Converting a Traditional PEM-Encoded Encrypted Private Key to PKCS#8 Format

This article discusses how to convert an existing traditional PEM-encoded encrypted private key into the compatible PKCS#8 format for use with Secure Server - FIPS. (To convert an existing PEM-encoded PKCS#8 format encrypted private key, refer to Converting a PEM-Encoded PKCS#8 Format Encrypted Private Key to PKCS#8 Format.)

General Information

Each of the above combinations uses RSA key exchange; therefore, RSA-based keys/certificates must be used.

-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED

Procedure

These instructions assume you have downloaded and installed the Windows binary distribution of OpenSSL. Refer to Using OpenSSL for the general instructions.

The private key you want to convert must already be an RSA private key and be between 1024 and 4096 bits in length, inclusive. It is only possible to convert the storage format for the private key. Changing the type of key and its length is not possible and requires generation of a new private key.

  1. Convert the existing traditional PEM-encoded encrypted private key to an unencrypted PEM format.

    >C:\Openssl\bin\openssl.exe rsa -in <Traditional PEM Key Filename> -out <Unencrypted Key Filename>

    Where:

    For example, type:

    >C:\Openssl\bin\openssl.exe rsa -in my_key.key -out my_unencrypted_key.pem

  2. Convert the unencrypted key to a compatible PKCS#8 format.

    >C:\Openssl\bin\openssl.exe pkcs8 -v1 PBE-SHA1-3DES -topk8 -in <Unencrypted Key Filename> -out <Encrypted Key Filename>

    Where:

    For example, type:

    >C:\Openssl\bin\openssl.exe pkcs8 -v1 PBE-SHA1-3DES -topk8 -in my_unencrypted_key.pem -out my_encrypted_key.key

  3. Delete the unencrypted private key.
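To confirm which storage format a key file is in before and after the procedure, the following added example (not part of the original article or of OpenSSL) classifies a PEM file by its header lines and, for PKCS#8, by the PBE algorithm OID in its DER body. The names `classify_key`, `read_tlv`, `SAMPLE_TRADITIONAL` and the returned labels are hypothetical; the sample key is constructed and not usable.

```python
import base64
import re

# DER bytes of OID 1.2.840.113549.1.12.1.3, the scheme OpenSSL calls PBE-SHA1-3DES.
PBE_SHA1_3DES_OID = bytes.fromhex("2a864886f70d010c0103")

# Constructed sample: real header lines, placeholder body (not a usable key).
SAMPLE_TRADITIONAL = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,0123456789ABCDEF

Y29uc3RydWN0ZWQgc2FtcGxl
-----END RSA PRIVATE KEY-----
"""

def read_tlv(buf, pos):
    """Read one DER TLV header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def classify_key(pem_text):
    """Label how the private key in pem_text is stored."""
    m = re.search(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", pem_text, re.S)
    if not m:
        return "not-pem"
    label, body = m.groups()
    if label == "RSA PRIVATE KEY":
        encrypted = "Proc-Type: 4,ENCRYPTED" in body
        return "traditional-encrypted" if encrypted else "traditional-unencrypted"
    if label != "ENCRYPTED PRIVATE KEY":
        return "pkcs8-unencrypted" if label == "PRIVATE KEY" else "other"
    try:
        der = base64.b64decode("".join(body.split()))
        t1, p1, _ = read_tlv(der, 0)      # EncryptedPrivateKeyInfo SEQUENCE
        t2, p2, _ = read_tlv(der, p1)     # AlgorithmIdentifier SEQUENCE
        t3, p3, end = read_tlv(der, p2)   # algorithm OID
    except (ValueError, IndexError):
        return "pkcs8-encrypted-malformed"
    if (t1, t2, t3) != (0x30, 0x30, 0x06):
        return "pkcs8-encrypted-malformed"
    if der[p3:end] == PBE_SHA1_3DES_OID:
        return "pkcs8-encrypted-pbe-sha1-3des"
    return "pkcs8-encrypted-other-pbe"

print(classify_key(SAMPLE_TRADITIONAL))  # traditional-encrypted
```

A file that reports `traditional-unencrypted` is the intermediate output of the first conversion, which is the file the final step says to delete.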