Using the library to encrypt a RSA private key compatible with Web Crypto API (PBKDF2)

Claude Robitaille claude-robitaille at
Wed Jul 22 20:36:30 UTC 2020

This is NOT about using the command line utility, it is about using the library in a program and exporting a private key, while encrypting it.

But first; I successfully tested the resulting key using the command-line and parameters iter 64000, hmacWithSHA512 and aes256. So I know for sure (at least I think so) that openssl 1.1.1 (I am using 1.1.1d as the development library) generates something compatible with the Web Crypt API importKey function (the parameters are the same as default in openCrypto, which is a wrapper around Web Crypto API).

Now, for my application. I am not sure how to do this. I normally use PEM_write_bio_PKCS8PrivateKey to generate a PEM string. That function do accept a passphrase and a cipher but it is not possible to set parameters. The default values, as I could gather by reading on the Internet are weak so I just do not want to lower the Web Crypto API end. How to proceed? Is there another function that can be used?

How does the command line utility do?

I looked at the EVP_KDF but soon realized it was not 1.1.1 but only in the new 3.0 beta stuff, which I prefer not to use now.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list