pkey public key extraction

Viktor Dukhovni openssl-users at
Wed Sep 20 18:08:21 UTC 2023

On Wed, Sep 20, 2023 at 07:28:46AM +0000, Doody, Stephen via openssl-users wrote:

> I'm hoping someone can point me in the right direction.

Perhaps walk you there step by step...

> We have a pem file that a colleague believes contains a private and a public key.

More likely, a private key and a (public key) X.509 certificate (a
certificate is basically a public key enclosed in a signed name binding).

> They want to extract the public key from the file and deploy that, so
> a 3rd party service can access our system.

Typically, the 3rd party would want your certificate, though some are
sophisticated enough to directly use a "bare" public key.  The
distinction is important, so you need to check *precisely* what they're
looking for.

> The command they suggested was:
> openssl pkey -in ourcert.pem -pubout -out pubkey1.pem

This extracts a bare public key from the first private key in the PEM file.

> The pubkey.pem file that is created only contains the public key and
> nothing else, so the 3rd party service can no longer connect to our
> system as it doesn't recognise this as a valid certificate and
> complained that it was not trusted.

This makes no sense, because if they wanted a public key, they got one.
If they wanted a certificate, they should have asked for that, and not
given you incorrect instructions for getting just the key.  It seems
they need as much hand-holding as you do. :-(

> I've read through the man pages for pkey and x509 and I've also tried
> this: openssl x509 -in ourcert.pem -pubkey -out pubkey2.pem

This extracts two PEM objects, the "bare" public key *and* the
certificate (because you didn't also specify "-noout").

And apparently, it was the certificate they were looking for after all.

> The 3rd party service can now connect to our system but viewing the
> details of the pubkey2.pem file it looks identical to the original
> ourcert.pem file.

Almost identical; it wouldn't have your private key.

> Is pkey or x509 the right way to do this?

Apparently "x509", and you don't need the "-pubout" option; that's not
what they meant to ask you for.

> If it is pkey, how do I extract the public key so that it generates a
> valid certificate?

This makes no sense.  A public key is not a certificate, and does not
contain one.  It is the other way around.

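The three extractions discussed in this thread, side by side, as an added shell example (not part of the original message). It builds its own constructed input: a fresh EC private key and a self-signed certificate concatenated into "ourcert.pem", the way such bundles usually arrive, and then shows exactly which PEM objects each command leaves in the output file. It assumes only that the openssl command-line tool (1.1.1 or 3.x) is on PATH; the scratch directory and the file names pubkey1.pem, pubkey2.pem and cert_only.pem are assumptions that follow the thread's naming.

```shell
#!/bin/sh
# Added example, not from the original thread. Demonstrates what
# "openssl pkey -pubout", "openssl x509 -pubkey" (without -noout) and
# "openssl x509" actually extract from a key+certificate PEM bundle.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # assumed scratch directory

# Constructed test material: a PKCS#8 private key plus a self-signed
# certificate, concatenated into one bundle like a typical "ourcert.pem".
make_bundle() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$WORK/key.pem" 2>/dev/null
    openssl req -new -x509 -key "$WORK/key.pem" -subj "/CN=example.test" \
        -days 1 -out "$WORK/cert.pem" 2>/dev/null
    cat "$WORK/key.pem" "$WORK/cert.pem" > "$WORK/ourcert.pem"
}

# Count PEM objects of one type ("PUBLIC KEY", "CERTIFICATE", ...) in a file.
# grep -c prints 0 (and exits 1) on no match, hence the "|| true".
count_pem() {  # $1=file $2=PEM type
    grep -c "^-----BEGIN $2-----" "$1" || true
}

# 1. The command the 3rd party suggested: bare public key of the first
#    private key in the bundle, and nothing else.
extract_pubkey_pkey() {
    openssl pkey -in "$WORK/ourcert.pem" -pubout -out "$WORK/pubkey1.pem"
}

# 2. "x509 -pubkey" without -noout: the bare public key *and* the
#    certificate end up in the output file (two PEM objects).
extract_pubkey_x509() {
    openssl x509 -in "$WORK/ourcert.pem" -pubkey -out "$WORK/pubkey2.pem"
}

# 3. What a service that "complained it was not trusted" most likely
#    wanted: the certificate alone, without the private key.
extract_cert() {
    openssl x509 -in "$WORK/ourcert.pem" -out "$WORK/cert_only.pem"
}

# SHA-256 over the DER SubjectPublicKeyInfo of a PEM public key file.
pubkey_fingerprint() {  # $1=file whose first object is a PUBLIC KEY
    openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# Same fingerprint, but taken from the public key inside the certificate.
cert_pubkey_fingerprint() {
    openssl x509 -in "$WORK/cert_only.pem" -pubkey -noout \
        | openssl pkey -pubin -outform DER | openssl dgst -sha256 \
        | awk '{print $NF}'
}

# Print what each output file contains, so the difference is visible.
show_extractions() {
    make_bundle
    extract_pubkey_pkey
    extract_pubkey_x509
    extract_cert
    for f in ourcert.pem pubkey1.pem pubkey2.pem cert_only.pem; do
        printf '%-14s private-keys=%s public-keys=%s certificates=%s\n' "$f" \
            "$(count_pem "$WORK/$f" 'PRIVATE KEY')" \
            "$(count_pem "$WORK/$f" 'PUBLIC KEY')" \
            "$(count_pem "$WORK/$f" CERTIFICATE)"
    done
    printf 'pubkey (from private key):  %s\n' "$(pubkey_fingerprint "$WORK/pubkey1.pem")"
    printf 'pubkey (from certificate):  %s\n' "$(cert_pubkey_fingerprint)"
    openssl x509 -in "$WORK/cert_only.pem" -noout -subject
}

show_extractions
```

The fingerprint lines show that the bare public key and the certificate carry the same key; what differs is the wrapping. A relying party that says "not trusted" is validating a certificate chain, so it needs the CERTIFICATE object, and giving it cert_only.pem (never ourcert.pem, which still holds the private key) is the safe way to hand that over.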
