The "cryptographic algorithm" PFX file extracts the public key private key

Method 1:

Original PFX certificate

OpenSSL pkcs12-in myssl.pfx-nodes-out Server.pem

Extract private key

OpenSSL rsa-in server.pem-out Server.key

Present public key

OpenSSL x509-in server.pem-out server.crt

Method 2:

2. Extract key information from PFX and convert to key format (PFX using PKCS12 mode top up)

(1) Extract key pair

OpenSSL pkcs12-in 1.pfx-nocerts-nodes-out 1.key

If the PFX certificate is encrypted, you are prompted to enter a password. If the CER certificate is not installed, the password cannot be verified

(2) Extracting the private key from the key pair

OpenSSL rsa-in 1.key-out 1_pri.key

(3) Extracting the public key from a key pair

OpenSSL rsa-in 1.key-pubout-out 1_pub.key

(4) because the RSA algorithm uses the PKCS8 mode complement, the extracted private key needs to be further processed

OpenSSL pkcs8-topk8-inform pem-in 1_pri.key-outform pem-nocrypt

Copy the generated key from the window and save it as 1_pri_pkcs8.key

(5) Get key pair 1_pri_pkcs8.key and 1_pub.key

The private key conversion tool in the PKCS8 format. It handles the private key file in the pkcs#8 format. It can use a variety of pkcs#5 (v1.5 and v2.0) and PKCS#12 algorithms to handle the PKCS#8 privatekeyinfo format and the Encryptedprivatekeyinfo format without decryption.
Usage:
[CPP] View plaincopy
OpenSSL pkcs8 [-inform pem| DER] [-outform pem| DER] [-in filename] [-passin arg] [-out filename]
[-passout Arg] [-TOPK8] [-noiter] [-nocrypt] [-NOOCT] [-embed] [-nsdb] [-v2 ALG] [-v1 ALG] [-engine ID]
Option Description:
-inform pem| Der:: Input file format, der or PEM format. Der format is in der Standard format ASN1. The most commonly used is the PEM format, which is the Base64 encoding format.
-outform der| PEM: Output file format, der or PEM format.
-in FileName: The key file entered, which defaults to standard input. If the key is encrypted, you are prompted to enter a key password.
-passin arg: Enter the file password protection source.
-out FileName: Output file, default to standard output. If any cryptographic operation has been performed, a key value is prompted. The output file name cannot be the same as the file name entered.
-passout arg: Output file password protection source.
-TOPK8: It is common to enter a PKCS8 file and the traditional format private key file will be written out. When this option is set, the position is converted: Enter a private key file in a traditional format and output a file in pkcs#8 format.
The number of-noiter:mac protection calculations is 1.
-nocrypt:pkcs#8 key generation or input generally uses an appropriate key to encrypt the PKCS#8 encryptedprivatekeyinfo structure. When this option is set, an unencrypted privatekeyinfo structure will be output. This option has never encrypted the private key file and is only available when absolutely necessary. Some software, such as some Java code Signing software, uses an unencrypted private key file.
-NOOCT: The RSA private key file generated by this option is a bad format and some software will be used. In particular, the private key file must be accompanied by a eight-bit string, but some software only contains its own structure without wrapping the eight-bit string. The private key is not represented by a eight-bit group.
-embed: This option produces an RSA private key file that is a bad format. The embedded DSA parameter format is used in the private key structure body. In this form, the eight-bit group string contains two structures in ASN1 sequence: One sequence contains the key parameter, and one ASN1 integer contains the private key value.
-NSDB: This option produces an RSA private key file that is a bad format and is compatible with the Netscape private key file database. Use the Netscapedb DSA format.
-v2 ALG: Use Pkcs#5 v2.0, and specify the encryption algorithm, the default is the Pkcs#8 private key file is called b<pbewithmd5anddes-cbc> (the algorithm with 56 bytes of DES encryption but in pkcs#5 Encryption algorithms with stronger encryption algorithms in v1.5 are encrypted with passwords. With the b<-v2> option, PKCS#5 v2.0 related algorithms will be used, which can be Des3 (168 bytes) and RC2 (128 bytes), recommended Des3.
-V1 ALG: Uses pkcs#5 v1.5 or PKCS12, and specifies the encryption algorithm. The algorithm can be used see below.
-engine ID: Specifies the hardware engine.
Attention:
The encrypted PEM-encoded PKCS#8 file table is made with the following head and tail:
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
Non-encrypted tables are only:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
Compared with the traditional Ssleay algorithm, the PKCS#5 v2.0 series algorithm is used to encrypt the private key, which has higher security and iterative times. So the added security is well thought out.
The default encryption algorithm is only 56 bytes, because it is the best method supported by Pkcs#8.
Some software uses pkcs#12 key-based encryption algorithms to encrypt private keys in the PKCS#8 format: they are processed automatically but have no options to operate.
In the pkcs#8 format, it is possible to output an encrypted private key file in DER encoded format, because the detailed description of the encryption is included in the DER Hierarchy, instead the traditional format is contained in the PEM Deng Lizheng.
Pkcs#5 v1.5 and PKCS#12 algorithms:
Various algorithms can be used by the option-V1. Contains Pkcs#5 v1.5 and pkcs#12 algorithms. Detailed descriptions are as follows:
B<pbe-md2-des Pbe-md5-des>: These two algorithms are included in the Pkcs#5 v1.5. They provide only 56 bytes of protection, and the encryption algorithm is DES.
b<pbe-sha1-rc2-64 pbe-md2-rc2-64 pbe-md5-rc2-64 pbe-sha1-des>: They are in the traditional pkcs#5 v1.5 are not mentioned, but they use the same key to elicit the algorithm, supported by some software. Mentioned in the Pkcs#5 v2.0. They use 64-byte RC2 and 56-byte des.
b<pbe-sha1-rc4-128 pbe-sha1-rc4-40 pbe-sha1-3des pbe-sha1-2des pbe-sha1-rc2-128 PBE-SHA1-RC2-40>: They are pkcs# 12 Key-based cryptographic algorithms that allow the use of high-strength cryptographic algorithms, such as 3DES or 128-bit RC2.
Instance:
Convert the traditional private key file to Pkcs#5 v2.0 using the 3DES algorithm:
[CPP] View plaincopy
OpenSSL pkcs8-in key.pem-topk8-v2 des3-out Enckey.pem

Convert the private key file to a PKCS8 file using the PKCS#5 1.5 compatible des algorithm:
[HTML] View plaincopy
OpenSSL pkcs8-in ocspserverkey.pem-topk8-out Ocspkcs8key.pem

Convert the private key file to a PKCS8 file using the PKCS#12 compatible 3DES algorithm:
[HTML] View plaincopy
OpenSSL pkcs8-in key.pem-topk8-out enckey.pem-v1 pbe-sha1-3des

Reads a private key in the PKCS#8 format that is encrypted in der Format:
[CPP] View plaincopy
OpenSSL pkcs8-inform der-nocrypt-in key.der-out Key.pem

Convert a private key in a pkcs#8 format to a traditional private key:
[CPP] View plaincopy
OpenSSL pkcs8-in pk8.pem-out Key.pem

The private key in the PKCS8 is stored in clear text:
[HTML] View plaincopy
OpenSSL pkcs8-in ocspserverkey.pem-topk8-nocrypt-out Ocspkcs8key.pem

Standard:
The implementation of the test vectors of the Pkcs#5 v2.0 is encrypted using the high-intensity iterative algorithm 3DES, DES, and RC2 in the form of advertisements. Many people want to confirm that they can decrypt the resulting private key.
The DSA private key file in the PKCS#8 format is not in the Memo file: section 11.9 in Pkcs#11 v2.01 is hidden. The default DSA pkcs#8 private key format for OpenSSL is hidden in this standard.
BUGs:
There must be an option to print other detailed details of the cryptographic algorithm used, such as the number of iterations.
Pkcs#8 with 3DES and Pkcs#5 v2.0 must be the default private key file: currently for command compatibility.

The "cryptographic algorithm" PFX file extracts the public key private key