OpenSSL PEM formatted keys cheat sheet for Windows Users:
----------------------------------------------------------

Public Key (SubjectPublicKeyInfo):
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEB .....

Private Key (Traditional SSLeay RSAPrivateKey format) Encrypted:
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,24A667C253F8A1B9

mKz .....

Private Key (Traditional SSLeay RSAPrivateKey format) UNEncrypted:
-----BEGIN RSA PRIVATE KEY-----
MIICXQIBAAKBgQCcHVm .....

PKCS #8 EncryptedPrivateKeyInfo Encrypted Format:
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICojAcBgoqhkiG9w0BD .....

PKCS #8 PrivateKeyInfo UNEncrypted Format:
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0B ......

NOTES For Win32 Users:
---------------------

(1) OpenSSL on Win32 generates PEM format files with a single LF (0x0A)
    line separator. For "pretty-print" display in Windows, drag the PEM file
    into an IE/Netscape browser.

(2) The "traditional" SSLeay format encrypted private key carries its
    algorithm information at the PEM header level, and thus can NOT be
    represented in DER format.

(3) OpenSSL generated unencrypted PKCS #8 PrivateKeyInfo DER blobs are
    directly compatible/readable with Java 2 v1.4.2+, e.g.:

    (a) generate an RSA 2048 bit keypair; write as traditional encrypted
        PEM format:

        openssl genrsa -des3 -out privkey.pem 2048

    (b) convert to unencrypted PKCS #8 PrivateKeyInfo DER format:

        openssl pkcs8 -in privkey.pem -topk8 -nocrypt -outform DER -out privkeyinfo

(4) OpenSSL generated encrypted PKCS #8 EncryptedPrivateKeyInfo blobs should
    be readable by the Java 2 EncryptedPrivateKeyInfo class. However, this
    class has implementation bugs and does NOT recognize the encryption
    algorithm parameter!
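Added example (not part of the original cheat sheet): a small Python classifier that applies the header table and notes (1) and (2) above to a file's contents, reporting each PEM block's format, whether it is encrypted, and whether it has a DER equivalent. The function name classify_pem, the result field names, and the sample input (truncated key bodies, mixed CRLF/LF) are constructed for illustration.

```python
import re

# PEM label -> (format name, encrypted?) as listed in the cheat sheet.
# None = decided by the Proc-Type header (traditional SSLeay format).
FORMATS = {
    "PUBLIC KEY": ("SubjectPublicKeyInfo", False),
    "RSA PRIVATE KEY": ("traditional SSLeay RSAPrivateKey", None),
    "ENCRYPTED PRIVATE KEY": ("PKCS #8 EncryptedPrivateKeyInfo", True),
    "PRIVATE KEY": ("PKCS #8 PrivateKeyInfo", False),
}
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def classify_pem(text):
    """Return one dict per PEM block in text; accepts LF or CRLF line ends."""
    results = []
    for label, body in PEM_RE.findall(text):
        name, encrypted = FORMATS.get(label, ("unknown", None))
        # "Name: value" header lines precede the base64 in the traditional format.
        headers = dict(re.findall(r"^([\w-]+): *(.*?)\r?$", body, re.M))
        if encrypted is None:
            encrypted = headers.get("Proc-Type", "").endswith("ENCRYPTED")
        results.append({
            "format": name,
            "encrypted": encrypted,
            "cipher": headers.get("DEK-Info", "").split(",")[0] or None,
            # Note (2): PEM-level headers cannot be carried into DER.
            "der_representable": "Proc-Type" not in headers,
            # Flag private key material stored without a passphrase.
            "exposed_private_key": "PRIVATE KEY" in label and not encrypted,
        })
    return results

# Constructed sample: truncated (unusable) key bodies taken from the cheat sheet.
SAMPLE = (
    "-----BEGIN RSA PRIVATE KEY-----\r\n"
    "Proc-Type: 4,ENCRYPTED\r\n"
    "DEK-Info: DES-EDE3-CBC,24A667C253F8A1B9\r\n"
    "\r\n"
    "mKz\r\n"
    "-----END RSA PRIVATE KEY-----\r\n"
    "-----BEGIN PRIVATE KEY-----\n"
    "MIICdgIBADANBgkqhkiG9w0B\n"
    "-----END PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for entry in classify_pem(SAMPLE):
        print(entry)
```
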

Sample Partial ASN.1 Dump of unencrypted PKCS #8 PrivateKeyInfo for 2048 bit RSA key:
(order is: Modulus, Public Exponent, Private Exponent, P, Q, Exp P, Exp Q, Crt Coeff)
-------------------------------------------------------------------------------------

   0 30 1214: SEQUENCE {
   4 02    1:   INTEGER 0
   7 30   13:   SEQUENCE {
   9 06    9:     OBJECT IDENTIFIER rsaEncryption (1 2 840 113549 1 1 1)
  20 05    0:     NULL
            :     }
  22 04 1192:   OCTET STRING, encapsulates {
  26 30 1188:       SEQUENCE {
  30 02    1:         INTEGER 0
  33 02  257:         INTEGER
            :           00 C9 28 90 41 23 83 63 A0 86 34 FE AA 56 71 96
            :           ............
 294 02    3:         INTEGER 65537
 299 02  257:         INTEGER
            :           00 BB 0E C4 6E 3E 66 FC EB 16 42 0B 9B 3C BD 6E
            :           ............
 560 02  129:         INTEGER
            :           00 EC B7 A9 46 7B EC DA 97 7C 36 C1 63 A0 87 22
            :           ............
 692 02  129:         INTEGER
            :           00 D9 8B 61 61 36 93 E1 EA EE D0 09 2D 05 1D 8B
            :           ............
 824 02  128:         INTEGER
            :           03 36 F3 4B 8B BF 49 B0 A8 F5 2D 67 26 F4 EE D9
            :           ............
 955 02  128:         INTEGER
            :           06 DC 79 86 CA 64 E1 A4 3A 41 FF 78 17 08 36 85
            :           ............
1086 02  129:         INTEGER
            :           00 90 DF 77 92 4B B9 A1 69 30 23 F6 7B E9 CD 73
            :           ............
            :         }
            :       }
            :   }

---------------------------------------------------------------------------

Useful References:
------------------

http://java.sun.com/j2se/1.5.0/docs/api/java/security/Key.html
http://www.openssl.org/docs/apps/pkcs8.html