Scroll to navigation

PKCS1-CONV(1) Nettle tools PKCS1-CONV(1)


pkcs1-conv - convert keys from PKCS#1 format to s-expression format


pkcs1-conv [{--private-rsa-key|--public-rsa-key|--public-key-info} [--base-64]] < FILE


This manual page documents briefly the pkcs1-conv command. This manual page was written for the Debian GNU/Linux distribution because the original program does not have a manual page.

pkcs1-conv converts private and public RSA keys from PKCS #1 format to sexp format.


This program follows the usual GNU command line syntax, with long options starting with two dashes (`-').

By default pkcs1-conv expects a PEM-encapsulated RSA key on standard input, and will determine its type from the Pre-Encapsulation Boundary. To convert a DER-encoded (non PEM-encoded) key, one of the first three options below must be used:

Specify that a DER-encoded RSAPrivateKey, as defined by PKCS #1 (RFC 3447), and described in section A.1.2 of its appendix A, is to be expected as input.
Specify that a DER-encoded RSAPublicKey, as defined by PKCS #1 (RFC 3447), and described in section A.1.1 of its appendix A, is to be expected as input.
Specify that a DER-encoded SubjectPublicKeyInfo, as defined by PKCS #6, and described in section A.1 of its appendix A, encapsulating an RSAPublicKey, is to be expected as input.
Together with --private-rsa-key, --public-rsa-key, or --public-key-info, specify that base64 encoding is applied on top of the DER encoding.
-?, --help
Show summary of options (not implemented).
Show version of program.


pkcs1-conv will complain and exit with a status of 1 if the input doesn't match expectations. In PEM mode (when no option is used), if no PEM block is found, pkcs1-conv will output nothing but exit with a zero status.


$ openssl genrsa -out privkey.pem
$ pkcs1-conv < privkey.pem > privkey.sexp
$ openssl rsa -in privkey.pem -outform DER -out privkey.der
$ openssl rsa -in privkey.pem -outform DER -pubout -out pubkey.der
$ pkcs1-conv --rsa-private-key < privkey.der > privkey.sexp
$ pkcs1-conv --public-key-info < pubkey.der > pubkey.sexp


ssh-conv(1), sexp-conv(1), rsa(1SSL), genrsa(1SSL), RFC 3447.


This manual page was written by Magnus Holmgren <> for the Debian GNU/Linux system (but may be used by others).


Copyright © 2007 Magnus Holmgren.

Copying and distribution of this file, with or without modification, are permitted in any medium without royalty provided the copyright notice and this notice are preserved.

June 2007 nettle 1.15