smallstep / cli

🧰 A zero trust swiss army knife for working with X509, OAuth, JWT, OATH OTP, etc.
https://smallstep.com/cli
Apache License 2.0
3.61k stars 247 forks

Use PKCS #8 by default for private keys #387

Open maraino opened 3 years ago

maraino commented 3 years ago

Add option to save a private key using PKCS #8

Description

Some frameworks do not support PKCS #1 or SEC1 EC formats for the private key and require the use of PKCS #8. See https://github.com/smallstep/autocert/issues/17#issuecomment-725966689

We should add the flag --pkcs8 or --format pkcs8 to at least the following commands:

Autocert should also support this option.

Currently we can transform a PKCS #1 or SEC1 EC key to PKCS #8 using:

step crypto key format --pkcs8 --pem --no-password --insecure --out site.pkcs8.pem site.pem

Update

We should default to storing private keys, especially the encrypted ones, using PKCS #8, and perhaps add a way to use PKCS #1 / SEC1 EC on step ca commands.

dopey commented 3 years ago

--key-format

maraino commented 3 years ago

Consider using PKCS #8 by default; DecryptPEMBlock and EncryptPEMBlock have been deprecated, see https://golang.org/pkg/crypto/x509/#DecryptPEMBlock

peteroneilljr commented 1 year ago

Any updates on this one? We're using Azure which requires pkcs8 to import to key vault, so this would be nice.

maraino commented 1 year ago

@peteroneilljr not done yet, but you can convert to pkcs#8 using:

step crypto key format --pem --pkcs8 my.key > my.p8

If you don't want a password-protected key, you must use --no-password --insecure