
Assuming a private_key.pem and the associated certificate client_cert.pem signed by a CA (the CSR was signed with private_key.pem).

Next, I create the pfx container with:

# create the pfx from private_key.pem and client_cert.pem
openssl pkcs12 -export -in client_cert.pem -inkey private_key.pem -certfile client_cert.pem -out client_cert.pfx

# extract from the pfx the private_key that was used.
openssl pkcs12 -in client_cert.pfx -nocerts -out private_key_extracted.pem -passin pass: -nodes

Comparing the two keys, I see that they differ. The base64 part differs, as well as the headers:

private_key.pem -> -----BEGIN RSA PRIVATE KEY-----

private_key_extracted.pem -> -----BEGIN PRIVATE KEY-----

Any tips on why this is the case? Are these the same private keys?

thanosam
    `BEGIN RSA PRIVATE KEY` signifies PKCS#1 format, whereas `BEGIN PRIVATE KEY` signifies PKCS#8 format. You can convert private_key_extracted.pem to PKCS#1 format by doing: `openssl rsa -in private_key_extracted.pem -out private_key_extracted-pkcs1.pem`. If you do that, does private_key_extracted-pkcs1.pem match the original private_key.pem? – mti2935 Sep 24 '21 at 15:43
  • @mti2935 Yes, that was it, now they are identical. Thank you. – thanosam Sep 24 '21 at 19:19
  • @mti2935: Comments can be deleted. Put your comment to an answer. It can be helpful to many users. – mentallurg Sep 24 '21 at 22:11
  • Alternatively you can convert legacy/PKCS1 to PKCS8-clear with `openssl pkcs8 -topk8 -nocrypt` or more simply `openssl pkey`, and see that _those_ are the same. Note both legacy PEM and PKCS8 files can be password-encrypted, which uses salt (as it should, although the legacy encryption uses a bad PBKDF, namely Eric's EVP_BytesToKey with MD5 and _one_ iteration), so the same key _and_ format (i.e. content) encrypted twice with the same password will give different ciphertext in the PEM body, although your input apparently wasn't and your output isn't due to `pkcs12 (import) -nodes`. – dave_thompson_085 Sep 25 '21 at 00:03
  • @mentallurg Thanks for the suggestion. DONE. – mti2935 Sep 25 '21 at 02:54

1 Answer


BEGIN RSA PRIVATE KEY signifies PKCS#1 format, whereas BEGIN PRIVATE KEY signifies PKCS#8 format. You can convert private_key_extracted.pem to PKCS#1 format by doing:

openssl rsa -in private_key_extracted.pem -out private_key_extracted-pkcs1.pem

If you do that, private_key_extracted-pkcs1.pem should match the original private_key.pem (as confirmed in the comments following the question).

mti2935
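Added example (not part of the question or the answer above, and not OpenSSL's code): a stdlib-only Python script that makes the structural difference concrete. A "RSA PRIVATE KEY" body is a bare PKCS#1 RSAPrivateKey SEQUENCE of nine INTEGERs; a "PRIVATE KEY" body is a PKCS#8 PrivateKeyInfo SEQUENCE that carries that exact RSAPrivateKey DER inside an OCTET STRING, next to the rsaEncryption OID. The conversion functions do, for unencrypted keys, what `openssl rsa` and `openssl pkey` do on the command line, and `same_key()` compares the key material regardless of which container it arrived in. The RSA key is a constructed toy key (p=61, q=53), not a real one; all function names are this example's own.

```python
"""Added example: PKCS#1 <-> PKCS#8 PEM containers for an RSA private key.

Pure stdlib. The key below is a constructed toy key, not a real one.
"""
import base64
import re

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1

# --- minimal DER encode/decode -------------------------------------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def der_int(v):
    # one extra bit of room so the sign bit is always clear (positive INTEGER)
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_read(buf, pos=0):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

def der_children(body):
    out, pos = [], 0
    while pos < len(body):
        tag, child, pos = der_read(body, pos)
        out.append((tag, child))
    return out

# --- the two containers ---------------------------------------------------
def rsa_private_key_der(n, e, d, p, q):
    """PKCS#1 RSAPrivateKey (RFC 8017): version, n, e, d, p, q, dP, dQ, qInv."""
    fields = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return der_tlv(0x30, b"".join(der_int(f) for f in fields))

def pkcs1_der_to_pkcs8_der(rsa_der):
    """Wrap RSAPrivateKey in PrivateKeyInfo: version 0, AlgorithmIdentifier, OCTET STRING."""
    alg = der_tlv(0x30, der_tlv(0x06, RSA_ENCRYPTION_OID) + b"\x05\x00")
    return der_tlv(0x30, der_int(0) + alg + der_tlv(0x04, rsa_der))

def pkcs8_der_to_pkcs1_der(p8_der):
    """Unwrap PrivateKeyInfo; the OCTET STRING body is the PKCS#1 DER unchanged."""
    tag, body, _ = der_read(p8_der)
    if tag != 0x30:
        raise ValueError("PKCS#8 key must start with a SEQUENCE")
    _version, alg, priv = der_children(body)[:3]
    if der_children(alg[1])[0] != (0x06, RSA_ENCRYPTION_OID):
        raise ValueError("not an rsaEncryption PKCS#8 key")
    if priv[0] != 0x04:
        raise ValueError("privateKey field must be an OCTET STRING")
    return priv[1]

# --- PEM layer --------------------------------------------------------------
def pem_encode(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

def pem_decode(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    return m.group(1), base64.b64decode("".join(m.group(2).split()))

def to_pkcs1(pem):
    """Like `openssl rsa -in key.pem` for an unencrypted key."""
    label, der = pem_decode(pem)
    if label == "RSA PRIVATE KEY":
        return pem
    if label == "PRIVATE KEY":
        return pem_encode("RSA PRIVATE KEY", pkcs8_der_to_pkcs1_der(der))
    raise ValueError(f"unsupported PEM label {label!r} (encrypted keys not handled)")

def to_pkcs8(pem):
    """Like `openssl pkey -in key.pem` for an unencrypted key."""
    label, der = pem_decode(pem)
    if label == "PRIVATE KEY":
        return pem
    if label == "RSA PRIVATE KEY":
        return pem_encode("PRIVATE KEY", pkcs1_der_to_pkcs8_der(der))
    raise ValueError(f"unsupported PEM label {label!r} (encrypted keys not handled)")

def rsa_params(pem):
    """Parse either container down to the nine RSAPrivateKey integers."""
    _, rsa_der = pem_decode(to_pkcs1(pem))
    _, body, _ = der_read(rsa_der)
    return [int.from_bytes(b, "big") for _t, b in der_children(body)]

def same_key(pem_a, pem_b):
    """True if both PEM files hold the same key material, whatever the container."""
    return rsa_params(pem_a) == rsa_params(pem_b)

# Constructed toy key: p=61, q=53, n=3233, e=17, d=2753 (17*2753 = 1 mod 3120).
TOY_PKCS1_PEM = pem_encode("RSA PRIVATE KEY", rsa_private_key_der(3233, 17, 2753, 61, 53))

if __name__ == "__main__":
    p8 = to_pkcs8(TOY_PKCS1_PEM)
    print(TOY_PKCS1_PEM)   # -----BEGIN RSA PRIVATE KEY----- (PKCS#1)
    print(p8)              # -----BEGIN PRIVATE KEY----- (PKCS#8), different base64
    print("same key:", same_key(TOY_PKCS1_PEM, p8))
    print("round trip identical:", to_pkcs1(p8) == TOY_PKCS1_PEM)
```

The PKCS#8 base64 differs from the PKCS#1 base64 because of the extra version INTEGER, AlgorithmIdentifier and OCTET STRING header in front of the same bytes; the PKCS#1 DER is a literal substring of the PKCS#8 DER. Note that `to_pkcs1()` and `to_pkcs8()` refuse encrypted PEM labels on purpose: as dave_thompson_085 points out in the comments, an encrypted body is salted, so two encryptions of the same key will not compare equal byte for byte, and `same_key()` should only ever be run on the decrypted forms.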