Chilkat.PrivateKey Class Overview

Chilkat.PrivateKey represents a private key and provides methods for loading, exporting, saving, converting, inspecting, and uploading private keys. It supports common private-key formats including PKCS#1, PKCS#8, encrypted PKCS#8, PEM, encrypted PEM, JWK, XML, PVK, raw Ed25519/ECDSA key material, and general “load any format” workflows.

What the Class Is Used For

Use Chilkat.PrivateKey when an application needs to import, export, convert, persist, or inspect private keys used by other Chilkat cryptographic classes. It can load keys from files or memory, export them in binary DER, PEM, JWK, XML, or raw hex formats, save them to files, derive the public key, and upload private-key material to cloud key services such as AWS KMS or Azure Key Vault.

Load Many Formats: Load private keys from PKCS#1, PKCS#8, encrypted PKCS#8, PEM, encrypted PEM, JWK, XML, PVK, and other recognized formats.
Export and Convert: Export private keys as DER, PEM, encrypted PEM, JWK, XML, raw hex, or encoded strings such as Base64 or hex.
Support Multiple Key Types: Work with RSA, DSA, ECC/ECDSA, and Ed25519 private keys.
Integrate with Other Classes: Pass private keys to classes such as Rsa, Ecc, signing classes, certificate workflows, and cloud-key upload workflows.

Typical Workflow

  1. Load a private key from memory or file using LoadAnyFormat, LoadAnyFormatFile, or a format-specific Load* method.
  2. Check KeyType and BitLength to confirm the key was loaded as expected.
  3. Use ToPublicKey when the corresponding public key is needed.
  4. Export the key in the desired format using methods such as GetPkcs8Pem, GetPkcs8EncryptedPem, GetJwk, or GetXml.
  5. Save the key to disk with SavePkcs8File, SavePkcs8PemFile, SavePkcs8EncryptedFile, or another save method.
  6. For encrypted PKCS#8 output, set Pkcs8EncryptAlg before exporting or saving.
  7. Check LastErrorText after any failed load, export, save, conversion, or upload operation.

Core Concepts

| Concept | Meaning | Important Members |
|---|---|---|
| Private Key Object | Holds a loaded or generated private key in memory so it can be exported, saved, converted, or used by other Chilkat classes. | LoadAnyFormat, LoadAnyFormatFile, KeyType |
| Key Type | Identifies the private-key algorithm. | KeyType: rsa, dsa, ecc, ed25519 |
| DER vs PEM | DER is binary ASN.1. PEM is Base64 text with header and footer lines. | GetPkcs8, GetPkcs8Pem, LoadPem |
| PKCS#1 vs PKCS#8 | PKCS#1 is commonly associated with RSA private-key structure. PKCS#8 is a general private-key container format for multiple algorithms. | GetPkcs1, GetPkcs8, LoadPkcs8 |
| Encrypted PKCS#8 | A password-protected PKCS#8 private-key format. | GetPkcs8Encrypted, LoadPkcs8Encrypted, Pkcs8EncryptAlg |
| JWK | JSON Web Key format for representing RSA, ECC, and Ed25519 private keys in JSON. | LoadJwk, GetJwk, GetJwkThumbprint |

Core Properties

| Property | Purpose | Guidance |
|---|---|---|
| BitLength | Returns the bit length, or strength, of the private key. | Useful for confirming expected key size after loading or generating a key. |
| KeyType | Returns the private-key type. | Can be empty, rsa, dsa, ecc, or ed25519. |
| Pkcs8EncryptAlg | Selects the encryption algorithm used when exporting encrypted PKCS#8. | Default is 3des. Other choices include aes128, aes192, and aes256. All use CBC mode. |
| UncommonOptions | Catch-all property for uncommon needs. | Defaults to the empty string and should typically remain empty. |
| LastErrorText | Diagnostic text for the last method or property access. | Check after failures or unexpected results. Diagnostic information may be available regardless of success or failure. |

Loading Private Keys

| Input Format | Memory Method | File Method |
|---|---|---|
| Any recognized format | LoadAnyFormat | LoadAnyFormatFile |
| Unencrypted PEM | LoadPem | LoadPemFile |
| Encrypted PEM | LoadEncryptedPem | LoadEncryptedPemFile |
| PKCS#1 DER | LoadPkcs1 | LoadPkcs1File |
| PKCS#8 DER | LoadPkcs8 | LoadPkcs8File |
| Encrypted PKCS#8 DER | LoadPkcs8Encrypted | LoadPkcs8EncryptedFile |
| JWK | LoadJwk | Use file read + LoadJwk, or use LoadAnyFormatFile. |
| PVK | LoadPvk | LoadPvkFile |
| XML | LoadXml | LoadXmlFile |
| Raw Ed25519 key pair | LoadEd25519 | Not applicable. |

Auto-recognition: The documentation notes that the private-key load methods auto-recognize content and parse appropriately. In many cases, a key can still load successfully even if the content is passed to a method whose name suggests a different format.

PEM and DER Format Guide

| Format | Typical PEM Header | Purpose |
|---|---|---|
| PKCS#1 PEM | -----BEGIN RSA PRIVATE KEY----- | Common unencrypted RSA private-key PEM format. |
| PKCS#8 PEM | -----BEGIN PRIVATE KEY----- | General unencrypted private-key container format. |
| Encrypted PKCS#8 PEM | -----BEGIN ENCRYPTED PRIVATE KEY----- | Password-protected PKCS#8 private-key format. |
| DER | Binary data, no PEM header. | Binary ASN.1 representation used by PKCS#1, PKCS#8, and encrypted PKCS#8. |

Encrypted PEM loading: Use LoadEncryptedPem or LoadEncryptedPemFile when the PEM contains an encrypted private key. Use LoadPem for unencrypted PKCS#1 or PKCS#8 PEM.
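
An added example, not Chilkat code and not part of the original documentation: a Python classifier that identifies a key by the PEM headers in the guide above and, for DER, by its ASN.1 layout, and reports whether it is encrypted. This is the check to run when auditing key files at rest or choosing between LoadPem and LoadEncryptedPem. The function names and SAMPLE_* byte strings are constructed for illustration and contain no real key material; the Proc-Type test for legacy encrypted PEM is standard PEM behaviour, not something this page documents.

```python
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
PEM_LABELS = {                                # headers from the format guide
    b"RSA PRIVATE KEY": "pkcs1",
    b"PRIVATE KEY": "pkcs8",
    b"ENCRYPTED PRIVATE KEY": "encrypted-pkcs8",
}
DER_SHAPES = {                                # (outer, first, second) DER tags
    (0x30, 0x02, 0x02): "pkcs1",              # version, then modulus INTEGER
    (0x30, 0x02, 0x30): "pkcs8",              # version, then AlgorithmIdentifier
    (0x30, 0x30, 0x04): "encrypted-pkcs8",    # AlgorithmIdentifier, ciphertext
}
# Constructed DER skeletons: correct ASN.1 shape, no real key material.
SAMPLE_PKCS1 = bytes.fromhex("3006020100020101")
SAMPLE_PKCS8 = bytes.fromhex("300d020100300506032b6570040100")
SAMPLE_ENC_PKCS8 = bytes.fromhex("300a300506032a0304040100")

def _tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def classify_der(der):
    """Tell the three DER layouts apart by their first two inner elements."""
    try:
        outer, start, _ = _tlv(der, 0)
        first, _, nxt = _tlv(der, start)
        return DER_SHAPES.get((outer, first, _tlv(der, nxt)[0]), "unknown")
    except ValueError:
        return "unknown"

def classify_key(data):
    """Return (format, encrypted) for PEM or DER private-key bytes."""
    m = PEM_RE.search(data)
    if not m:
        fmt = classify_der(data)
        return fmt, fmt == "encrypted-pkcs8"
    fmt = PEM_LABELS.get(m.group(1), "unknown")
    # Legacy encrypted PEM keeps the PKCS#1 header and adds a Proc-Type line.
    encrypted = fmt == "encrypted-pkcs8" or b"Proc-Type: 4,ENCRYPTED" in m.group(2)
    return fmt, encrypted
```

The DER match is a shape heuristic: it looks only at the first two inner elements, so treat "pkcs1" on DER input as "PKCS#1-style" and confirm with KeyType after loading.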

Exporting Private Keys

| Output Format | Binary / Encoded Method | PEM / Text Method |
|---|---|---|
| JWK | Not applicable. | GetJwk, GetJwkThumbprint |
| PKCS#1 DER | GetPkcs1, GetPkcs1ENC | GetPkcs1Pem |
| PKCS#8 DER | GetPkcs8, GetPkcs8ENC | GetPkcs8Pem |
| Encrypted PKCS#8 DER | GetPkcs8Encrypted, GetPkcs8EncryptedENC | GetPkcs8EncryptedPem |
| PKCS#1 or PKCS#8 into BinData | GetPkcsBd | Not applicable. |
| Raw Ed25519 / ECDSA hex | Not applicable. | GetRawHex |
| XML | Not applicable. | GetXml |

Encoded output: Methods ending in ENC return binary key data as text using the requested encoding, such as base64 or hex.

Saving Private Keys

| Saved Format | Method | Notes |
|---|---|---|
| Unencrypted PKCS#1 PEM | SavePemFile | Saves the key to an unencrypted PKCS#1 PEM file. |
| Unencrypted PKCS#1 DER | SavePkcs1File | Saves binary PKCS#1 private-key data. |
| Unencrypted PKCS#8 DER | SavePkcs8File | Saves binary PKCS#8 private-key data. Starting in Chilkat v10.0.0 on macOS, keychain:<label> can be used to save to Apple Keychain. |
| Unencrypted PKCS#8 PEM | SavePkcs8PemFile | Saves a PKCS#8 PEM file. |
| Encrypted PKCS#8 DER | SavePkcs8EncryptedFile | Saves password-protected PKCS#8 DER. Encryption is controlled by Pkcs8EncryptAlg. |
| Encrypted PKCS#8 PEM | SavePkcs8EncryptedPemFile | Saves password-protected PKCS#8 PEM. Encryption is controlled by Pkcs8EncryptAlg. |
| XML | SaveXmlFile | Saves the private key in XML format. |

Encrypted PKCS#8 Options

| Property / Method | Purpose | Details |
|---|---|---|
| Pkcs8EncryptAlg | Chooses the encryption algorithm for encrypted PKCS#8 export. | Default is 3des. Also supports aes128, aes192, and aes256. All choices use CBC mode. |
| GetPkcs8Encrypted | Exports encrypted PKCS#8 DER as bytes. | Requires a password. |
| GetPkcs8EncryptedENC | Exports encrypted PKCS#8 DER as encoded text. | Requires an encoding and password. |
| GetPkcs8EncryptedPem | Exports encrypted PKCS#8 as PEM text. | Requires a password. |
| SavePkcs8EncryptedFile | Saves encrypted PKCS#8 DER to a file. | Requires a password and path. |
| SavePkcs8EncryptedPemFile | Saves encrypted PKCS#8 PEM to a file. | Requires a password and path. |

Best practice: Use encrypted PKCS#8 when saving private keys to disk unless the application has a specific reason to write an unencrypted private key.

JWK and JWK Thumbprints

| Method | Purpose | Supported Key Types |
|---|---|---|
| LoadJwk | Loads a private key from a JSON Web Key string. | RSA, ECC, and Ed25519 JWK examples are documented. |
| GetJwk | Exports the private key in JWK format. | RSA, ECC, and Ed25519. |
| GetJwkThumbprint | Returns the JWK thumbprint for the private key according to RFC 7638. | Hash algorithm is specified by the hashAlg argument. |

JWK structure: RSA JWKs include values such as n, e, d, p, and q. ECC JWKs include crv, x, y, and d. Ed25519 JWKs use kty: OKP and crv: Ed25519.
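
An added example, not Chilkat code: the RFC 7638 computation behind a JWK thumbprint, in plain Python, showing that only the public members named above enter the hash (never d, p or q), so the thumbprint of a private JWK equals that of its public key and is safe to log as a key identifier. The function name and hash_alg parameter are this example's own, and the sample key is the public Ed25519 test key from RFC 8037 Appendix A.

```python
import base64
import hashlib
import json

# Required members per key type (RFC 7638 section 3.2; OKP per RFC 8037).
REQUIRED = {
    "RSA": ("e", "kty", "n"),
    "EC": ("crv", "kty", "x", "y"),
    "OKP": ("crv", "kty", "x"),
}

def jwk_thumbprint(jwk, hash_alg="sha256"):
    """Hash the canonical JSON of the required public members only."""
    try:
        names = REQUIRED[jwk["kty"]]
    except KeyError:
        raise ValueError("unsupported or missing kty")
    missing = [n for n in names if n not in jwk]
    if missing:
        raise ValueError(f"JWK lacks required members: {missing}")
    # Canonical form: lexicographic member order, no whitespace, UTF-8.
    canonical = json.dumps(
        {n: jwk[n] for n in names}, sort_keys=True, separators=(",", ":")
    ).encode("utf-8")
    digest = hashlib.new(hash_alg, canonical).digest()
    # base64url without padding, as RFC 7638 specifies.
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

# Published test key from RFC 8037 Appendix A (never use it for real data).
RFC8037_PRIVATE_JWK = {
    "kty": "OKP",
    "crv": "Ed25519",
    "d": "nWGxne_9WmC6hEr0kuwsxERJxWl7MmkZcDusAxyuf2A",
    "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo",
}

def public_only(jwk):
    """Copy of the JWK with every member outside the required set dropped."""
    return {k: v for k, v in jwk.items() if k in REQUIRED.get(jwk.get("kty"), ())}
```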

Raw Hex Export for Ed25519 and ECDSA

| Method | Private Key Output | Public Key Output |
|---|---|---|
| GetRawHex | Returns the private key in lowercase raw hex. | Writes the public key to the supplied StringBuilder. |

Applicability: GetRawHex applies only to Ed25519 and ECDSA keys. RSA keys cannot be returned as a simple raw hex string because an RSA private key is composed of multiple parts, including modulus, exponent, primes, and other values.

Raw key details: Ed25519 private and public keys are 32 bytes each, or 64 hex characters. For EC keys, the private key length depends on the curve, and the public key is formatted as 04 || HEX(x) || HEX(y).
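
An added example, not part of the Chilkat documentation: a validator for raw public-key hex in the layouts described above, which rejects wrong lengths, a missing 04 prefix and points that are not on the curve before the value is trusted. It assumes NIST P-256 for the EC case (the page does not fix a curve); the function name is hypothetical and the sample input is the P-256 base point.

```python
# NIST P-256 field prime and curve constant b (curve choice is an assumption).
P256_P = 0xFFFFFFFF00000001000000000000000000000000FFFFFFFFFFFFFFFFFFFFFFFF
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B

# Sample input: the P-256 base point G in 04 || x || y form (public constant).
SAMPLE_P256_PUB = (
    "04"
    "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
    "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5"
)

def parse_raw_public_hex(kind, hex_str):
    """Validate raw public-key hex; return bytes (Ed25519) or (x, y) (P-256)."""
    raw = bytes.fromhex(hex_str)          # ValueError on non-hex or odd length
    if kind == "ed25519":
        if len(raw) != 32:
            raise ValueError("Ed25519 public key must be 32 bytes (64 hex chars)")
        return raw
    if kind == "p256":
        if len(raw) != 65 or raw[0] != 0x04:
            raise ValueError("expected 04 || x || y with 32-byte coordinates")
        x = int.from_bytes(raw[1:33], "big")
        y = int.from_bytes(raw[33:], "big")
        if x >= P256_P or y >= P256_P:
            raise ValueError("coordinate outside the field")
        # The point must satisfy y^2 = x^3 - 3x + b (mod p).
        if (y * y - (x * x * x - 3 * x + P256_B)) % P256_P != 0:
            raise ValueError("point is not on P-256")
        return x, y
    raise ValueError("unsupported key kind")
```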

Public Key Extraction

| Method | Purpose | Use Case |
|---|---|---|
| ToPublicKey | Extracts the public-key portion of the private key into a PublicKey object. | Use when the private key is loaded and the corresponding public key is needed for verification, encryption, publication, or comparison. |

Cloud Upload

| Method | Purpose | Inputs / Outputs |
|---|---|---|
| UploadToCloud | Uploads the private key to a cloud service, such as AWS KMS or Azure Key Vault. | Uses a JsonObject for input options and a JsonObject for output results. |

Open-ended design: UploadToCloud is intentionally flexible so cloud-key upload details can be supplied through JSON.

Method Summary by Category

| Category | Methods | Purpose |
|---|---|---|
| General loading | LoadAnyFormat, LoadAnyFormatFile | Load private keys from many recognized formats with optional password. |
| Format-specific loading | LoadPem, LoadEncryptedPem, LoadPkcs1, LoadPkcs8, LoadPkcs8Encrypted, LoadJwk, LoadPvk, LoadXml, LoadEd25519 | Load keys from a known format or key representation. |
| DER / PEM export | GetPkcs1, GetPkcs1Pem, GetPkcs8, GetPkcs8Pem, GetPkcs8Encrypted, GetPkcs8EncryptedPem | Export private keys in common binary or PEM formats. |
| Encoded export | GetPkcs1ENC, GetPkcs8ENC, GetPkcs8EncryptedENC | Return DER key data as encoded text. |
| JWK / XML / raw export | GetJwk, GetJwkThumbprint, GetXml, GetRawHex | Export private keys in JSON, XML, or raw key formats. |
| Saving to files | SavePemFile, SavePkcs1File, SavePkcs8File, SavePkcs8PemFile, SavePkcs8EncryptedFile, SavePkcs8EncryptedPemFile, SaveXmlFile | Persist the private key to disk, Apple Keychain, or XML. |
| Conversion / integration | ToPublicKey, UploadToCloud | Extract the public key or upload the private key to a cloud service. |

Diagnostics and Troubleshooting

| Problem Area | Member | What to Check |
|---|---|---|
| Key load failed | LastErrorText | Check the password, file path, input bytes, PEM text, and whether the key is encrypted. |
| Wrong key type after loading | KeyType | Confirm whether the loaded key is rsa, dsa, ecc, or ed25519. |
| Unexpected key strength | BitLength | Check the bit length after loading to ensure the expected key was imported. |
| Encrypted PKCS#8 output uses unexpected algorithm | Pkcs8EncryptAlg | Set Pkcs8EncryptAlg before calling encrypted PKCS#8 export or save methods. |
| Raw hex export fails | GetRawHex | Confirm the key is Ed25519 or ECDSA. RSA keys cannot be represented in this simple raw format. |
| Public key extraction fails | ToPublicKey, LastErrorText | Confirm the private key is valid and fully loaded. |
| Cloud upload fails | UploadToCloud, jsonIn, jsonOut | Inspect input JSON, output JSON, and LastErrorText for service-specific details. |

Common Pitfalls

| Pitfall | Better Approach |
|---|---|
| Using LoadPem for encrypted PEM. | Use LoadEncryptedPem or LoadEncryptedPemFile and provide the password. |
| Assuming PKCS#1 is the right output format for every key type. | Use PKCS#8 for a general private-key container format, especially when working with multiple key algorithms. |
| Saving private keys unencrypted without considering security requirements. | Prefer encrypted PKCS#8 output when storing private keys on disk. |
| Trying to export an RSA key using GetRawHex. | Use PKCS#1, PKCS#8, PEM, JWK, or XML for RSA keys. |
| Forgetting to set Pkcs8EncryptAlg before encrypted export. | Set it before calling encrypted PKCS#8 methods when a specific encryption algorithm is required. |
| Ignoring KeyType after using auto-recognition. | Confirm the loaded key type before passing the key to RSA, ECC, Ed25519, or other algorithm-specific operations. |

Best Practices

| Recommendation | Reason |
|---|---|
| Use LoadAnyFormat or LoadAnyFormatFile for flexible imports. | These methods are convenient when the key format may vary. |
| Check KeyType and BitLength after loading. | This confirms the key type and strength before using the key. |
| Use encrypted PKCS#8 for persisted private keys. | It provides password protection and supports multiple private-key types. |
| Set Pkcs8EncryptAlg explicitly when policy requires AES. | The default is 3des, while AES options include aes128, aes192, and aes256. |
| Use ToPublicKey instead of manually parsing key material. | It directly extracts the public-key portion into a PublicKey object. |
| Use JWK for JSON-based protocols and PKCS#8/PEM for general interoperability. | These formats are common in web, API, certificate, and cryptographic toolchain workflows. |
| Keep UncommonOptions empty unless a specific need exists. | It is intended as a catch-all for uncommon behavior and normally should not be used. |
| Check LastErrorText after failures. | It provides the most useful diagnostic detail for loading, parsing, exporting, saving, conversion, and cloud-upload operations. |

Summary

Chilkat.PrivateKey is the central Chilkat class for handling private-key material. It loads private keys from many formats, exports them to PKCS#1, PKCS#8, encrypted PKCS#8, PEM, JWK, XML, raw Ed25519/ECDSA hex, and encoded strings, saves them to files, extracts the corresponding public key, and supports cloud-key upload workflows.

The most important practical guidance is to load flexibly, verify the resulting KeyType and BitLength, and use encrypted PKCS#8 when storing private keys outside protected key stores.