On Wed, Jun 09, 2010, Robinson, Richard L (Rick) wrote:

> I was evaluating openssl-1.0.0a and performed a PKCS12 conversion to PEM
> using the following command:
>
> openssl pkcs12 -in myfile.p12 -nodes -out myfile.pem
>
> However, I noticed that in the resulting PEM file the preamble for the
> resulting private key displayed "-----BEGIN PRIVATE KEY-----"
>
> If I performed the same command using openssl-0.9.8k, the preamble for
> the private key is displayed as "-----BEGIN RSA PRIVATE KEY-----" (which
> is consistent with prior versions of openssl).
>
> I also noticed that the extracted private key is different when I use
> 1.0.0a. It is smaller but the certificate extracted from the p12 file is
> the same for both versions of openssl.
>
> I believe this may be due to a FIPS flag, but I cannot confirm that in
> reviewing the config files or code (but it may be there).
>
> Does anybody know why the preamble and private key are different when I
> use 1.0.0a (it is causing me some import problems of the private key
> with other software)?

OpenSSL 0.9.8 used what I've called the "traditional" private key format
which was unchanged since SSLeay, non-standard, no private key iteration
count and using the deprecated MD5 algorithm.

FIPS mode in 0.9.8 (where MD5 use is illegal) and 1.0.0 in general now uses
PKCS#8 format.

Steve.
--
Dr Stephen N. Henson. OpenSSL project core developer.
Commercial tech support now available see: http://www.openssl.org
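
The two unencrypted layouts discussed in this thread, as an added example (not part of the original messages and not OpenSSL code): it tells a PKCS#8 "PRIVATE KEY" block from a traditional "RSA PRIVATE KEY" block by DER structure and unwraps the former into the latter. The helper names and the toy key are constructed for illustration; encrypted keys are out of scope.

```python
import base64, re
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def tlv(tag, body):  # DER-encode one element with a definite length
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw) + body

def der_int(v):  # non-negative INTEGER; the extra byte keeps the sign bit clear
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def children(buf):
    """Split DER contents into a list of (tag, contents) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, n, pos = buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:  # long form: low 7 bits count the length bytes
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        out.append((tag, buf[pos:pos + n]))
        pos += n
    return out

def to_pem(label, der):
    b64 = base64.b64encode(der).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *rows, f"-----END {label}-----", ""])

def key_fields(pem):  # fields of the outer SEQUENCE in the first private key block
    m = re.search(r"-----BEGIN ([A-Z ]*PRIVATE KEY)-----(.+?)-----END \1-----", pem, re.S)
    return children(children(base64.b64decode(m.group(2)))[0][1])

def key_format(pem):
    """Classify an unencrypted key by DER structure, not by its PEM label."""
    tag = key_fields(pem)[1][0]  # element after the version INTEGER
    return {0x30: "pkcs8", 0x02: "traditional-rsa"}.get(tag, "unknown")

def pkcs8_to_traditional(pem):
    """Unwrap a PKCS#8 RSA key to the RSAPrivateKey it carries."""
    _, (_, alg), (_, inner) = key_fields(pem)[:3]
    if key_format(pem) != "pkcs8" or children(alg)[0][1] != RSA_OID:
        raise ValueError("not a PKCS#8 RSA key")
    return to_pem("RSA PRIVATE KEY", inner)

# Constructed toy key (p=61, q=53): illustrates the layout, useless as a key.
TOY = tlv(0x30, b"".join(map(der_int, [0, 3233, 17, 2753, 61, 53, 53, 49, 38])))
ALG = tlv(0x30, tlv(0x06, RSA_OID) + tlv(0x05, b""))
PKCS8_PEM = to_pem("PRIVATE KEY", tlv(0x30, der_int(0) + ALG + tlv(0x04, TOY)))
TRAD_PEM = to_pem("RSA PRIVATE KEY", TOY)
```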