Menu

Search

GlobalSCAPE Knowledge Base


Converting a Traditional PEM Encoded Encrypted Private Key to PKCS#8 Format


GlobalSCAPE 5
EFT Express (SMB) & Enterprise

THE INFORMATION IN THIS ARTICLE APPLIES TO:

  • EFT Server
  • EFT Server Enterprise
  • Secure FTP Server

DISCUSSION

This article discusses how to convert an existing traditional PEM-encoded encrypted private key into the compatible PKCS#8 format for use with EFT Server. (To convert an existing PEM-encoded PKCS#8 format encrypted private key, refer to Converting a PEM-Encoded PKCS#8 Format Encrypted Private Key to PKCS#8 Format.)

General Information

  • When operating in a FIPS-approved mode, PKI key/certificates must be between 1024- bits and 4096-bits, inclusive.
  • The supported cipher combinations allowed for SSL negotiation are limited to:
    • SSLv3/TLSv1 - RSA Key Exchange, RSA Authentication, 256 bit AES encryption, and SHA1 HMAC
    • SSLv3/TLSv1 - RSA Key Exchange, RSA Authentication, 168 bit 3DES encryption, and SHA1 HMAC
    • SSLv3/TLSv1 - RSA Key Exchange, RSA Authentication, 128 bit AES encryption, and SHA1 HMAC

Each of the above combinations uses RSA key exchange; therefore, RSA based key/certificates must be used.

  • In FIPS Mode, the private key must use the PKCS#8 format and PKCS#12 compatible encryption of the private key, which allows the use of the necessary strong encryption algorithm of 3DES encryption and SHA1 hashing.
  • Note that traditional PEM encoded encrypted private key files will typically start with the line:

-----BEGIN RSA PRIVATE KEY-----

Proc-Type: 4,ENCRYPTED

Procedure

These instructions assume you have downloaded and installed the Windows binary distribution of OpenSSL. Refer to Using OpenSSL for the general instructions

The private key you want to convert must already be an RSA private key and be between 1024 and 4096 bits in length, inclusive. It is only possible to convert the storage format for the private key. Changing the type of key and its length is not possible and requires generation of a new private key.

  1. Convert the existing traditional PEM encoded encrypted private key to an unencrypted PEM format.

     

    C:\Openssl\bin\openssl.exe rsa -in <Traditional PEM Key Filename> -out <Unencrypted Key Filename>

    Where:

    • <Traditional PEM Key Filename> is the input filename of the incompatible traditional format PEM encoded private key.
    • <Unencrypted Key Filename> is the output filename of the unencrypted private key in PEM format

    For example, type:

    >C:\Openssl\bin\openssl.exe rsa -in my_key.key -out my_unencrypted_key.pem

  2. Convert the unencrypted key to a compatible pkcs8 format.
  3. >C:\Openssl\bin\openssl.exe pkcs8 -v1 PBE-SHA1-3DES -topk8 -in <Unencrypted Key Filename> -out <Encrypted Key Filename>

    Where:

    • <Unencrypted Key Filename> is the input filename of the previously generated unencrypted private key.
    • <Encrypted Key Filename> is the output filename of the encrypted private key

    For example, type:

    >C:\Openssl\bin\openssl.exe pkcs8 -v1 PBE-SHA1-3DES -topk8 -in my_unencrypted_key.pem -out my_encrypted_key.key

  4. Delete the unencrypted private key.

Also In This Category


On a scale of 1-5, please rate the helpfulness of this article


Not Helpful
Very Helpful
Optionally provide private feedback to help us improve this article...

Thank you for your feedback!


Comments require login or registration.

Details
Last Modified: 7 Years Ago
Last Modified By: GlobalSCAPE 5
Type: HOWTO
Rated 2 stars based on 2 votes.
Article has been viewed 20K times.
Options
Find Similar