// identify and convert private key formats in-browser
Convert private keys between PEM, PKCS#8, and OpenSSH formats instantly in your browser. Auto-detects key type. No upload, 100% client-side and private.
Ready to convert
Paste a private key and choose a target formatPaste any private key in PEM, PKCS#8, or OpenSSH format into the input field.
Hit "Detect Format" to auto-identify your key, or choose the target format directly.
Click "Convert Key" and copy the result — ready for your server, script, or config.
Private keys come in several incompatible PEM-based formats. PKCS#1 (the classic RSA PRIVATE KEY) is RSA-specific. PKCS#8 (PRIVATE KEY) is the modern, algorithm-agnostic standard. OpenSSH uses its own custom binary format for SSH keys. This tool converts between all three entirely in your browser using the Web Crypto API — no server contact, no data leakage.
Yes. All conversion logic runs entirely in your browser using JavaScript and the Web Crypto API. No data is ever sent to a server — you can disconnect from the internet and the tool will still work. However, as always with private keys, exercise standard caution: only use trusted environments and devices.
PKCS#1 (-----BEGIN RSA PRIVATE KEY-----) is an older format specific to RSA keys. PKCS#8 (-----BEGIN PRIVATE KEY-----) is the modern, algorithm-agnostic standard recommended for new applications and supports RSA, EC, and other key types in a single unified format.
OpenSSH uses its own custom format (-----BEGIN OPENSSH PRIVATE KEY-----) that encodes keys as a binary blob in base64. It is the default format generated by ssh-keygen since OpenSSH 7.8 and is required for Ed25519 and ECDSA keys used with modern SSH clients.
Currently this tool handles unencrypted private keys. Encrypted keys (those requiring a passphrase) are not yet supported. To strip the passphrase before converting, use openssl rsa -in encrypted.pem -out unencrypted.pem on your local machine first.
The tool supports RSA keys (PKCS#1 and PKCS#8), EC (Elliptic Curve) keys using standard NIST curves (P-256, P-384, P-521), and Ed25519 keys via OpenSSH format. DSA keys are not supported due to deprecation in modern cryptographic standards.
This may happen if the key is encrypted with a passphrase, contains non-standard line endings, has been partially truncated, or is in an unsupported format like DSA or legacy PKCS#5. Check that you have copied the entire key including the header and footer lines.
The detector reads the PEM header line (e.g., BEGIN RSA PRIVATE KEY) to identify the format and key algorithm. For OpenSSH keys it also inspects the binary payload prefix. The detected algorithm and format are shown in the detection badge above the tool.
This tool focuses on private key formats. For public key conversion between SSH authorized_keys format and PEM SPKI format, see our PEM Inspector or SSH Public Key Parser tools. Public keys have different header markers and are handled separately.
Private cryptographic keys are the foundation of secure communications, code signing, and authentication in modern computing. Yet despite their critical importance, private keys come in several incompatible formats that can cause significant friction when working across different tools, servers, and platforms. This free browser-based tool solves that problem by converting private keys between the three most common formats — PKCS#1 PEM, PKCS#8 PEM, and OpenSSH — entirely in your browser.
💡 Looking for web development assets to accelerate your projects? MonsterONE offers unlimited downloads of templates, UI kits, and developer tools — worth checking out.
The diversity of private key formats stems from the evolution of cryptographic standards over several decades. Each format was designed with different goals: PKCS#1 optimized for RSA efficiency, PKCS#8 for algorithm agnosticism, and OpenSSH for compatibility with the SSH ecosystem. Understanding these differences is essential for any developer working with TLS certificates, SSH authentication, JWT signing, or code signing.
PKCS#1 (Public-Key Cryptography Standards #1) is the original RSA key format, standardized by RSA Security in the early 1990s. A PKCS#1 private key file begins with -----BEGIN RSA PRIVATE KEY----- and contains the full RSA private key parameters encoded in DER (Distinguished Encoding Rules) format, then base64-encoded. For EC keys, the equivalent is -----BEGIN EC PRIVATE KEY-----.
PKCS#1 keys are algorithm-specific — an RSA PKCS#1 key is explicitly RSA, an EC PKCS#1 key is explicitly EC. This explicitness was once an advantage but becomes limiting when building systems that need to handle multiple key types uniformly. Many legacy systems and older OpenSSL versions default to PKCS#1 for RSA keys.
PKCS#8 is the modern, recommended format for private keys. A PKCS#8 file begins with -----BEGIN PRIVATE KEY----- (unencrypted) or -----BEGIN ENCRYPTED PRIVATE KEY----- (passphrase-protected). The format wraps the key material in an algorithm-agnostic envelope that includes an AlgorithmIdentifier field, making it suitable for RSA, EC, Ed25519, and future algorithm types.
Modern tools, libraries, and standards strongly prefer PKCS#8. Java's KeyFactory, Node.js's crypto module, Go's x509 package, and Python's cryptography library all accept PKCS#8 as their primary format. When in doubt, converting to PKCS#8 is almost always the right move for interoperability.
Since OpenSSH 7.8 (released in 2018), ssh-keygen generates keys in a custom binary format wrapped in -----BEGIN OPENSSH PRIVATE KEY----- / -----END OPENSSH PRIVATE KEY----- headers. This format supports all OpenSSH key types including Ed25519 (which has no PKCS#1 equivalent), ECDSA, and RSA, and includes optional bcrypt-based passphrase encryption.
The OpenSSH format is required by modern SSH clients and is the default for any key generated with recent versions of OpenSSH. However, some older tools, Java SSH libraries, and non-OpenSSH implementations may require conversion to PKCS#8 or PKCS#1 first.
Private keys are highly sensitive credentials. When converting keys, always prioritize tools that process data client-side — this tool never transmits your key to any server. Additional best practices include: using passphrase protection for stored keys, restricting file permissions (chmod 600), avoiding pasting keys into chat applications or emails, and using hardware security modules (HSMs) for production environments.
This tool uses the Web Crypto API built into modern browsers for all cryptographic operations. The Web Crypto API is implemented in the browser's secure execution environment and is isolated from network access during key processing.
For environments where browser tools are not appropriate, OpenSSL provides equivalent functionality. To convert PKCS#1 to PKCS#8: openssl pkcs8 -topk8 -nocrypt -in pkcs1.pem -out pkcs8.pem. To convert PKCS#8 to PKCS#1: openssl rsa -in pkcs8.pem -out pkcs1.pem. For OpenSSH format generation: ssh-keygen -p -m PEM -f id_rsa. This browser tool provides the same conversions without requiring OpenSSL installation.