Converting RSA XML key to PEM


Quite surprisingly it turned out lately that I cannot find any utility that would help me convert a private RSA key in the XML format to the usual PEM format.

The XML format is mostly used for digitally signing XML documents according to the W3C recommendation, but Microsoft jumped on this format, too, and uses it in its .NET 1.1 platform. It is thus quite probable that, from time to time, someone needs to convert this XML “beast” back to the normal PEM format. But it seems that no suitable utility is to be found on the whole internet!

Luckily I came across the great little utility called PvkConvert, by Michel Gallant, which among other things does exactly that kind of conversion, unfortunately the other-way-round — from PEM to the XML format. But after being inspired by this, writing a small program that would do the right conversion turned into a piece of cake.


The XMLSec2PEM program converts a private or public RSA key from the XML format to the “traditional” PEM format. The program tries to guess whether it is working with a private or a public key according to the input XML file structure.
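
The conversion itself, as an added Python example (not the XMLSec2PEM source): it reads the RSAKeyValue elements as named by .NET (Modulus, Exponent, D, P, Q, DP, DQ, InverseQ), DER-encodes them as a PKCS#1 RSAPrivateKey and wraps the result in the traditional PEM armor. It covers the private-key case only; the function names and the toy key are constructed for illustration.

```python
import base64
import xml.etree.ElementTree as ET

# PKCS#1 RSAPrivateKey field order (RFC 8017 A.1.2), by .NET XML element name.
FIELDS = ["Modulus", "Exponent", "D", "P", "Q", "DP", "DQ", "InverseQ"]

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der_int(value):
    """DER INTEGER. The XML numbers are unsigned, so one extra byte of room
    yields a leading 0x00 whenever the top bit is set (else it reads negative)."""
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + der_len(len(body)) + body

def xml_to_der(xml_text):
    """Return PKCS#1 RSAPrivateKey DER for an <RSAKeyValue> private key."""
    root = ET.fromstring(xml_text)
    # Strip any namespace so plain and xmldsig-qualified element names both match.
    found = {el.tag.split("}")[-1]: (el.text or "").strip() for el in root}
    missing = [f for f in FIELDS if not found.get(f)]
    if missing:
        raise ValueError(f"not a private RSA key, missing: {missing}")
    num = {f: int.from_bytes(base64.b64decode(found[f]), "big") for f in FIELDS}
    if num["P"] * num["Q"] != num["Modulus"]:
        raise ValueError("P * Q does not equal Modulus")
    body = der_int(0) + b"".join(der_int(num[f]) for f in FIELDS)  # version = 0
    return b"\x30" + der_len(len(body)) + body

def der_to_pem(der, label="RSA PRIVATE KEY"):
    """Wrap DER in the traditional PEM armor, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"

def _b64(n):
    return base64.b64encode(n.to_bytes((n.bit_length() + 7) // 8, "big")).decode()

# Constructed toy key (p=61, q=53), far too small for real use.
TOY = dict(Modulus=3233, Exponent=17, D=2753, P=61, Q=53, DP=53, DQ=49, InverseQ=38)
SAMPLE_XML = "<RSAKeyValue>%s</RSAKeyValue>" % "".join(
    f"<{k}>{_b64(v)}</{k}>" for k, v in TOY.items())

if __name__ == "__main__":
    print(der_to_pem(xml_to_der(SAMPLE_XML)), end="")
```

The leading-zero handling in `der_int` is the step that most often goes wrong in hand-written converters: a real modulus always has its top bit set, so without the padding byte the resulting key is rejected or misread.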

Installation and running

You will need any decent version of Java JDK installed to compile and run the program. Grab the program and remove the .txt suffix. Compile it simply by:


And run it by:

java XMLSec2PEM <XML_keyfile>

Conversion to PKCS#8

If your freshly converted private key is not working, maybe you need a private key in the “full” PKCS#8 format. The utility returns the private keys only in the older “traditional” format, that allows no encryption for the keys, etc. If you need a full PKCS#8 format private key, use e.g. the openssl program with the -topk8 parameter:

openssl pkcs8 -topk8 -in key_rsa.pem -out key.pem


Suppose we have the following private key in the XML format, saved in the key.xml.txt file:


Run the utility and you will get the following output:

$ java XMLSec2PEM key.xml
Determining the key type: seems to be a private XML Security key
Checking the XML file structure: OK
Outputting the resulting key:


If you need the “full” PKCS#8 format, save the program output (only the lines between and including the BEGIN and END lines) into a file, say key.pem and convert it using openssl:

$ openssl pkcs8 -topk8 -in key.pem -nocrypt


Note: this is one of the few blog entries that I consider still valuable and that thus survived the web revamp in August 2011. Other older entries ended up in the digital trash.
