Linux "pkcs8" Command Line Options and Examples
PKCS#8 format private key conversion tool

The pkcs8 command processes private keys in PKCS#8 format. It can handle both unencrypted PKCS#8 PrivateKeyInfo format and EncryptedPrivateKeyInfo format with a variety of PKCS#5 (v1.5 and v2.


Usage:

openssl pkcs8 [-help] [-topk8] [-inform PEM|DER] [-outform PEM|DER] [-in filename] [-passin arg]
[-out filename] [-passout arg] [-iter count] [-noiter] [-nocrypt] [-traditional] [-v2 alg] [-v2prf alg]
[-v1 alg] [-engine id] [-scrypt] [-scrypt_N N] [-scrypt_r r] [-scrypt_p p]






Command Line Options:

-help
Print out a usage message.
pkcs8 -help ...
-topk8
Normally a PKCS#8 private key is expected on input and a private key will be written to the output file. With the -topk8 option the situation is reversed: it reads a private key and writes a PKCS#8 format key.
pkcs8 -topk8 ...
-inform
This specifies the input format: see "KEY FORMATS" for more details.
pkcs8 -inform ...
-outform
This specifies the output format: see "KEY FORMATS" for more details.
pkcs8 -outform ...
-traditional
When this option is present and -topk8 is not, a traditional format private key is written.
pkcs8 -traditional ...
-in
This specifies the input filename to read a key from or standard input if this option is not specified. If the key is encrypted a pass phrase will be prompted for.
pkcs8 -in ...
-passin
The input file password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).
pkcs8 -passin ...
-out
This specifies the output filename to write a key to or standard output by default. If any encryption options are set then a pass phrase will be prompted for. The output filename should not be the same as the input filename.
pkcs8 -out ...
-passout
The output file password source. For more information about the format of arg see the PASS PHRASE ARGUMENTS section in openssl(1).
pkcs8 -passout ...
-iter
When creating new PKCS#8 containers, use a given number of iterations on the password in deriving the encryption key for the PKCS#8 output. High values increase the time required to brute-force a PKCS#8 container.
pkcs8 -iter ...
-nocrypt
PKCS#8 keys generated or input are normally PKCS#8 EncryptedPrivateKeyInfo structures using an appropriate password based encryption algorithm. With this option an unencrypted PrivateKeyInfo structure is expected or output. This option does not encrypt private keys at all and should only be used when absolutely necessary. Certain software such as some versions of Java code signing software used unencrypted private keys.
pkcs8 -nocrypt ...
-v2
This option sets the PKCS#5 v2.0 algorithm. The alg argument is the encryption algorithm to use; valid values include aes128, aes256 and des3. If this option isn't specified then aes256 is used.
pkcs8 -v2 ...
-v2prf
This option sets the PRF algorithm to use with PKCS#5 v2.0. A typical value would be hmacWithSHA256. If this option isn't set then the default for the cipher is used or hmacWithSHA256 if there is no default. Some implementations may not support custom PRF algorithms and may require the hmacWithSHA1 option to work.
pkcs8 -v2prf ...
-v1
This option indicates a PKCS#5 v1.5 or PKCS#12 algorithm should be used. Some older implementations may not support PKCS#5 v2.0 and may require this option. If not specified PKCS#5 v2.0 form is used.
pkcs8 -v1 ...
-engine
Specifying an engine (by its unique id string) will cause pkcs8 to attempt to obtain a functional reference to the specified engine, thus initialising it if needed. The engine will then be set as the default for all available algorithms.
pkcs8 -engine ...
-scrypt
Uses the scrypt algorithm for private key encryption using default parameters: currently N=16384, r=8 and p=1 and AES in CBC mode with a 256 bit key. These parameters can be modified using the -scrypt_N, -scrypt_r, -scrypt_p and -v2 options.
pkcs8 -scrypt ...
-scrypt_N, -scrypt_r, -scrypt_p
Sets the scrypt N, r or p parameters.
pkcs8 -scrypt_N ...
pkcs8 -scrypt_r ...

KEY FORMATS

Various different formats are used by the pkcs8 utility. These are detailed below.

If a key is being converted from PKCS#8 form (i.e. the -topk8 option is not used) then the input file must be in PKCS#8 format. An encrypted key is expected unless -nocrypt is included.

If -topk8 is not used and PEM mode is set the output file will be an unencrypted private key in PKCS#8 format. If the -traditional option is used then a traditional format private key is written instead.

If -topk8 is not used and DER mode is set the output file will be an unencrypted private key in traditional DER format.

If -topk8 is used then any supported private key can be used for the input file in a format specified by -inform. The output file will be encrypted PKCS#8 format using the specified encryption parameters unless
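
The shell script below is an added example, not part of the original page or of the OpenSSL documentation. It combines -topk8, -v2, -v2prf, -iter, -passout and -passin as described above to encrypt a throwaway key, then checks that the output really is encrypted, that it decrypts to the same key, and that a wrong pass phrase is rejected. The function names, temporary file names, pass phrases and the iteration count of 200000 are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the original page): write a key as encrypted PKCS#8
# with explicit PKCS#5 v2.0 parameters, then verify the result.

# First PEM line of file $1, e.g. "-----BEGIN ENCRYPTED PRIVATE KEY-----".
pem_label() { head -n 1 "$1"; }

# Wrap key $1 into encrypted PKCS#8 file $2. The pass phrase is read from file
# $3 so it does not appear in the process list or in shell history.
to_encrypted_pkcs8() {
    # 200000 iterations is an example value chosen here, not taken from the page.
    openssl pkcs8 -topk8 -in "$1" -out "$2" \
        -v2 aes256 -v2prf hmacWithSHA256 -iter 200000 -passout "file:$3"
}

# Decrypt PKCS#8 file $1 with pass phrase file $2 and print its public key.
pubkey_of_encrypted() {
    openssl pkcs8 -in "$1" -passin "file:$2" | openssl pkey -pubout
}

# Returns 0 only if every check on a freshly generated throwaway key passes.
roundtrip_check() {
    work=$(mktemp -d) || return 1
    old_umask=$(umask); umask 077      # key material readable by owner only
    printf '%s\n' 'constructed-sample-pass-phrase' > "$work/pass"
    printf '%s\n' 'constructed-wrong-pass-phrase' > "$work/badpass"
    rc=1
    if openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
           -out "$work/plain.pem" 2>/dev/null &&
       to_encrypted_pkcs8 "$work/plain.pem" "$work/enc.pem" "$work/pass" &&
       # 1. The output must carry the EncryptedPrivateKeyInfo PEM label.
       [ "$(pem_label "$work/enc.pem")" = \
         "-----BEGIN ENCRYPTED PRIVATE KEY-----" ] &&
       # 2. Decrypting must give back the same key (compared by public key).
       [ "$(pubkey_of_encrypted "$work/enc.pem" "$work/pass")" = \
         "$(openssl pkey -in "$work/plain.pem" -pubout)" ] &&
       # 3. A wrong pass phrase must be rejected.
       ! openssl pkcs8 -in "$work/enc.pem" -passin "file:$work/badpass" \
           >/dev/null 2>&1
    then rc=0; fi
    umask "$old_umask"; rm -rf "$work"
    return $rc
}

roundtrip_check && echo "encrypted PKCS#8 round trip OK"
```

If the label check reports "-----BEGIN PRIVATE KEY-----" instead, the key was written without encryption, which is what -nocrypt produces.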