https://blog.ndpar.com/2017/04/17/p1-p8/
RFC8017 (PKCS #1 v.2.2) Defines the traditional format for RSA keys. Two structures:
-----BEGIN RSA PRIVATE KEY----- RSAPrivateKey -----END RSA PRIVATE KEY-----
and
-----BEGIN RSA PUBLIC KEY----- RSAPublicKey -----END RSA PUBLIC KEY-----
Commands
Generate RSA private key
openssl genrsa -out private.pem 2048 Extract public key from RSA private key
openssl rsa -in private.pem -out public.pem -RSAPublicKey_out RFC5958 (former PKCS #8, aka .p8) Defines the format for any private key. Two structures:
-----BEGIN PRIVATE KEY----- PrivateKeyInfo ::= OneAsymmetricKey -----END PRIVATE KEY-----
and
-----BEGIN ENCRYPTED PRIVATE KEY----- EncryptedPrivateKeyInfo -----END ENCRYPTED PRIVATE KEY-----
The corresponding PEM formats are described in RFC7468 Section 10 and Section 11.
Commands
Convert PKCS #1 PKCS #8
openssl pkcs8 -in private-pkcs1.pem -topk8 -out private-pkcs8.pem -nocrypt openssl pkcs8 -in private-pkcs1.pem -topk8 -out private-pkcs8-enc.pem Convert PKCS #8 PKCS #1
openssl rsa -in private-pkcs8.pem -out private-pkcs1.pem RFC5280 (PKI X.509) Among other things, defines the format for any public key
-----BEGIN PUBLIC KEY----- SubjectPublicKeyInfo -----END PUBLIC KEY-----
The PEM format is described in RFC7468.
Commands
Convert RSA public key between X.509 and PKCS #1 formats
openssl rsa -pubin -in public.pem -RSAPublicKey_out openssl rsa -RSAPublicKey_in -in pkcs1-public.pem -pubout Extract public key from RSA private key
openssl rsa -in private.pem -out public.pem -pubout Extract public key from X.509 CSR
openssl req -in cert.csr -pubkey -noout Extract public key from X.509 certificate
openssl x509 -in cert.crt -inform pem -pubkey -noout openssl x509 -in cert.cer -inform der -pubkey -noout Convert X.509 certificate between DER and PEM formats
openssl x509 -in cert.cer -inform der -out cert.crt -outform pem openssl x509 -in cert.crt -inform pem -out cert.cer -outform der