Key formats memo

According to Wikipedia, PKCS (Public Key Cryptography Standards) is a group of standards that describe, among other things, how to store private keys and other public-key cryptography objects. The standards relevant to EasyRSA and this role are listed below. The list does not try to cover the full capabilities of each standard; it is only a quick reference for a PKI user.

key header below means the -----BEGIN ...----- line (the PEM label) you see when you open the file in a text editor. It is the quickest way to tell the formats apart, but it is only a label: the standard is what the base64 body between the BEGIN and END lines is encoded as.

Private key storage

Two standards are used to store private keys:

  • PKCS#1:
    • The plain old RSA syntax (RSAPrivateKey): just the RSA integers, with no algorithm identifier, so this format can only ever hold RSA keys.
    • key header:
      • unencrypted: BEGIN RSA PRIVATE KEY
      • encrypted: BEGIN RSA PRIVATE KEY, followed by Proc-Type: 4,ENCRYPTED and DEK-Info: text lines before the base64 data (the cipher and IV are in those lines, not in the DER)
    • easyrsa commands:
      • easyrsa build-ca
      • easyrsa export-p1
    • openssl commands:
      • produce: openssl genrsa (OpenSSL 1.x; OpenSSL 3.x writes PKCS#8 by default, use openssl genrsa -traditional or openssl rsa -traditional to get PKCS#1)
      • read: openssl rsa -in file -text -noout
  • PKCS#8:
    • A private key format that also records the key type (an AlgorithmIdentifier) in the key data, so it can hold RSA, EC, Ed25519 and other keys. For RSA the PKCS#8 file contains: key-type(RSA) + the unchanged PKCS#1 RSAPrivateKey, wrapped in an OCTET STRING.
    • key header:
      • unencrypted: BEGIN PRIVATE KEY
      • encrypted: BEGIN ENCRYPTED PRIVATE KEY (the encryption parameters live inside the DER structure, so there are no Proc-Type/DEK-Info text lines)
    • easyrsa commands:
      • easyrsa gen-req
      • easyrsa export-p8
    • openssl commands:
      • produce: openssl pkcs8 -topk8 -in pkcs1.key (add -nocrypt for an unencrypted file); OpenSSL 3.x genrsa writes PKCS#8 directly
      • read: openssl pkey -in file -text -noout (openssl rsa also accepts PKCS#8 RSA keys)
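To make the PKCS#1/PKCS#8 relationship and the header labels concrete, here is a short Python example added to this memo; it is not EasyRSA, OpenSSL or project code. It builds an RSAPrivateKey from constructed toy numbers (the textbook p=61, q=53 example, not a usable key), wraps it in a PKCS#8 PrivateKeyInfo, writes both as PEM, and then identifies each file first from its header label and then from its DER structure, confirming that the PKCS#8 OCTET STRING carries the PKCS#1 bytes unchanged. The DER helpers, the PEM_LABELS table and the identify_pem function are the example's own.

```python
"""Build a PKCS#1 RSAPrivateKey, wrap it as PKCS#8, and inspect both.
Added example for this memo, not EasyRSA or OpenSSL code. The RSA numbers
are CONSTRUCTED toy values (not a usable key); only the container syntax
and the PEM labels are demonstrated, and those do not depend on key size."""
import base64

# DER contents of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")

# PEM labels as OpenSSL writes them, mapped to the standard each denotes
PEM_LABELS = {
    "RSA PRIVATE KEY": "PKCS#1",
    "PRIVATE KEY": "PKCS#8 (unencrypted)",
    "ENCRYPTED PRIVATE KEY": "PKCS#8 (encrypted)",
    "CERTIFICATE": "X.509",
    "CERTIFICATE REQUEST": "PKCS#10 CSR",
    "PKCS7": "PKCS#7",
}


def der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV with definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def der_int(v: int) -> bytes:
    """DER INTEGER for a non-negative value (extra 0x00 keeps it positive)."""
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def pkcs1_rsa_private_key(n, e, d, p, q) -> bytes:
    """RFC 8017 RSAPrivateKey, version 0 (two-prime); CRT values derived."""
    fields = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return der(0x30, b"".join(der_int(f) for f in fields))


def pkcs8_private_key_info(pkcs1: bytes) -> bytes:
    """RFC 5208 PrivateKeyInfo: version, AlgorithmIdentifier naming RSA, then
    the PKCS#1 blob carried unchanged inside an OCTET STRING. This is the
    'key-type(RSA) + PKCS#1' layering the memo describes."""
    alg_id = der(0x30, der(0x06, RSA_ENCRYPTION_OID) + der(0x05, b""))
    return der(0x30, der_int(0) + alg_id + der(0x04, pkcs1))


def to_pem(label: str, blob: bytes) -> str:
    """Base64 in 64-column rows between BEGIN/END lines carrying the label."""
    b64 = base64.b64encode(blob).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *rows, f"-----END {label}-----"]) + "\n"


def read_tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: following bytes hold the length
        width = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + width], "big"), pos + width
    return tag, buf[pos:pos + length], pos + length


def identify_pem(pem: str) -> dict:
    """Name the standard from the PEM label, then, for the two unencrypted
    private-key formats, confirm it from the DER structure."""
    lines = pem.strip().splitlines()
    label = lines[0][len("-----BEGIN "):-len("-----")]
    info = {"label": label, "format": PEM_LABELS.get(label, "unknown")}
    # Encrypted PKCS#1 keeps the same label and signals encryption with
    # RFC 1421 'Proc-Type: 4,ENCRYPTED' / 'DEK-Info:' lines before the base64.
    if label == "RSA PRIVATE KEY" and any(ln.startswith("Proc-Type:") for ln in lines):
        info["format"] = "PKCS#1 (encrypted)"
        return info
    if label not in ("RSA PRIVATE KEY", "PRIVATE KEY"):
        return info
    _, seq, _ = read_tlv(base64.b64decode("".join(lines[1:-1])))
    _, version, pos = read_tlv(seq)
    info["version"] = int.from_bytes(version, "big")
    if label == "PRIVATE KEY":
        _, alg_id, pos = read_tlv(seq, pos)
        _, oid, _ = read_tlv(alg_id)
        _, inner, _ = read_tlv(seq, pos)    # the OCTET STRING payload
        info["algorithm"] = "rsaEncryption" if oid == RSA_ENCRYPTION_OID else oid.hex()
        info["inner"] = inner               # an unchanged PKCS#1 RSAPrivateKey
    return info


# CONSTRUCTED toy parameters (the textbook p=61, q=53 example); NOT a real key.
P, Q, E = 61, 53, 17
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))
PKCS1_DER = pkcs1_rsa_private_key(N, E, D, P, Q)
PKCS8_DER = pkcs8_private_key_info(PKCS1_DER)
PKCS1_PEM = to_pem("RSA PRIVATE KEY", PKCS1_DER)  # as OpenSSL 1.x genrsa / 3.x genrsa -traditional write it
PKCS8_PEM = to_pem("PRIVATE KEY", PKCS8_DER)      # as openssl pkcs8 -topk8 -nocrypt writes it

if __name__ == "__main__":
    print(PKCS1_PEM)
    print(PKCS8_PEM)
    print(identify_pem(PKCS1_PEM))
    print({k: v for k, v in identify_pem(PKCS8_PEM).items() if k != "inner"})
```

identify_pem works the same way on real files produced by openssl genrsa or openssl pkcs8, since only the header label and the outer DER layers are inspected. Encrypted PKCS#8 (BEGIN ENCRYPTED PRIVATE KEY) is recognised by label only: its DER is a PBES2 wrapper whose payload cannot be parsed without the password, which is exactly why it needs no text header lines, unlike encrypted PKCS#1.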

Certificate storage

  • X.509:
    • The classic certificate format: a signed binding of a public key to a subject name, with validity dates and extensions.
    • key header: BEGIN CERTIFICATE
    • easyrsa commands:
      • easyrsa build-ca
      • easyrsa gen-req (this produces a certificate request, header BEGIN CERTIFICATE REQUEST; the certificate itself is produced by easyrsa sign-req)
    • openssl commands:
      • produce: openssl req -x509 (self-signed) or openssl x509 -req -CA cacert -CAkey cakey (signed by a CA)
      • read: openssl x509 -in file -text -noout
  • PKCS#7:
    • A format to bundle signed or encrypted data, usually together with the signer's certificate so the recipient can verify authenticity. Omitting the data leaves just the certificates, which makes PKCS#7 a way to distribute one or more certificates (for example a chain), but never private keys.
    • key header: BEGIN PKCS7
    • easyrsa commands: easyrsa export-p7
    • openssl commands:
      • produce: openssl crl2pkcs7 -nocrl -certfile cert.pem
      • read: openssl pkcs7 -in file -print_certs

Private key and Certificate Bundles

  • PKCS#12:
    • Bundles private keys with their corresponding certificates (and usually the CA chain) in one file that is always password-protected, even if the password is empty. Because it carries the private key, treat the file itself as a secret. Files written by OpenSSL 1.x use legacy RC2/3DES encryption with SHA-1; OpenSSL 3.x defaults to AES-256-CBC with PBKDF2 and offers -legacy for old consumers.
    • key header: none; PKCS#12 is a binary DER file (commonly .p12 or .pfx) with no PEM text
    • easyrsa commands: easyrsa export-p12
    • openssl commands:
      • produce: openssl pkcs12 -export -inkey key.pem -in cert.pem -certfile ca.pem -out bundle.p12
      • read: openssl pkcs12 -info -in file (add -nokeys to list the certificates without printing the private key)