PKCS#8/PKCS#1 Key Converter

Convert private keys between PKCS#8 and PKCS#1 (traditional) formats

By Anish Nath
PKCS#8 ↔ PKCS#1 RSA Keys EC Keys DSA Keys
Convert Key
Private Key (PEM)
Supports RSA, DSA, and EC keys in PKCS#1 or PKCS#8 format
Password (Optional)
Only required if the private key is encrypted
Converted Key

Your converted key will appear here

Paste a key and click Convert
OpenSSL Key Conversion Commands
PKCS#1 to PKCS#8 (RSA)
# Convert traditional RSA key to PKCS#8 format
$ openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt \
-in private.pem -out private_pkcs8.pem
PKCS#8 to PKCS#1 (RSA)
# Convert PKCS#8 to traditional RSA format
$ openssl rsa -in private_pkcs8.pem -out private_pkcs1.pem
EC Key to PKCS#8
# Convert EC private key to PKCS#8 format
$ openssl pkcs8 -topk8 -nocrypt -in ec_private.pem -out ec_pkcs8.pem
Decrypt Encrypted PKCS#8 Key
# Decrypt an encrypted PKCS#8 private key
$ openssl pkcs8 -in encrypted.pem -out decrypted.pem
Encrypt PKCS#8 Key with AES-256
# Convert to encrypted PKCS#8 with AES-256-CBC
$ openssl pkcs8 -topk8 -v2 aes-256-cbc -in private.pem -out encrypted_pkcs8.pem
Related Key Tools
PEM Parser

Decode and analyze PEM certificates and keys
Extract Public Key

Extract public key from private key
RSA Key Generator

Generate RSA key pairs online

Support This Free Tool

Every coffee helps keep the servers running. Every book sale funds the next tool I'm dreaming up. You're not just supporting a site — you're helping me build what developers actually need.

500K+ users
200+ tools
100% private
One-time support Buy me a coffee 📚 Learn & support 9-Book Bundle - $9 Stay updated Follow @anish2good
Privacy Guarantee: Private keys you enter or generate are never stored on our servers. All tools are served over HTTPS.
Understanding Key Formats
PKCS#1 vs PKCS#8: What's the Difference?

Both PKCS#1 and PKCS#8 are standards for storing private keys, but they serve different purposes:

PKCS#1 Traditional Format
  • RSA-specific format (RSA Cryptography Standard)
  • Header: BEGIN RSA PRIVATE KEY
  • Contains only RSA key parameters
  • Simpler structure, no algorithm OID
  • Commonly used by older applications
PKCS#8 Generic Format
  • Algorithm-agnostic (works with RSA, EC, DSA, etc.)
  • Header: BEGIN PRIVATE KEY
  • Includes algorithm identifier (OID)
  • Supports encryption (PKCS#5/PBES2)
  • Recommended modern format
PEM Headers by Key Type
Key Type Traditional Format PKCS#8 Format
RSA BEGIN RSA PRIVATE KEY BEGIN PRIVATE KEY
EC (Elliptic Curve) BEGIN EC PRIVATE KEY BEGIN PRIVATE KEY
DSA BEGIN DSA PRIVATE KEY BEGIN PRIVATE KEY
Encrypted (any) BEGIN ENCRYPTED PRIVATE KEY BEGIN ENCRYPTED PRIVATE KEY
When to Use Which Format?
Use PKCS#8 when:
  • Working with modern applications (Java, .NET)
  • Need algorithm-independent key storage
  • Want to encrypt the private key
  • Using non-RSA algorithms (EC, EdDSA)
Use PKCS#1 when:
  • Legacy application compatibility required
  • Working with older OpenSSL versions
  • Specific tool requires traditional format
  • RSA-only environment
Tip: When in doubt, use PKCS#8. It's the more modern and versatile format that works with all key types and most modern cryptographic libraries.
Quick Access