When converting a password-protected PEM/PKCS1-encoded private key to DER format, one is not able to encrypt the key; OpenSSL automagically asks for the password and writes the plain-text key in the output file.
However, I understand that PKCS8-encoding does support encryption when converted to DER format. My problem is that I can't make OpenSSL write an encrypted file. I have tried:
openssl pkey -inform PEM -in key_pkcs8_encrypted.pem -outform DER -out key_pkcs8_encrypted.der
...but OpenSSL asks for the password and writes a decrypted file (verified by diffing it with the DER version of the decrypted PEM key).
I have also tried:
openssl rsa -des3 -in key_pkcs8_unencrypted.pem -outform DER -out key_pkcs8_encrypted.der
...in the hope that OpenSSL would ask for a password and encrypt the output file, as it does in the -outform PEM case, but it does not; it just writes an unencrypted file.
And finally I have tried:
openssl rsa -des3 -in key_pkcs8_unencrypted.pem -passout pass:mypassword -outform DER -out key_pkcs8_encrypted.der
...but that also writes an unencrypted file.
Am I correct that PEM/PKCS8 when converted to DER does support encryption and, if so, does anyone know how I might persuade OpenSSL to do it for me?
Edit: I am aware of this post but it doesn't address the part about how OpenSSL can be asked to generate a password-protected DER file.
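
For the question above, an added example that is not part of the original post: `openssl pkcs8 -topk8` writes a PKCS#8 EncryptedPrivateKeyInfo structure and honours `-outform DER`. The function names, file locations and passphrases are constructed for the demo, and passphrases are passed with `env:` instead of `pass:` so they stay off the command line.

```shell
#!/bin/sh
# Added example; file names and passphrases are constructed for the demo.

# Write the PEM private key $1 to $2 as encrypted PKCS#8 DER (PBES2, AES-256-CBC).
# IN_PASS:  passphrase of the input key (ignored when the input is unencrypted)
# OUT_PASS: passphrase that protects the DER output (required)
pem_to_encrypted_der() {
    IN_PASS="${IN_PASS:-}" OUT_PASS="${OUT_PASS:?set OUT_PASS first}" \
    openssl pkcs8 -topk8 -inform PEM -in "$1" -passin env:IN_PASS \
        -outform DER -out "$2" -v2 aes-256-cbc -passout env:OUT_PASS
}

# True if the DER file $1 is a PBES2-encrypted PKCS#8 structure.
is_encrypted_pkcs8_der() {
    openssl asn1parse -inform DER -in "$1" 2>/dev/null | grep -q 'PBES2'
}

# True if the encrypted DER file $1 decrypts with passphrase $2.
der_decrypts_with() {
    CHECK_PASS="$2" openssl pkcs8 -inform DER -in "$1" \
        -passin env:CHECK_PASS -out /dev/null 2>/dev/null
}

# Demo on a freshly generated throwaway key.
work=$(mktemp -d)
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$work/key_pkcs8_unencrypted.pem" 2>/dev/null
OUT_PASS='constructed-demo-passphrase'
pem_to_encrypted_der "$work/key_pkcs8_unencrypted.pem" "$work/key_pkcs8_encrypted.der"

if is_encrypted_pkcs8_der "$work/key_pkcs8_encrypted.der" &&
   der_decrypts_with "$work/key_pkcs8_encrypted.der" "$OUT_PASS"; then
    echo "DER output is encrypted and opens with the passphrase"
fi
```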