Generating PKCS#8 private and public keys with OpenSSL

Build environment

openssl version
OpenSSL 1.1.1q 

Generate PKCS#1 private key

openssl genrsa -out private#1.pem

A PKCS#1 private key is generated by default:

-----BEGIN RSA PRIVATE KEY-----
(key content)
-----END RSA PRIVATE KEY-----

Generate PKCS#8 private key

openssl pkcs8 -topk8 -inform PEM -in private#1.pem -outform PEM -nocrypt -out private#8.pem

The command above converts the PKCS#1 private key generated earlier into a PKCS#8 private key:

-----BEGIN PRIVATE KEY-----
(key content)
-----END PRIVATE KEY-----

The visible difference between PKCS#8 and PKCS#1 is that the RSA label is removed from the BEGIN and END lines, and the encoded content also differs. To see the specific structural difference, you can paste the key into an online ASN.1 analysis tool (use a throwaway key for this, never a production private key). Decoding shows that the two structures are clearly different.

Generate PKCS#8 public key

openssl rsa -in private#1.pem -pubout -out public#8.pem

The content is as follows:

-----BEGIN PUBLIC KEY-----
(key content)
-----END PUBLIC KEY-----

Careful readers may notice that this public key was generated from the PKCS#1 private key. Is the result really a PKCS#8 public key? The output shows that it is (there is no RSA label in the header). Strictly speaking, the "BEGIN PUBLIC KEY" format is the X.509 SubjectPublicKeyInfo structure, since PKCS#8 itself only defines private-key formats; this article keeps calling it a PKCS#8 public key. Is it identical to the public key generated from the PKCS#8 private key? Yes, the results are identical. If you don't believe it, you can try it:

openssl rsa -in private#8.pem -pubout -out public#8_2.pem
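
The structural difference and the identical public keys described above can also be checked locally. The following Python sketch is an added example, not code from the original post: it builds the DER structures by hand for a constructed toy key (p=61, q=53, e=17, d=2753) and shows that the PKCS#8 private key is the PKCS#1 key wrapped together with an algorithm identifier. All function names are this example's own.

```python
# DER encoding of OID 1.2.840.113549.1.1.1 (rsaEncryption)
RSA_OID = bytes.fromhex("06092a864886f70d010101")

def tlv(tag, body):  # encode one DER tag-length-value element
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def der_int(v):  # non-negative INTEGER; the spare leading bit keeps the sign clear
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def seq(*parts):
    return tlv(0x30, b"".join(parts))

ALG_RSA = seq(RSA_OID, tlv(0x05, b""))  # AlgorithmIdentifier: OID + NULL

def pkcs1_private(p, q, e, d):  # RSAPrivateKey: version, n, e, d, p, q, dP, dQ, qInv
    vals = (0, p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))
    return seq(*map(der_int, vals))

def pkcs1_public(n, e):  # RSAPublicKey: n, e ("BEGIN RSA PUBLIC KEY")
    return seq(der_int(n), der_int(e))

def to_pkcs8(pkcs1_der):  # PrivateKeyInfo: version, algorithm, OCTET STRING(PKCS#1)
    return seq(der_int(0), ALG_RSA, tlv(0x04, pkcs1_der))

def to_spki(pkcs1_pub):  # SubjectPublicKeyInfo: algorithm, BIT STRING(RSAPublicKey)
    return seq(ALG_RSA, tlv(0x03, b"\x00" + pkcs1_pub))

def children(der):
    """Return (tag, value) pairs for the elements inside an outer SEQUENCE."""
    out, pos = [], 2 + (der[1] & 0x7F if der[1] & 0x80 else 0)
    while pos < len(der):
        k = der[pos + 1] & 0x7F if der[pos + 1] & 0x80 else 0
        n = int.from_bytes(der[pos + 2:pos + 2 + k], "big") if k else der[pos + 1]
        out.append((der[pos], der[pos + 2 + k:pos + 2 + k + n]))
        pos += 2 + k + n
    return out

def public_from_private(der):
    """Like `openssl rsa -pubout`: accept PKCS#1 or PKCS#8, emit the same public key."""
    fields = children(der)
    if fields[1][0] == 0x30:             # AlgorithmIdentifier present -> PKCS#8
        fields = children(fields[2][1])  # unwrap the inner PKCS#1 key
    n, e = (int.from_bytes(v, "big") for _, v in fields[1:3])
    return to_spki(pkcs1_public(n, e))

KEY1 = pkcs1_private(61, 53, 17, 2753)  # constructed toy key, far too small for real use
KEY8 = to_pkcs8(KEY1)
```

Calling public_from_private(KEY1) and public_from_private(KEY8) returns the same bytes, because the PKCS#8 file carries the unchanged PKCS#1 key inside its OCTET STRING.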

What if you want a PKCS#1 public key? That is possible too, of course.

Generate PKCS#1 public key from PKCS#8 public key

openssl rsa -pubin -in public#8.pem -RSAPublicKey_out -out public#1.pem

If the public key you have is in PKCS#1 format, can you generate a PKCS#8 public key from it? Of course.

Generate PKCS#8 public key from PKCS#1 public key

openssl rsa -in public#1.pem -pubout -RSAPublicKey_in -out public#8.pem

Summary

OpenSSL 1.1.1q (this should apply to all 1.1.x versions, but others were not tested) generates a PKCS#1 private key by default; if a PKCS#8 private key is needed, it has to be converted. The public key generated by default is a PKCS#8 public key; if a PKCS#1 public key is needed, it has to be converted.

Reposted from: blog.csdn.net/a7442358/article/details/127888512