pemtrans: Convert OpenSSL RSA private keys to Cryptlib keysets

By Abhijit Menon-Sen <>

pemtrans reads an OpenSSL RSA private key and the corresponding signed public key certificate, and writes a PKCS #15 keyset that Cryptlib can use. The included manual page explains how to use the program.

OpenSSL stores private keys in an undocumented PEM format (the key data is DER-encoded and the result is ASCII-armoured), which Cryptlib does not support.

Key usage

Cryptlib requires (and respects) the KEYUSAGE attribute on certificates. Some certificates do not contain this attribute, and pemtrans issues a warning when it encounters them, because Cryptlib will probably reject it when you try to use it for something, e.g. in a TLS server.

OpenSSL, by default, does not set KEYUSAGE. This can be fixed by adding a line like the following to openssl.cnf before generating the key and certificate (the attributes specified here are enough for the result to be used in a TLS server):

keyUsage = cRLSign, digitalSignature, keyEncipherment, keyCertSign


Download pemtrans.tar.gz (from

Use, modification, and distribution of pemtrans is allowed without any limitations. There is no warranty, express or implied.

Please send questions and comments to