Quite surprisingly it turned out lately that I cannot find any utility that would help me convert a private RSA key in the XML format to the usual PEM format.
The XML format is mostly used for digitally signing XML documents according to the W3C recommendation, but Microsoft jumped on this format, too, and uses it in its .NET 1.1 platform. It is thus quite probable that, from time to time, someone needs to convert this XML “beast” back to normal PEM format. But it seems that no suitable utility is to be found on the whole internet!
Luckily I came across the great little utility called PvkConvert, by Michel Gallant, which among other things does exactly that kind of conversion, unfortunately the other-way-round — from PEM to the XML format. But after being inspired by this, writing a small program that would do the right conversion turned into a piece of cake.
The XMLSec2PEM program converts a private or public RSA key from the XML format to the “traditional” PEM format. The program tries to guess whether it is working with a private or a public key according to the input XML file structure.
Installation and running
You will need any decent version of Java JDK installed to compile and run the program. Grab the program
.txt suffix. Compile it simply by:
And run it by:
java XMLSec2PEM <XML_keyfile>
Conversion to PKCS#8
If your freshly converted private key is not working, maybe you need a private key in the “full” PKCS#8 format. The utility returns the private keys only in the older “traditional” format, that allows no encryption for the keys, etc. If you need a full PKCS#8 format private key, use e.g. the openssl program with the
openssl pkcs8 -topk8 -in key_rsa.pem -out key.pem
Suppose we have the following private key in the XML format, saved in the file:
<RSAKeyValue>
  <Modulus>wzZYQpFhIItfo5...3CZXgAyOc+w==</Modulus>
  <Exponent>AQAB</Exponent>
  <P>+hhxh9KjXvS...vWL47IlE=</P>
  <Q>x9IxFrOIpj...z3eGi4s=</Q>
  <DP>Dp2bFOr0...26/SWOE=</DP>
  <DQ>oAKxTHx3...zMbn+Tq9gw==</DQ>
  <InverseQ>RapfQxpRbPa...q80Vcl9Pc=</InverseQ>
  <D>A9q412ejcU8PL...WJ1xnKcUWzwQ==</D>
</RSAKeyValue>
Run the utility and you will get the following output:
$ java XMLSec2PEM key.xml
Determining the key type: seems to be a private XML Security key
Checking the XML file structure: OK
Outputting the resulting key:
-----BEGIN PRIVATE KEY-----
MIIBTwIBADANBgkqh...
...
...dDVavNFXJfT3
-----END PRIVATE KEY-----
If you need the “full” PKCS#8 format, save the program output (only the lines between and including the BEGIN and END lines) into a file, say
key.pem and convert it using openssl:
$ openssl pkcs8 -topk8 -in a.out.pem -nocrypt
-----BEGIN PRIVATE KEY-----
MIIBUwIBADANBgkqhkiG9w0BAQEFAASCAT0wggE5AgEAAkEAwzZYQpFhIItfo5Z9
Ns7HHYWzqRel/OUK2XGyv8qBoZBWxd3DOiPbczbwDtOZDy8c0NejmEcbmk+3CZXg
AyOc+wIDAQABAkAD2rjXZ6NxTw8uXbRPNrn7vT4U4qCmY6dZL8OFwevZUsVhpsNM
wmH62l/5Le4zd66atsRohK1+hYnXGcpxRbPBAiEA+hhxh9KjXvS6x1SyB6C2QHrI
gVyxWmmIVJdvWL47IlECIQDH0jEWs4imMNzvcViwab9GsZVwt5x6hgoufILPd4aL
iwIgDp2bFOr0bTo0KC4E8Xks7Xu/d//oxXXhZ8Ap26/SWOECIACgArFMfHfwnTBO
jXV3zzZcZdhFasLjWnLMxuf5Or2DAiBFql9DGlFs9o3f/06UNlFAbQcERTnv13Q1
WrzRVyX09w==
-----END PRIVATE KEY-----
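To show what the conversion involves, here is an added Python sketch (not the XMLSec2PEM source, which is Java) that reads the XML elements shown above and DER-encodes them as a PKCS#1 RSAPrivateKey under the "RSA PRIVATE KEY" PEM label, the traditional form that openssl pkcs8 -topk8 accepts as input. The function names and the toy sample key are assumptions made for this example; it handles private keys only.

```python
import base64
import xml.etree.ElementTree as ET

# RSAPrivateKey field order in PKCS#1 (RFC 8017, A.1.2), by XML element name.
FIELDS = ["Modulus", "Exponent", "D", "P", "Q", "DP", "DQ", "InverseQ"]

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(value):
    """DER INTEGER; sizing by bit_length // 8 + 1 keeps the sign bit clear."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(body)) + body

def xml_to_pkcs1_der(xml_text):
    """Parse <RSAKeyValue> and return the DER-encoded RSAPrivateKey."""
    root = ET.fromstring(xml_text)
    if root.tag != "RSAKeyValue":
        raise ValueError("root element is not RSAKeyValue")
    ints = []
    for name in FIELDS:
        text = (root.findtext(name) or "").strip()
        if not text:
            raise ValueError(f"<{name}> missing: not a private key")
        ints.append(int.from_bytes(base64.b64decode(text), "big"))
    if ints[3] * ints[4] != ints[0]:  # sanity check: P * Q == Modulus
        raise ValueError("P * Q does not equal Modulus")
    body = der_int(0) + b"".join(map(der_int, ints))  # version 0: two primes
    return b"\x30" + der_len(len(body)) + body

def to_pem(der, label="RSA PRIVATE KEY"):
    """Wrap DER in PEM armour with 64-character base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([f"-----BEGIN {label}-----", *lines, f"-----END {label}-----", ""])

# Constructed toy key (p=61, q=53, e=17, d=2753), far too small for real use.
SAMPLE_XML = """<RSAKeyValue><Modulus>DKE=</Modulus><Exponent>EQ==</Exponent>
<P>PQ==</P><Q>NQ==</Q><DP>NQ==</DP><DQ>MQ==</DQ><InverseQ>Jg==</InverseQ>
<D>CsE=</D></RSAKeyValue>"""

if __name__ == "__main__":
    print(to_pem(xml_to_pkcs1_der(SAMPLE_XML)), end="")
```

The converted file holds the private key in the clear, so write it with owner-only permissions and remove intermediate copies once the key is in its final format.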
Note: this is one of the few blog entries that I consider still valuable and that thus survived the web revamp in August 2011. Other older entries ended up in the digital trash.