5

Correct me if I am wrong, but PKCS8 is a format to store private key info. It could be binary-encoded (DER) or Base64-encoded (PEM).

man ssh-config

-m key_format
             Specify a key format for the -i (import) or -e (export) conver‐
             sion options.  The supported key formats are: “RFC4716” (RFC
             4716/SSH2 public or private key), “PKCS8” (PEM PKCS8 public
             key) or “PEM” (PEM public key).  The default conversion format
             is “RFC4716”.

I am confused by "PKCS8 Public Key" (while RFC-5208 is "Private-Key Information Syntax Specification Version"), and I also can't understand what "PEM public key" is here. PKCS8 could be PEM or DER. What does it mean?

user996142

1 Answer

4

Oh, I have found an answer. PEM here is a PKCS#1 (RSA) key. Not sure why ssh-keygen used this terminology. And PKCS#8 could be used for public keys as well since RFC-5958, which obsoletes RFC-5208. A very good article is https://tls.mbed.org/kb/cryptography/asn1-key-structures-in-der-and-pem and this question is also good: https://stackoverflow.com/questions/20065304/what-is-the-differences-between-begin-rsa-private-key-and-begin-private-key

Here is PKCS#1 (RSA):

[foo@bar ~]$ ssh-keygen -f .ssh/authorized_keys -e -m PEM
-----BEGIN RSA PUBLIC KEY-----
MIIBCgKCAQEApPGAMzobORnBJdPD0VvBif0cBkRC1KgTi4rDmscp+4F8Ke6nE/jE
.....
rf/DnkvPoJPiRLBnyjmyWsQ0dWHnRbSZSwIDAQAB
-----END RSA PUBLIC KEY-----

And here is PKCS#8:

[foo@bar ~]$ ssh-keygen -f .ssh/authorized_keys -e -m PKCS8
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEApPGAMzobORnBJdPD0VvB
...
yk/avnG/lceGqChXgjxcHEKQRJYZRTnqrf/DnkvPoJPiRLBnyjmyWsQ0dWHnRbSZ
SwIDAQAB
-----END PUBLIC KEY-----
user996142
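
The two outputs in the answer differ only by a wrapper, which this added example (not part of the original post or of OpenSSH) makes visible at the DER level: the `BEGIN PUBLIC KEY` form is a SubjectPublicKeyInfo that carries the PKCS#1 `RSAPublicKey` inside a BIT STRING behind an rsaEncryption AlgorithmIdentifier. The helper names are hypothetical and the modulus is a constructed 2048-bit number, not a real key.

```python
import base64

# DER of AlgorithmIdentifier { OID rsaEncryption (1.2.840.113549.1.1.1), NULL }
RSA_ALG_ID = bytes.fromhex("300d06092a864886f70d0101010500")

def tlv(tag, value):
    """Encode one DER tag-length-value (short or long length form)."""
    n = len(value)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + value

def read_tlv(buf, pos=0):
    """Decode the TLV at pos; return (tag, value, offset just past it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_pkcs1(n, e):
    """RSAPublicKey SEQUENCE { n, e } ('-m PEM'); INTEGERs get a 0x00 pad if needed."""
    ints = [tlv(0x02, x.to_bytes(x.bit_length() // 8 + 1, "big")) for x in (n, e)]
    return tlv(0x30, b"".join(ints))

def pkcs1_to_spki(pkcs1):
    """Wrap in SubjectPublicKeyInfo, the 'BEGIN PUBLIC KEY' form ('-m PKCS8')."""
    return tlv(0x30, RSA_ALG_ID + tlv(0x03, b"\x00" + pkcs1))

def spki_to_pkcs1(spki):
    """Unwrap SubjectPublicKeyInfo, rejecting anything that is not RSA."""
    tag, seq, end = read_tlv(spki)
    if tag != 0x30 or end != len(spki) or not seq.startswith(RSA_ALG_ID):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    tag, bits, end = read_tlv(seq, len(RSA_ALG_ID))
    if tag != 0x03 or end != len(seq) or bits[:1] != b"\x00":
        raise ValueError("malformed BIT STRING")
    return bits[1:]

def b64_head(der, nbytes):
    """Base64 of the first nbytes, for comparison with the PEM bodies."""
    return base64.b64encode(der[:nbytes]).decode()

# Constructed 2048-bit value with the top bit set; not a real RSA modulus.
PKCS1 = rsa_pkcs1((1 << 2047) | 0xC0FFEE01, 65537)
SPKI = pkcs1_to_spki(PKCS1)
```

For any 2048-bit RSA key with exponent 65537, `b64_head(PKCS1, 9)` gives the `MIIBCgKCAQEA` prefix of the first output and `b64_head(SPKI, 24)` gives the `MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A` prefix of the second, after which the PKCS#1 bytes follow unchanged.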