Skip to content

feat: support --private-key with a PKCS#8 keypair #2653

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 3 commits into from
Sep 22, 2025
Merged

feat: support --private-key with a PKCS#8 keypair #2653

merged 3 commits into from
Sep 22, 2025

Conversation

@phlip9
Copy link
Contributor

@phlip9 phlip9 commented Sep 22, 2025

By delegating to the existing certcrypto.ParsePEMPrivateKey impl, we can additionally support user-generated keypairs that are PKCS#8 encoded (vs today only SEC1 for ECDSA or PKCS#1 for RSA). For example, openssl genpkey will use this format. PKCS#8 PEM blocks use -----BEGIN PRIVATE KEY----- instead of -----BEGIN EC PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY-----.

I tested this out manually, renewing an existing cert with a SEC1 keypair and generating a new one with an openssl-generate PKCS#8 keypair:

$ openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out test.key.pem
$ lego -d 'example.com' run --private-key 'test.key.pem`

Another location (generating a .pfx file) also tried to manually parse PEM private keys, so I took the liberty of switching that over to certcrypto.ParsePEMPrivateKey as well.

@phlip9
cmd: support --private-key with a PKCS#8 keypair
4ca34e5 
By delegating to the existing `certcrypto.ParsePEMPrivateKey` impl,
we can additionally support user-generated keypairs that are PKCS#8
encoded (vs just SEC1 for ECDSA or PKCS#1 for RSA). For example,
`openssl genpkey` will use this format.
@phlip9
cmd: use certcrypto.ParsePEMPrivateKey consistently
99a1dc9
@phlip9 phlip9 changed the title Cli pkcs8 private key cmd: support --private-key with a PKCS#8 keypair Sep 22, 2025
@ldez ldez changed the title cmd: support --private-key with a PKCS#8 keypair feat: support --private-key with a PKCS#8 keypair Sep 22, 2025
@ldez ldez self-requested a review September 22, 2025 19:40
@ldez ldez added this to the unreleased milestone Sep 22, 2025
ldez
ldez approved these changes Sep 22, 2025
View reviewed changes
Copy link
Member

@ldez ldez left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@ldez ldez merged commit ba156d5 into go-acme:master Sep 22, 2025
7 checks passed
@phlip9 phlip9 deleted the cli-pkcs8-private-key branch September 23, 2025 18:30
@ldez ldez modified the milestones: unreleased, v4.27 Oct 17, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ldez ldez ldez approved these changes

Assignees

No one assigned

Labels

area/cli enhancement

Milestone

v4.27

Development

Successfully merging this pull request may close these issues.

2 participants

@phlip9 @ldez