1. TL;DR
A file beginning with -----BEGIN CERTIFICATE----- is a certificate.
A file beginning with -----BEGIN RSA PRIVATE KEY----- follows the PKCS#1 specification, and its contents are just an RSA private key. It is essentially just the key object from PKCS#8, but without the version or algorithm identifier in front.
A file beginning with -----BEGIN PRIVATE KEY----- follows the PKCS#8 specification, which indicates that the key type is included in the key data itself.
2. More detail
The following is excerpted from the references, for anyone who needs it.
2.1 RSA Public Key File (PKCS#1)
The RSA Public key PEM file is specific for RSA keys.
It starts and ends with the tags:
-----BEGIN RSA PUBLIC KEY-----
BASE64 ENCODED DATA
-----END RSA PUBLIC KEY-----
Within the base64 encoded data the following DER structure is present:
RSAPublicKey ::= SEQUENCE {
    modulus           INTEGER,  -- n
    publicExponent    INTEGER   -- e
}
2.2 RSA Private Key File (PKCS#1)
The RSA private key PEM file is specific for RSA keys.
It starts and ends with the tags:
-----BEGIN RSA PRIVATE KEY-----
BASE64 ENCODED DATA
-----END RSA PRIVATE KEY-----
Within the base64 encoded data the following DER structure is present:
RSAPrivateKey ::= SEQUENCE {
    version           Version,
    modulus           INTEGER,  -- n
    publicExponent    INTEGER,  -- e
    privateExponent   INTEGER,  -- d
    prime1            INTEGER,  -- p
    prime2            INTEGER,  -- q
    exponent1         INTEGER,  -- d mod (p-1)
    exponent2         INTEGER,  -- d mod (q-1)
    coefficient       INTEGER,  -- (inverse of q) mod p
    otherPrimeInfos   OtherPrimeInfos OPTIONAL
}
2.3 Public Key File (PKCS#8)
Because RSA is not used exclusively inside X509 and SSL/TLS, a more generic key format is available in the form of PKCS#8, that identifies the type of public key and contains the relevant data.
It starts and ends with the tags:
-----BEGIN PUBLIC KEY-----
BASE64 ENCODED DATA
-----END PUBLIC KEY-----
Within the base64 encoded data the following DER structure is present:
PublicKeyInfo ::= SEQUENCE {
    algorithm       AlgorithmIdentifier,
    PublicKey       BIT STRING
}

AlgorithmIdentifier ::= SEQUENCE {
    algorithm       OBJECT IDENTIFIER,
    parameters      ANY DEFINED BY algorithm OPTIONAL
}
So for an RSA public key, the OID is 1.2.840.113549.1.1.1 and there is an RSAPublicKey as the PublicKey key data bit string.
2.4 Private Key File (PKCS#8)
Because RSA is not used exclusively inside X509 and SSL/TLS, a more generic key format is available in the form of PKCS#8, that identifies the type of private key and contains the relevant data.
The unencrypted PKCS#8 encoded data starts and ends with the tags:
-----BEGIN PRIVATE KEY-----
BASE64 ENCODED DATA
-----END PRIVATE KEY-----
Within the base64 encoded data the following DER structure is present:
PrivateKeyInfo ::= SEQUENCE {
    version         Version,
    algorithm       AlgorithmIdentifier,
    PrivateKey      OCTET STRING
}

AlgorithmIdentifier ::= SEQUENCE {
    algorithm       OBJECT IDENTIFIER,
    parameters      ANY DEFINED BY algorithm OPTIONAL
}
So for an RSA private key, the OID is 1.2.840.113549.1.1.1 and there is an RSAPrivateKey as the PrivateKey key data octet string.
The encrypted PKCS#8 encoded data starts and ends with the tags:
-----BEGIN ENCRYPTED PRIVATE KEY-----
BASE64 ENCODED DATA
-----END ENCRYPTED PRIVATE KEY-----
Within the base64 encoded data the following DER structure is present:
EncryptedPrivateKeyInfo ::= SEQUENCE {
    encryptionAlgorithm   EncryptionAlgorithmIdentifier,
    encryptedData         EncryptedData
}

EncryptionAlgorithmIdentifier ::= AlgorithmIdentifier

EncryptedData ::= OCTET STRING

The EncryptedData OCTET STRING is a PKCS#8 PrivateKeyInfo (see above).
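As an added example (not part of the original post or the referenced specifications), the following stdlib-only Python builds a toy RSA private key in both the PKCS#1 layout of section 2.2 and the PKCS#8 layout of section 2.4 with a small hand-written DER encoder, then reads both PEM files back and shows that the PKCS#8 PrivateKey OCTET STRING holds exactly the PKCS#1 RSAPrivateKey DER. The key parameters and all helper names are constructed for this example.

```python
import base64, textwrap
# rsaEncryption OID 1.2.840.113549.1.1.1 in DER: tag 06, length 09, then
# 2A (40*1+2), 86 48 (840), 86 F7 0D (113549), 01 01 01 (base-128, continuation bit set)
RSA_OID_DER = bytes.fromhex("06092a864886f70d010101")

def der(tag, body):  # one DER element: tag, length (short or long form), contents
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + body

def der_int(i):  # non-negative INTEGER; a leading 0x00 keeps it positive when the high bit is set
    return der(0x02, i.to_bytes((i.bit_length() + 8) // 8, "big"))

def pkcs1_rsa_private_key(n, e, d, p, q):  # RSAPrivateKey from section 2.2 (version 0)
    fields = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return der(0x30, b"".join(der_int(x) for x in fields))

def pkcs8_private_key_info(pkcs1_der):  # PrivateKeyInfo from section 2.4 around the PKCS#1 DER
    alg = der(0x30, RSA_OID_DER + b"\x05\x00")  # AlgorithmIdentifier with NULL parameters
    return der(0x30, der_int(0) + alg + der(0x04, pkcs1_der))

def to_pem(label, der_bytes):
    body = "\n".join(textwrap.wrap(base64.b64encode(der_bytes).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def tlv(buf, pos=0):  # read one DER element: (tag, contents, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes that follow
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length

def inspect_pem(pem):  # identify the PEM label and parse the structure it announces
    lines = pem.strip().splitlines()
    label = lines[0][len("-----BEGIN "):-len("-----")]
    _, seq, _ = tlv(base64.b64decode("".join(lines[1:-1])))
    _, _, pos = tlv(seq)  # both structures open with version INTEGER
    if label == "PRIVATE KEY":  # PKCS#8: AlgorithmIdentifier, then PrivateKey OCTET STRING
        _, alg, pos = tlv(seq, pos)
        _, inner, _ = tlv(seq, pos)
        return {"label": label, "rsa": alg.startswith(RSA_OID_DER), "inner": inner}
    if label == "RSA PRIVATE KEY":  # PKCS#1: modulus INTEGER comes next
        return {"label": label, "modulus": int.from_bytes(tlv(seq, pos)[1], "big")}
    return {"label": label}

# Toy RSA parameters, constructed for illustration only (far too small for real use)
P, Q, E, D = 61, 53, 17, 2753
PKCS1_DER = pkcs1_rsa_private_key(P * Q, E, D, P, Q)
PKCS1_PEM = to_pem("RSA PRIVATE KEY", PKCS1_DER)
PKCS8_PEM = to_pem("PRIVATE KEY", pkcs8_private_key_info(PKCS1_DER))
```

Feeding inspect_pem the inner bytes re-wrapped under the RSA PRIVATE KEY label yields the same modulus as the PKCS#1 file, which is the relationship the TL;DR describes.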