The Private Key must be of type PKCS1 or PKCS8 in PEM format.

PKCS8 support was added in release 2.3.1

The easiest way to determine what type you have is to look at the certificate headers.

Example of a PKCS1 private key in PEM format

-----BEGIN RSA PRIVATE KEY-----
<YOUR PRIVATE KEY CONTENT>
-----END RSA PRIVATE KEY-----

Example of a PKCS8 (unencrypted) private key in PEM format

-----BEGIN PRIVATE KEY-----
<YOUR PRIVATE KEY CONTENT>
-----END PRIVATE KEY-----

Example of a PKCS8 (encrypted) private key in PEM format

-----BEGIN ENCRYPTED PRIVATE KEY-----
<YOUR PRIVATE KEY CONTENT>
-----END ENCRYPTED PRIVATE KEY-----
Encrypted private keys are not supported



To convert an unencrypted private key from PKCS8 to PKCS1 use the openssl command below:

openssl rsa -in xxxxx-private-no-rsa.pem.key -out xxxxx-private-converted.pem.key

OpenSSL 3+ does not support PKCS1 by default and you will need use -traditional on the openssl rsa command.

openssl rsa -in xxxxx-private-no-rsa.pem.key -traditional -out xxxxx-private-converted.pem.key
  • No labels

New to MQTT? Start Here!