pkey public key extraction

Tomas Mraz tomas at
Wed Sep 20 13:26:53 UTC 2023

On Wed, 2023-09-20 at 07:28 +0000, Doody, Stephen via openssl-users
> Classification: Public
> Hi,
> I'm hoping someone can point me in the right direction.
> We have a pem file that a colleague believes contains a private and a
> public key.
> They want to extract the public key from the file and deploy that, so
> a 3rd party service can access our system.
> The command they suggested was:
> openssl pkey -in ourcert.pem -pubout -out pubkey1.pem
> The pubkey.pem file that is created only contains the public key and
> nothing else, so the 3rd party service can no longer connect to our
> system as it doesn't recognise this as a valid certificate and
> complained that it was not trusted.
> I've read through the man pages for pkey and x509 and I've also tried
> this:
> openssl x509 -in ourcert.pem -pubkey -out pubkey2.pem
> The 3rd party service can now connect to our system but viewing the
> details of the pubkey2.pem file it looks identical to the original
> ourcert.pem file.
> Is pkey or x509 the right way to do this?
> If it is pkey, how do I extract the public key so that it generates a
> valid certificate?
> For info we're running openssl version 1.0.2k-fips on Centos 7 in an
> AWS EC2 instance.
> Thanks for any suggestions.
> Steve

The x509 command does not output private keys. That means if the output
of it (pubkey2.pem) is identical to the input file (ourcert.pem), the
input file does not contain any private keys. For the input file to
contain a private key it would have to have the
-----BEGIN PRIVATE KEY----- or similar PEM header with KEY in the name.
A certificate has a -----BEGIN CERTIFICATE----- header.

Tomáš Mráz, OpenSSL
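
Added example (not part of the original message and not OpenSSL code): a shell check that lists the PEM block labels in a file, so you can confirm it holds no private key before handing it to a third party. The function names, sample file names and placeholder bodies are constructed for illustration.

```shell
#!/bin/sh
# Classify the PEM blocks in a file by their BEGIN labels.

# Print the label of every PEM block, one per line (e.g. "CERTIFICATE").
# [[:space:]]* tolerates trailing blanks or a CR from Windows line endings.
pem_labels() {
    sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1"
}

# Exit 0 if any block is a private key: "PRIVATE KEY", "RSA PRIVATE KEY",
# "EC PRIVATE KEY", "ENCRYPTED PRIVATE KEY". "PUBLIC KEY" does not match.
pem_has_private_key() {
    pem_labels "$1" | grep -q 'PRIVATE KEY$'
}

# One-line summary of what the file contains.
pem_summary() {
    pem_labels "$1" | awk '
        /PRIVATE KEY$/ { priv++; next }
        /PUBLIC KEY$/  { pub++;  next }
        /CERTIFICATE$/ { cert++; next }
                       { other++ }
        END { printf "certificates=%d private_keys=%d public_keys=%d other=%d\n",
                     cert, priv, pub, other }'
}

# Constructed sample files: placeholder bodies, not real keys or certificates.
SAMPLES=$(mktemp -d)
pem_block() {
    printf '%s\n' "-----BEGIN $1-----" "Q09OU1RSVUNURUQ=" "-----END $1-----"
}
pem_block 'CERTIFICATE' > "$SAMPLES/certonly.pem"
{ pem_block 'RSA PRIVATE KEY'; pem_block 'CERTIFICATE'; } > "$SAMPLES/bundle.pem"
pem_block 'PUBLIC KEY' > "$SAMPLES/pubkey.pem"

for f in "$SAMPLES"/*.pem; do
    printf '%s: %s\n' "${f##*/}" "$(pem_summary "$f")"
    if pem_has_private_key "$f"; then
        printf '  contains a private key, do not distribute: %s\n' "${f##*/}"
    fi
done
```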
