
I am trying to see how the certificate was made. I have a key file called site.com.crt, a bundle file called site.com.bundle and a key file called site.com.key, and I have no way of generating the same type of certificate as the old one, because the key at the start is an RSA key.

I have:

-----BEGIN PRIVATE KEY-----

The old certificate has:

-----BEGIN RSA PRIVATE KEY-----

Sayaman
    Please oh please tell us something about your environment. What OS are you running on, so we can give advice using the tools you have, plus what you use the certificate for. – mfinni Jan 26 '22 at 21:55
  • I am on Windows, but I have WSL2 installed. – Sayaman Jan 26 '22 at 21:59
  • Cool, what about the other question I asked? Also, you'd be wise to edit your question with that info so that people will easily read it, rather than having to thread through our banter here in the comments. – mfinni Jan 26 '22 at 23:35

1 Answer


A PEM-block with type PRIVATE KEY contains a key in PKCS8 format (and more specifically PKCS8-unencrypted) which can be for any algorithm including RSA; to see which, do

openssl pkey -in pkcs8file -noout -text

If it is RSA, you can convert to PEM type RSA PRIVATE KEY, which contains the OpenSSL 'traditional' format, i.e. per-algorithm and not PKCS8, and more specifically defined by PKCS1, with

openssl rsa -in pkcs8file -out tradfile 
# or in 1.1.0 up 
openssl pkey -in pkcs8file -out tradfile -traditional 

On all of these you can omit -in file or -out file to use stdin or stdout respectively, which can be redirected or piped as supported by your OS (or for WSL, simulated OS) and shell. You can encrypt the traditional-format file by also specifying a (symmetric or PBE) cipher, but since you didn't encrypt the PKCS8-format file I don't know why you'd want to.

Conversely, you can convert a traditional-format key (RSA as you have, or other) to PKCS8 format using

openssl pkey -in tradfile -out pkcs8file
# default unencrypted but you can add a cipher to encrypt
# or
openssl pkcs8 -topk8 -in tradfile -out pkcs8file 
# default encrypted but add -nocrypt for unencrypted

Again you can use stdin/stdout and redirect or pipe.

However, you claim you have a 'key file called site.com.crt'. That is very unlikely. While the extension (if any!) of a filename does not actually control the contents, it is usually chosen (if present) to reflect the contents, and if that file was not named by a lunatic or sadist it most likely contains a certificate, not a key. Certificates (of the type relevant here, mostly X.509 or PKIX) can be used to distribute and manage public keys in a public-key system, particularly a public-key infrastructure or PKI which is the type of public-key system we use throughout the world for most things, but a certificate is not a key and a key is not a certificate, just as a car is not a steering wheel and a steering wheel is not a car.

dave_thompson_085
  • This is ServerFault, not StackOverflow, it's definitely a valid sysadmin-related question. – mfinni Jan 28 '22 at 22:05
  • @mfinni: ayup -- I must have been looking at another tab when I started thinking about the answer. _And_ I made some typos, which your reminder allowed me to fix -- bad day all around! – dave_thompson_085 Jan 31 '22 at 21:33
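The checks the answer describes, as an added example that is not part of the question or the answer: a POSIX shell script that reports the PEM block type of a file from its BEGIN line (so a "PRIVATE KEY", an "RSA PRIVATE KEY" and a "CERTIFICATE" file can be told apart before anything else is done), converts an RSA key from PKCS#8 to the traditional PKCS#1 form and back with the openssl commands from the answer, and confirms that a private key belongs to a certificate by comparing the public key each one carries. It assumes the openssl command is installed; the file names site.com.key and site.com.crt are taken from the question, but the key and the self-signed certificate are generated in a scratch directory, so nothing on the host is read or changed. On OpenSSL 3.x "openssl rsa" writes PKCS#8 by default, which is why the conversion below prefers "openssl pkey -traditional" and only falls back to "openssl rsa" on builds that predate that switch.

```shell
#!/bin/sh
# Added example, not code from the original question or answer.
# Classifies PEM files by their BEGIN line, converts an RSA key between the
# PKCS#8 "PRIVATE KEY" form and the traditional PKCS#1 "RSA PRIVATE KEY" form,
# and checks that a private key belongs to a certificate. The names
# site.com.key / site.com.crt come from the question; the key and certificate
# are generated here in a temporary directory (assumption: openssl is installed).

# Type of the first PEM block in a file ("PRIVATE KEY", "RSA PRIVATE KEY",
# "CERTIFICATE", ...), or "NOT PEM" when the file has no BEGIN line at all.
pem_type() {
    t=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | head -n 1)
    if [ -n "$t" ]; then echo "$t"; else echo "NOT PEM"; fi
}

# Number of PEM blocks in a file; a CA bundle usually carries several
# CERTIFICATE blocks, a key file exactly one block.
pem_block_count() {
    grep -c '^-----BEGIN ' "$1" || true
}

# PKCS#8 -> traditional PKCS#1. "openssl pkey -traditional" exists from 1.1.0;
# on older builds fall back to "openssl rsa", which wrote PKCS#1 before 3.0.
pkcs8_to_traditional() {
    openssl pkey -in "$1" -out "$2" -traditional 2>/dev/null \
        || openssl rsa -in "$1" -out "$2" 2>/dev/null
}

# Any PEM private key -> unencrypted PKCS#8 ("PRIVATE KEY"), as in the answer.
traditional_to_pkcs8() {
    openssl pkey -in "$1" -out "$2"
}

# "match" when the certificate's public key equals the private key's public half,
# "mismatch" otherwise (a .crt is a certificate, not a key, but it must belong to one).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    if [ -n "$k" ] && [ "$k" = "$c" ]; then echo match; else echo mismatch; fi
}

# Round trip in a scratch directory. Prints "skipped" when openssl is absent,
# otherwise "<type after genpkey>|<type after conversion>|<type after reconversion>|<cert check>".
demo_key_formats() {
    command -v openssl >/dev/null 2>&1 || { echo skipped; return 0; }
    d=$(mktemp -d) || return 1
    # genpkey writes PKCS#8, i.e. a "PRIVATE KEY" block, on every OpenSSL release
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$d/site.com.key" 2>/dev/null || return 1
    pkcs8_to_traditional "$d/site.com.key" "$d/trad.key" || return 1
    traditional_to_pkcs8 "$d/trad.key" "$d/pkcs8.key" || return 1
    # self-signed certificate for the same key; "openssl req" needs an openssl.cnf,
    # so the certificate check is reported as skipped if the file cannot be made
    if openssl req -x509 -key "$d/site.com.key" -subj "/CN=site.com" -days 1 \
            -out "$d/site.com.crt" 2>/dev/null; then
        m=$(key_matches_cert "$d/site.com.key" "$d/site.com.crt")
    else
        m=cert-skipped
    fi
    printf '%s|%s|%s|%s\n' "$(pem_type "$d/site.com.key")" "$(pem_type "$d/trad.key")" \
        "$(pem_type "$d/pkcs8.key")" "$m"
    rm -rf "$d"
}

demo_key_formats
```

On a host with OpenSSL the script prints `PRIVATE KEY|RSA PRIVATE KEY|PRIVATE KEY|match`: the generated key is PKCS#8, the converted copy carries the old certificate's "RSA PRIVATE KEY" header, converting back restores the PKCS#8 header, and the key and certificate agree. The same `pem_type` and `key_matches_cert` calls, pointed at the real site.com.key and site.com.crt, answer the question's actual doubt: the header difference is only an encoding of the same RSA key, and what matters for the web server is that the key's public half equals the one in the certificate.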