pkey public key extraction
Viktor Dukhovni
openssl-users at dukhovni.org
Wed Sep 20 18:08:21 UTC 2023
On Wed, Sep 20, 2023 at 07:28:46AM +0000, Doody, Stephen via openssl-users wrote:
> I'm hoping someone can point me in the right direction.
Perhaps walk you there step by step...
> We have a pem file that a colleague believes contains a private and a public key.
More likely, a private key and a (public key) X.509 certificate (a
certificate is basically a public key enclosed in a signed name binding
attestation).
> They want to extract the public key from the file and deploy that, so
> a 3rd party service can access our system.
Typically, the 3rd party would want your certificate, though some are
sophisticated enough to directly use a "bare" public key. The
distinction is important, so you need to check *precisely* what they're
looking for.
> The command they suggested was:
> openssl pkey -in ourcert.pem -pubout -out pubkey1.pem
This extracts a bare public key from the first private key in the PEM
file.
> The pubkey.pem file that is created only contains the public key and
> nothing else, so the 3rd party service can no longer connect to our
> system as it doesn't recognise this as a valid certificate and
> complained that it was not trusted.
This makes no sense, because if they wanted a public key, they got one.
If they wanted a certificate, they should have asked for that, and not
given you incorrect instructions for getting just the key. It seems
they need as much hand-holding as you do. :-(
> I've read through the man pages for pkey and x509 and I've also tried
> this: openssl x509 -in ourcert.pem -pubkey -out pubkey2.pem
This extracts two PEM objects, the "bare" public key *and* the
certificate (because you didn't also specify "-noout").
And apparently, it was the certificate they were looking for after all.
> The 3rd party service can now connect to our system but viewing the
> details of the pubkey2.pem file it looks identical to the original
> ourcert.pem file.
Almost identical, it wouldn't have your private key.
> Is pkey or x509 the right way to do this?
Apparently "x509", and you don't need the "-pubout" option, that's not
what they meant to ask you for.
> If it is pkey, how do I extract the public key so that it generates a
> valid certificate?
This makes no sense. A public key is not a certificate, and does not
contain one. It is the other way around.
--
Viktor.
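The difference between the two commands discussed in this thread can be seen directly on a throwaway key pair. The script below is an added example, not part of the original message: it builds a self-signed test certificate bundled with its private key (a constructed stand-in for the "ourcert.pem" in the question), then runs `openssl pkey -pubout`, `openssl x509 -pubkey` with and without `-noout`, and plain `openssl x509`, and reports which PEM objects each one emits. It assumes a modern OpenSSL (1.1.1 or 3.x) on PATH; the helper names `pem_object_types` and `demo_pubkey_extraction` are this example's own.

```shell
#!/bin/sh
# Added example (not from the openssl-users thread): show what each openssl
# command actually writes out when given a PEM file holding a private key
# plus its certificate. Assumes openssl 1.1.1 or 3.x on PATH.
set -e

# pem_object_types FILE: print the PEM labels ("PRIVATE KEY", "CERTIFICATE",
# ...) found in FILE, one per line, in the order they appear.
pem_object_types() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"
}

# demo_pubkey_extraction DIR: create a constructed key+certificate bundle in
# DIR, run the commands from the thread against it and leave the outputs
# (pubkey1.pem, pubkey2.pem, pubkey3.pem, certonly.pem) in DIR for inspection.
demo_pubkey_extraction() {
    dir=$1

    # Constructed sample: a self-signed certificate and its private key.
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -days 1 -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    # Emulate the colleague's "ourcert.pem": private key followed by the cert.
    cat "$dir/key.pem" "$dir/cert.pem" > "$dir/ourcert.pem"

    # 1. pkey -pubout: the bare public key derived from the first private key.
    openssl pkey -in "$dir/ourcert.pem" -pubout -out "$dir/pubkey1.pem"
    # 2. x509 -pubkey without -noout: bare public key AND the certificate.
    openssl x509 -in "$dir/ourcert.pem" -pubkey -out "$dir/pubkey2.pem"
    # 3. x509 -pubkey -noout: only the public key, taken from the certificate.
    openssl x509 -in "$dir/ourcert.pem" -pubkey -noout > "$dir/pubkey3.pem"
    # 4. x509 alone: just the certificate, which is what most peers ask for.
    openssl x509 -in "$dir/ourcert.pem" -out "$dir/certonly.pem"

    for f in ourcert.pem pubkey1.pem pubkey2.pem pubkey3.pem certonly.pem; do
        echo "$f: $(pem_object_types "$dir/$f" | tr '\n' ',' | sed 's/,$//')"
    done

    # The key from "pkey -pubout" and the key embedded in the certificate are
    # the same SubjectPublicKeyInfo, so the two PEM files are byte-identical.
    if cmp -s "$dir/pubkey1.pem" "$dir/pubkey3.pem"; then
        echo "pubkey1.pem and pubkey3.pem carry the same public key"
    else
        echo "public keys differ (unexpected)" >&2
        return 1
    fi
}

# Usage: run the demonstration in a fresh temporary directory.
demo_pubkey_extraction "$(mktemp -d)"
```

The output makes the thread's point concrete: `pubkey1.pem` holds one `PUBLIC KEY` object, `pubkey2.pem` holds a `PUBLIC KEY` followed by a `CERTIFICATE` (which is why the third party accepted it), and `certonly.pem` is the certificate alone, with no private key, which is normally the artifact to hand over.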