CryptoSys Home > PKI > Using an RSA private key in a PEM string to sign data with CryptoSys PKI

Using an RSA private key in a PEM string to sign data with CryptoSys PKI

This page gives code samples showing how to pass an RSA key as a string instead of using a filename when using CryptoSys PKI.

Question. When signing with RSA I want to avoid having to use my key file and work directly in memory. How do I do that?

Answer. Pass the RSA key as a PEM string. This page gives some code showing how to do that.

Getting the PEM string from an RSA key file

We need to do a one-off operation to save your existing key in PEM format, then you can use a normal text editor to edit the key for your subsequent code.

VBA/VB6

' Requires both `basCrPKIWrappers.bas` and `basCrPKI.bas` in the project

''' How to save an existing private key in PEM format
Public Sub SaveRsaKeyAsPem()
    Dim strPrivateKey As String
    Dim strNewFileName As String
    Dim nRet As Long
    ' A one-off operation
    ' Read in private key from file
    strPrivateKey = rsaReadAnyPrivateKey("AlicePrivRSASign.p8e", "password")
    Debug.Assert Len(strPrivateKey) > 0
    ' Now save in PEM format (textual)
    strNewFileName = "AliceRSA.pem"
    nRet = RSA_SaveEncPrivateKey(strNewFileName, strPrivateKey, 5000, "password", PKI_KEY_FORMAT_PEM)
    Debug.Assert nRet = 0
    Debug.Print "Saved new file " & strNewFileName
    ' Now edit this file with a text editor to copy the PEM string
End Sub

Output in PEM format

FILE: Alice.pem
(note this will different each time) 
-----BEGIN ENCRYPTED PRIVATE KEY-----
MIICojAcBgoqhkiG9w0BDAEDMA4ECFGCy5qfZqLaAgITiASCAoC+1K2nuPH2CX8/
Zc0VSVHO6wdKM18QCN2K3op7K8OMhflx7HM3h+XMvGz1PWU7O6GPKhdzkjhAfDyZ
2uKqz4E3D5q3mleCJXtizs27C3OT20NWaciecLPIWzjGBAa6M8XRzi7uvpwGO0NF
GCsst7PB5LH1QxuA7m+H8ZuqWcGtZgRgt3GanSsrFB9zxxKQS6b3KGq46Tg+MrNd
BTdyXWwRx7MY1aUz8AE8em08edsapgGfjt8A/atB4i5s5/vfcpaMh4ndALTRBb3t
pnqMOYjP3FFC719xnzJ8OtNdS9/cQ9V08pIEFrD3Jb9K7qEq8EKOi4PgIrRBRtC4
O4iA/OB+x6x3WRbUVkpvqp0YlMREtuF8xSLhX3NevEdFP8SWMqrqUb2j0i3fnBM/
xBIUv+nhdYx4yeXWXhfCN0Ic0kwFVTs1VvEmxxloERkpmDENDU6JOYrQ5AX3Ippv
KYBTjmoPVljU6iETcUUXto0jgSXwy3+GmxF/kdgb8Nlhj9A3uInA20N9iLKVFI3B
TeRxPet6uF2W/+14LApFrsgOg5ClfxpRbhTFNuydcxihoje2Evvh0rYpu1eiReEU
UEMJRSLrY9ZFDHKRWnJGcoxrUrFvCd0dGkH48jcTzb/cQ+DwRLtGJI2zyZ1bJ3Jq
vs9WPiBSm3DRUWK4VCgrufWLvl/KyLAZgEiYajZnQt1iN1VcfSURxtL+ZQG5tc7A
QE9mBC4UFSMuY2DAjmEg9PEEB2SWgk8QtliAEnYQljD+vroWe0dCV0S8iEzRlQ/B
Y9A5uYltcK1gweyvbbWhvIgfbCxjx6l6Zf3lIDe7R5UBCpPCgghOtZmVOh/fTrNB
F3j0h5Oq
-----END ENCRYPTED PRIVATE KEY-----
See the examples below on how to use this as a string.

C#

StringBuilder sbPrivateKey = Rsa.ReadPrivateKey("AlicePrivRSASign.p8e", "password");
int n = Rsa.SaveEncPrivateKey("AliceRSA1.pem", sbPrivateKey.ToString(), 5000, "password", 0, Rsa.Format.PEM);

Using a PEM string in a CryptoSys PKI RSA function

The following examples in VBA/VB6 and C# show how to sign the string "<doc>sign me<doc>" using the above RSA key passed as a hardcoded PEM string.

VBA/VB6

Public Sub MakeSigWithPemKey()
    Dim strSig64 As String
    Dim abData() As Byte
    Dim strPK As String
    ' Store private key in PEM format
    ' Hint: to avoid error "Too many line continuations", do this...
    strPK = ""
    strPK = strPK & "-----BEGIN ENCRYPTED PRIVATE KEY-----"
    strPK = strPK & "MIICojAcBgoqhkiG9w0BDAEDMA4ECFGCy5qfZqLaAgITiASCAoC+1K2nuPH2CX8/"
    strPK = strPK & "Zc0VSVHO6wdKM18QCN2K3op7K8OMhflx7HM3h+XMvGz1PWU7O6GPKhdzkjhAfDyZ"
    strPK = strPK & "2uKqz4E3D5q3mleCJXtizs27C3OT20NWaciecLPIWzjGBAa6M8XRzi7uvpwGO0NF"
    strPK = strPK & "GCsst7PB5LH1QxuA7m+H8ZuqWcGtZgRgt3GanSsrFB9zxxKQS6b3KGq46Tg+MrNd"
    strPK = strPK & "BTdyXWwRx7MY1aUz8AE8em08edsapgGfjt8A/atB4i5s5/vfcpaMh4ndALTRBb3t"
    strPK = strPK & "pnqMOYjP3FFC719xnzJ8OtNdS9/cQ9V08pIEFrD3Jb9K7qEq8EKOi4PgIrRBRtC4"
    strPK = strPK & "O4iA/OB+x6x3WRbUVkpvqp0YlMREtuF8xSLhX3NevEdFP8SWMqrqUb2j0i3fnBM/"
    strPK = strPK & "xBIUv+nhdYx4yeXWXhfCN0Ic0kwFVTs1VvEmxxloERkpmDENDU6JOYrQ5AX3Ippv"
    strPK = strPK & "KYBTjmoPVljU6iETcUUXto0jgSXwy3+GmxF/kdgb8Nlhj9A3uInA20N9iLKVFI3B"
    strPK = strPK & "TeRxPet6uF2W/+14LApFrsgOg5ClfxpRbhTFNuydcxihoje2Evvh0rYpu1eiReEU"
    strPK = strPK & "UEMJRSLrY9ZFDHKRWnJGcoxrUrFvCd0dGkH48jcTzb/cQ+DwRLtGJI2zyZ1bJ3Jq"
    strPK = strPK & "vs9WPiBSm3DRUWK4VCgrufWLvl/KyLAZgEiYajZnQt1iN1VcfSURxtL+ZQG5tc7A"
    strPK = strPK & "QE9mBC4UFSMuY2DAjmEg9PEEB2SWgk8QtliAEnYQljD+vroWe0dCV0S8iEzRlQ/B"
    strPK = strPK & "Y9A5uYltcK1gweyvbbWhvIgfbCxjx6l6Zf3lIDe7R5UBCpPCgghOtZmVOh/fTrNB"
    strPK = strPK & "F3j0h5Oq"
    strPK = strPK & "-----END ENCRYPTED PRIVATE KEY-----"

    ' Now sign some data (first first encode Unicode string as bytes)
    abData = StrConv("<doc>sign me<doc>", vbFromUnicode)
    strSig64 = sigSignData(abData, strPK, "password", "sha256WithRSAEncryption")
    Debug.Print strSig64

End Sub

C#

string pk = "-----BEGIN ENCRYPTED PRIVATE KEY-----" +
	"MIICojAcBgoqhkiG9w0BDAEDMA4ECFGCy5qfZqLaAgITiASCAoC+1K2nuPH2CX8/" +
	"Zc0VSVHO6wdKM18QCN2K3op7K8OMhflx7HM3h+XMvGz1PWU7O6GPKhdzkjhAfDyZ" +
	"2uKqz4E3D5q3mleCJXtizs27C3OT20NWaciecLPIWzjGBAa6M8XRzi7uvpwGO0NF" +
	"GCsst7PB5LH1QxuA7m+H8ZuqWcGtZgRgt3GanSsrFB9zxxKQS6b3KGq46Tg+MrNd" +
	"BTdyXWwRx7MY1aUz8AE8em08edsapgGfjt8A/atB4i5s5/vfcpaMh4ndALTRBb3t" +
	"pnqMOYjP3FFC719xnzJ8OtNdS9/cQ9V08pIEFrD3Jb9K7qEq8EKOi4PgIrRBRtC4" +
	"O4iA/OB+x6x3WRbUVkpvqp0YlMREtuF8xSLhX3NevEdFP8SWMqrqUb2j0i3fnBM/" +
	"xBIUv+nhdYx4yeXWXhfCN0Ic0kwFVTs1VvEmxxloERkpmDENDU6JOYrQ5AX3Ippv" +
	"KYBTjmoPVljU6iETcUUXto0jgSXwy3+GmxF/kdgb8Nlhj9A3uInA20N9iLKVFI3B" +
	"TeRxPet6uF2W/+14LApFrsgOg5ClfxpRbhTFNuydcxihoje2Evvh0rYpu1eiReEU" +
	"UEMJRSLrY9ZFDHKRWnJGcoxrUrFvCd0dGkH48jcTzb/cQ+DwRLtGJI2zyZ1bJ3Jq" +
	"vs9WPiBSm3DRUWK4VCgrufWLvl/KyLAZgEiYajZnQt1iN1VcfSURxtL+ZQG5tc7A" +
	"QE9mBC4UFSMuY2DAjmEg9PEEB2SWgk8QtliAEnYQljD+vroWe0dCV0S8iEzRlQ/B" +
	"Y9A5uYltcK1gweyvbbWhvIgfbCxjx6l6Zf3lIDe7R5UBCpPCgghOtZmVOh/fTrNB" +
	"F3j0h5Oq" +
	"-----END ENCRYPTED PRIVATE KEY-----";
byte[] data = System.Text.Encoding.Default.GetBytes("<doc>sign me<doc>");
string sig64 = Sig.SignData(data, pk, "password", SigAlgorithm.Rsa_Sha256);
Console.WriteLine(sig64);

Alternative formats

In the above examples we used an encrypted RSA key. You can also do the same for an unencrypted key (PrivateKeyInfo) and a public key. The CryptoSys PKI functions will accept any of the alternative formats obtained below.

Unencrypted Private RSA Key

For an unencrypted RSA private key without a password, use the following to save in PEM format 
nRet = RSA_SavePrivateKeyInfo(strNewFileName, strPrivateKey, PKI_KEY_FORMAT_PEM)

n = Rsa.SavePrivateKeyInfo("AliceRSA1.p8", sbPrivateKey.ToString(), Rsa.Format.PEM);

-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
If you need the OpenSSL private key format, use the option PKI_KEY_FORMAT_SSL/Rsa.Format.SSL 
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

Public RSA Key

For a public RSA key, use the following to save in PEM format 
strPublicKey = rsaReadAnyPublicKey("AliceRSASignByCarl.cer")
nRet = RSA_SavePublicKey(strNewFileName, strPublicKey, PKI_KEY_FORMAT_PEM)

string strPubKey = Rsa.ReadPublicKey("AliceRSASignByCarl.cer").ToString();
n = Rsa.SavePublicKey("AliceRSAPub.p1", strPubKey, Rsa.Format.PEM);

-----BEGIN RSA PUBLIC KEY-----
-----END RSA PUBLIC KEY-----
If you need the OpenSSL public key format, use the option PKI_KEY_FORMAT_SSL/Rsa.Format.SSL 
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----

Contact us

To contact us or comment on this page, please send us a message.

[Go to top]

This page last updated 10 September 2025

HTML5 Powered reload
Copyright © 2020 D.I. Management Services Pty Limited t/a CryptoSys ABN 78 083 210 584 Australia. All rights reserved.
<https://di-mgt.com.au>   <https://cryptosys.net>

CryptoSys Home | CryptoSys PKI Home | Contact us