Use PKCS #8 by default for private keys

Open maraino opened this issue 5 years ago • 4 comments

~~Add option to save a private key using PKCS #8~~

Description

Some frameworks do not support PKCS #1 or SEC1 EC formats for the private key and require the use of PKCS #8. See https://github.com/smallstep/autocert/issues/17#issuecomment-725966689

~~We should add the flag --pkcs8 or --format pkcs8 to at least the following commands:~~

  • ~~step ca certificate~~
  • ~~step ca sign~~
  • ~~step ca renew~~

Autocert should also support this option.

Currently we can transform a PKCS #1 or SEC1 EC key to PKCS #8 using:

```
step crypto key format --pkcs8 --pem --no-password --insecure --out site.pkcs8.pem site.pem
```

Update

We should default to storing private keys, especially the encrypted ones, using PKCS #8, and perhaps add a way to use PKCS #1 / SEC1 EC on step ca commands.

maraino avatar Nov 12 '20 19:11 maraino

--key-format

dopey avatar Nov 17 '20 18:11 dopey

Consider using PKCS#8 by default; DecryptPEMBlock and EncryptPEMBlock have been deprecated, see https://golang.org/pkg/crypto/x509/#DecryptPEMBlock

maraino avatar Feb 22 '21 22:02 maraino

Any updates on this one? We're using Azure which requires pkcs8 to import to key vault, so this would be nice.

peteroneilljr avatar Aug 17 '23 21:08 peteroneilljr

@peteroneilljr not done yet, but you can convert to pkcs#8 using:

```
step crypto key format --pem --pkcs8 my.key > my.p8
```

If you don't want a password-protected key, you must use --no-password --insecure

maraino avatar Aug 18 '23 00:08 maraino