From 0f890e0efb67794e51e8401be54d9c21a01fe0dd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Wei=C3=9Fe?= <dw@edgeless.systems>
Date: Wed, 5 Feb 2025 09:38:23 +0100
Subject: [PATCH] docs: add hint about converting key to PKCS#8 format
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Daniel Weiße <dw@edgeless.systems>
---
 .../version-1.7/workflows/recover-coordinator.md    | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/docs/versioned_docs/version-1.7/workflows/recover-coordinator.md b/docs/versioned_docs/version-1.7/workflows/recover-coordinator.md
index a357b1a3..3f707193 100644
--- a/docs/versioned_docs/version-1.7/workflows/recover-coordinator.md
+++ b/docs/versioned_docs/version-1.7/workflows/recover-coordinator.md
@@ -26,6 +26,19 @@ Assuming you named your recovery key `recoverKey1` in the manifest, and you save
 jq -r '.RecoverySecrets.recoverKey1' recovery_data | openssl base64 -d > recovery_key_encrypted
 ```
 
+:::caution
+
+If you generated the private recovery key using `openssl` version 1, the key will be in PKCS #1 format.
+MarbleRun requires the key to be in PKCS #8 format.
+
+Use the following command to convert the key:
+
+```bash
+openssl pkcs8 -topk8 -inform PEM -outform PEM -in private_key.pem -out private_key_pkcs8.pem -nocrypt
+```
+
+:::
+
 Then decrypt and upload the extracted secret using the MarbleRun CLI:
 
 ```bash