Openssl: The Start
What is PKCS#12 & PKCS#8?
PKCS#12 format preferred for exchanging certificates that have private keys.
PEM format certificates can be .pem, .crt,.cer, and .key They can be Server certs, intermediate certs, and private keys. Files starts and ends with BEGIN and END Statements
DER format is binary form of ASCII PEM format. Save as .cer to distinguish between a PEM format file, open it in Notepad. Used to tranport public keys, otherwise use PKCS12 as it is safer
PKCS#8 not a file type, but a syntax for private-key information.
PKCS#12, .p12 or .pfx Archive file format for storing many objects in a single binary data file. See PEM format certificates. You can put the private key together with a X.509 certificate and even the whole chain of trust. Password protects the private certificate that can be in the file, and therefore the best way to tranport private keys. The objects inside a PKCS#12 file are called SafeBags, which each can be signed and encrypted.
How to extract key and cert from a PKCS#12 file?
# Extract encrypted key
openssl pkcs12 -in [yourfile.pfx] -nocerts -out [thekey.pem]
# Decrypt the key
openssl rsa -in [thekey.pem] -out [decryptedkey.pem]
#Extract the cert
openssl pkcs12 -in [yourfile.pfx] -clcerts -nokeys -out [thecertficate.pem]
Syntax fixes
Converting the key to PKCS#8 syntax from traditional format Key differences between Traditional syntax
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
whereas PKSC#8 syntax is
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
To convert syntax to PKSC#8 use
openssl pkcs8 -in <private key file> -topk8 -nocrypt -out <new private key file>