#65 Private key export is always PKCS#8 encoded


The Key Export dialog has a checkbox option for PKCS#8 to determine if the (PEM) key export file will be in "traditional" format or PKCS#8 format. Traditional encoding begins with "-----BEGIN RSA PRIVATE KEY-----", whereas PKCS#8 begins with "-----BEGIN PRIVATE KEY-----".

In XCA 0.9.0, the file is always created with PKCS#8 encoding regardless of the state of the checkbox.
In XCA 0.6.4, the file is created with PKCS#8 encoding only if the checkbox is selected.


  • Joe-S

    Joe-S - 2010-10-20

    (4) PEM key files (2) created with 0.6.4 and (2) created with 0.9.0

  • Joe-S

    Joe-S - 2010-10-20

    Additional testing was done using Win32 OpenSSL binaries from
    (http://www.slproweb.com/products/Win32OpenSSL.html). It appears to be an OpenSSL bug that has found its way into XCA.

    The command "openssl pkcs8 -in key.pem" should accept a PKCS#8 file and output a traditional file.

    With OpenSSL v0.9.8o the above command produces the expected output, which starts with "-----BEGIN RSA PRIVATE KEY-----".

    However, under OpenSSL 1.0.0a the same command produces PKCS#8 output, starting with "-----BEGIN PRIVATE KEY-----".

  • Christian Hohnstaedt

    openssl/CHANGES states:
    Changes between 0.9.8k and 1.0

    *) Make PKCS#8 the default write format for private keys, replacing the
    traditional format. This form is standardised, more secure and doesn't
    include an implicit MD5 dependency.
    [Steve Henson]

    I will modify the XCA PEM-write function to only use PKCS#8 if requested.

  • Christian Hohnstaedt

    • status: open --> pending-fixed
  • SourceForge Robot

    • status: pending-fixed --> closed-fixed
  • SourceForge Robot

    This Tracker item was closed automatically by the system. It was
    previously set to a Pending status, and the original submitter
    did not respond within 14 days (the time period specified by
    the administrator of this Tracker).
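
A check for which encoding an exported PEM key actually uses, added here as an example (not code from XCA or OpenSSL): it reads the PEM label quoted in the report and confirms it against the DER structure of the body. The function names and the stub byte strings are constructed for illustration; the stubs are not real keys.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
# PEM labels quoted in the thread, plus the encrypted PKCS#8 label.
LABELS = {"RSA PRIVATE KEY": "traditional", "PRIVATE KEY": "pkcs8",
          "ENCRYPTED PRIVATE KEY": "pkcs8-encrypted"}

def _tlv(der, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    tag, length = der[pos], der[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def der_shape(der):
    """Classify an unencrypted key body by its first two inner elements."""
    try:
        tag, start, _ = _tlv(der, 0)
        t1, _, end1 = _tlv(der, start)   # version INTEGER in both formats
        t2, _, _ = _tlv(der, end1)       # INTEGER (modulus) or SEQUENCE (AlgorithmIdentifier)
    except IndexError:
        return "unknown"
    shape = {0x30: "pkcs8", 0x02: "traditional"}.get(t2, "unknown")
    return shape if tag == 0x30 and t1 == 0x02 else "unknown"

def classify_pem(text):
    """Return (format per PEM label, format per DER body) for the first block."""
    m = PEM_RE.search(text)
    if not m:
        raise ValueError("no PEM block found")
    label_fmt, body = LABELS.get(m.group(1), "unknown"), m.group(2)
    if label_fmt == "pkcs8-encrypted" or "Proc-Type:" in body:
        return label_fmt, "encrypted"    # body cannot be inspected without the passphrase
    return label_fmt, der_shape(base64.b64decode(body))

def sample_pem(label, der):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{b64}\n-----END {label}-----\n"

# Constructed stubs (not usable keys): SEQ{INT 0, INT 3}, and that stub wrapped as PKCS#8.
TRAD_STUB = bytes.fromhex("3006020100020103")
PKCS8_STUB = bytes.fromhex("301c020100300d06092a864886f70d0101010500") + b"\x04\x08" + TRAD_STUB

for label, der in [("RSA PRIVATE KEY", TRAD_STUB), ("PRIVATE KEY", PKCS8_STUB)]:
    print(label, "->", classify_pem(sample_pem(label, der)))
```

A result whose two fields disagree means the label and the body were written by different code paths, which is worth flagging when verifying that an export option is honoured.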

