How do you generate a certificate with a RSA key instead of a regular key?

id flag

I am trying to see how the certificate was made, I have a key file called a bundle file called and a key file called and I have no way of generating the same type of certificate as the old one, because the key in the start is a RSA key.

I have:


The old certificate has:


mfinni avatar
cn flag
Please oh please tell us something about your environment. What OS are you running on, so we can give advice using the tools you have, plus what you use the certificate for.
id flag
I am on Windows, but I have WSL2 installed.
mfinni avatar
cn flag
Cool, what about the other question I asked? Also, you'd be wise to edit your question with that info so that people will easily read it, rather than having to thread through our banter here in the comments.
jp flag

A PEM-block with type PRIVATE KEY contains a key in PKCS8 format (and more specifically PKCS8-unencrypted) which can be for any algorithm including RSA; to see which, do

openssl pkey -in pkcs8file -noout -text

If it is RSA, you can convert to PEM type RSA PRIVATE KEY, which contains the OpenSSL 'traditional' format, i.e. per-algorithm and not PKCS8, and more specifically defined by PKCS1, with

openssl rsa -in pkcs8file -out tradfile 
# or in 1.1.0 up 
openssl pkey -in pkcs8file -out tradfile -traditional 

On all of these you can omit -in file or -out file to use stdin or stdout respectively, which can be redirected or piped as supported by your OS (or for WSL, simulated OS) and shell. You can encrypt the traditional-format file by also specifying a (symmetric or PBE) cipher, but since you didn't encrypt the PKCS8-format file I don't know why you'd want to.

Conversely, you can convert a traditional-format key (RSA as you have, or other) to PKCS8 format using

openssl pkey -in tradfile -out pkcs8file
# default unencrypted but you can add a cipher to encrypt
# or
openssl pkcs8 -topk8 -in tradfile -out pkcs8file 
# default encrypted but add -nocrypt for unencrypted

Again you can use stdin/stdout and redirect or pipe.

However, you claim you have a 'key file called'. That is very unlikely. While the extension (if any!) of a filename does not actually control the contents, it is usually chosen (if present) to reflect the contents, and if that file was not named by a lunatic or sadist it most likely contains a certificate, not a key. Certificates (of the type relevant here, mostly X.509 or PKIX) can be used to distribute and manage public keys in a public-key system, particularly a public-key infrastructure or PKI which is the type of public-key system we use throughout the world for most things, but a certificate is not a key and a key is not a certificate, just as a car is not a steering wheel and a steering wheel is not a car.

mfinni avatar
cn flag
This is ServerFault, not StackOverflow, it's definitely a valid sysadmin-related question.

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.