Converting PKCS#1 RSA key to PKCS#8 format
Problem
- I needed to load a private key into the Java keystore at runtime to use for mutual TLS
- I had an RSA Private Key in PKCS#1
- It’s easier to work with PKCS#8 format keys when loading them into Java applications
Solution
- Convert the original PKCS#1 format key into a PKCS#8 format ready to load
Worked Example
- I had an existing key but for this example we’ll generate a new example key:
openssl genrsa -f4 -out rsa.key 2048
- This generates a key in PKCS#1 format like:
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEArKnetE3gAf7srZfKZoZGgfHnayCUDmgzYSRYN4LhsNdv01LS
ehWaQON/QmysBHQ/DVBlXJV4tQm1tDvdgUSrtQ4MHr3V2T0du/cbd1boO4O/0bcw
...... omitted for brevity ......
-----END RSA PRIVATE KEY-----
- Convert the rsa.key to PKCS#8 format using:
openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in rsa.key -out rsa.key.der
- The rsa.key.der generated is in binary format so isn’t easily viewable
- You can confirm that the conversion completed successfully by viewing it:
openssl rsa -in rsa.key.der -inform DER
- This prints out:
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEArKnetE3gAf7srZfKZoZGgfHnayCUDmgzYSRYN4LhsNdv01LS
ehWaQON/QmysBHQ/DVBlXJV4tQm1tDvdgUSrtQ4MHr3V2T0du/cbd1boO4O/0bcw
...... omitted for brevity ......
-----END RSA PRIVATE KEY-----
- This should match the contents of the original rsa.key
- We can now use this and load it into the Java keystore at runtime for our needs
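What the `openssl pkcs8 -topk8 -nocrypt` step changes at the byte level, as an added example that is not part of the original post: PKCS#8 leaves the PKCS#1 `RSAPrivateKey` bytes untouched and wraps them in a `PrivateKeyInfo` header that names the algorithm, which is the structure Java's `PKCS8EncodedKeySpec` parses. The helper names and the textbook-sized sample key are constructed for illustration.

```python
# DER of AlgorithmIdentifier { OID 1.2.840.113549.1.1.1 (rsaEncryption), NULL }
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER tag-length-value (short or long length form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def read_tlv(buf: bytes, pos: int, tag: int):
    """Return (body, next_pos) of the TLV at pos; ValueError on wrong tag or truncation."""
    if len(buf) < pos + 2 or buf[pos] != tag:
        raise ValueError(f"expected DER tag {tag:#04x} at offset {pos}")
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits give the number of length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated DER value")
    return buf[pos:pos + n], pos + n

def pkcs1_to_pkcs8(pkcs1: bytes) -> bytes:
    """Wrap RSAPrivateKey DER as PrivateKeyInfo { version 0, algorithm, OCTET STRING }."""
    read_tlv(pkcs1, 0, 0x30)  # input must at least be a DER SEQUENCE
    return tlv(0x30, b"\x02\x01\x00" + RSA_ALG_ID + tlv(0x04, pkcs1))

def pkcs8_to_pkcs1(pkcs8: bytes) -> bytes:
    """Unwrap unencrypted RSA PKCS#8; raw PKCS#1 input is rejected with ValueError."""
    body, _ = read_tlv(pkcs8, 0, 0x30)
    version, pos = read_tlv(body, 0, 0x02)
    alg, pos = read_tlv(body, pos, 0x30)
    if version != b"\x00" or tlv(0x30, alg) != RSA_ALG_ID:
        raise ValueError("not an unencrypted RSA PKCS#8 key")
    return read_tlv(body, pos, 0x04)[0]

def toy_pkcs1() -> bytes:
    """Constructed sample: textbook-sized RSA key (p=61, q=53), not usable for real crypto."""
    p, q, e = 61, 53, 17
    d = pow(e, -1, (p - 1) * (q - 1))
    fields = [0, p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    enc = lambda v: tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    return tlv(0x30, b"".join(enc(v) for v in fields))

if __name__ == "__main__":
    pkcs8 = pkcs1_to_pkcs8(toy_pkcs1())
    print("PKCS#8 DER:", pkcs8.hex())
    assert pkcs8_to_pkcs1(pkcs8) == toy_pkcs1()
```

For a PKCS#1 key whose base64 body starts with `MIIEog`, as in the sample above, the same wrapper produces a PKCS#8 encoding whose base64 starts with `MIIEvAIBADANBgkq`.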