavior:

# generate a 2048 bit RSA key
[slass@jenkins01 ~]$ openssl genrsa -out bogus.key 2048
Generating RSA private key, 2048 bit long modulus
.................................................................................+++
.+++
e is 65537 (0x10001)
[slass@jenkins01 ~]$ cat bogus.key
-----BEGIN RSA PRIVATE KEY-----
[base64 key body omitted]
-----END RSA PRIVATE KEY-----

# create an (unencrypted) PKCS8 object from the private key
[slass@jenkins01 ~]$ openssl pkcs8 -nocrypt -topk8 -in bogus.key -out bogus.key.pkcs8
[slass@jenkins01 ~]$ cat bogus.key.pkcs8
-----BEGIN PRIVATE KEY-----
[base64 key body omitted]
-----END PRIVATE KEY-----

# use documented behavior to convert pkcs8 back to "old format private key"
[slass@jenkins01 ~]$ openssl pkcs8 -nocrypt -in bogus.key.pkcs8 -out bogus.key.pkcs8.key

#####
#
# EXPECTED BEHAVIOR: bogus.key is the same as bogus.key.pkcs8.key
#
#####
#
# ACTUAL RESULTS: bogus.key.pkcs8.key is still a PKCS8 object
#
#####

[slass@jenkins01 ~]$ diff bogus.key.pkcs8 bogus.key.pkcs8.key
# no difference
[slass@jenkins01 ~]$ diff bogus.key bogus.key.pkcs8.key
1,27c1,28
< -----BEGIN RSA PRIVATE KEY-----
< [base64 key body omitted]
< -----END RSA PRIVATE KEY-----
---
> -----BEGIN PRIVATE KEY-----
> [base64 key body omitted]
> -----END PRIVATE KEY-----
[slass@jenkins01 ~]$

====================================================================

So the behavior of pkcs8 does not agree with the documentation.

You can work around this by using rsa, because rsa will accept either a PKCS8 object or a "traditional format private key", and will output a "traditional format private key".

Thank you.

-Mike Slass
Seattle, WA

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
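
An added example, not part of the original message and not OpenSSL code: a minimal DER check in Python that tells an unencrypted PKCS#8 PrivateKeyInfo from a traditional RSAPrivateKey by structure rather than by PEM label, and extracts the inner key the way the "PKCS8 in, traditional out" conversion is documented to. The toy key and every function name below are constructed for illustration.

```python
RSA_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def tlv(tag, body):  # encode one DER element with a definite length
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + body

def der_int(v):
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def children(body):
    """Split the contents of a SEQUENCE into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, n, pos = body[pos], body[pos + 1], pos + 2
        if n & 0x80:  # long form: low 7 bits give the number of length bytes
            n, pos = int.from_bytes(body[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
        if pos + n > len(body):
            raise ValueError("truncated DER")
        out.append((tag, body[pos:pos + n]))
        pos += n
    return out

def classify(der):
    """Return 'pkcs8' (PrivateKeyInfo) or 'traditional' (RSAPrivateKey)."""
    top = children(der)
    if len(top) != 1 or top[0][0] != 0x30:
        raise ValueError("expected a single DER SEQUENCE")
    tags = [t for t, _ in children(top[0][1])]
    if tags[:3] == [0x02, 0x30, 0x04]:  # version, AlgorithmIdentifier, OCTET STRING
        return "pkcs8"
    if len(tags) >= 9 and set(tags) == {0x02}:  # version followed by eight INTEGERs
        return "traditional"
    raise ValueError("unrecognised private key structure")

def pem_label(der):
    return "RSA PRIVATE KEY" if classify(der) == "traditional" else "PRIVATE KEY"

def to_traditional(der):
    """Accept either format and return the RSAPrivateKey, as the rsa workaround does."""
    if classify(der) == "traditional":
        return der
    _, alg, inner = [v for _, v in children(children(der)[0][1])][:3]
    if not alg.startswith(RSA_OID):
        raise ValueError("PKCS#8 object does not hold an RSA key")
    return inner

# Constructed toy key (p=61, q=53), far too small for real use; stands in for bogus.key.
TOY = tlv(0x30, b"".join(der_int(v) for v in (0, 3233, 17, 2753, 61, 53, 53, 49, 38)))
TOY_PKCS8 = tlv(0x30, der_int(0) + tlv(0x30, RSA_OID + b"\x05\x00") + tlv(0x04, TOY))
```

Running `classify` on the base64-decoded body of a converted file shows whether the conversion changed the encoding or only copied the PKCS#8 object through.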