pkey public key extraction
David von Oheimb
it at von-Oheimb.de
Fri Sep 22 05:44:01 UTC 2023
Thanks Viktor for the very good comments below.
Here is a more general side remark on a side info by Stephen Doody:
> For info we're running openssl version 1.0.2k-fips on Centos 7 in an AWS EC2 instance.
OpenSSL 1.0.2 is heavily outdated.
Meanwhile, using anything below 3.0 is discouraged and imposes more or
less security risks.
A further motivation for upgrading to a recent OpenSSL version is that
the OpenSSL apps like x509
meanwhile have a significantly improved documentation and offer extended
options for advanced use.
David
On 20.09.23 20:08, Viktor Dukhovni wrote:
> On Wed, Sep 20, 2023 at 07:28:46AM +0000, Doody, Stephen via openssl-users wrote:
>
>> I'm hoping someone can point me in the right direction.
> Perhaps walk you there step by step...
>
>> We have a pem file that a colleague believes contains a private and a public key.
> More likely, a private key and a (public key) X.509 certificate (a
> certificate is basically a public key enclosed in a singed name binding
> attestation).
>
>> They want to extract the public key from the file and deploy that, so
>> a 3rd party service can access our system.
> Typically, the 3rd party would want your certificate, though some are
> sophisticated enough to directly use a "bare" public key. The
> distinction is important, so you need to check *precisely* what they're
> looking for.
>
>> The command they suggested was:
>> openssl pkey -in ourcert.pem -pubout -out pubkey1.pem
> This extracts a bare public key from the first private key in the PEM
> file.
>
>> The pubkey.pem file that is created only contains the public key and
>> nothing else, so the 3rd party service can no longer connect to our
>> system as it doesn't recognise this as a valid certificate and
>> complained that it was not trusted.
> This makes no sense, because if they wanted a public key, they got one.
> If they wanted a certificate, they should have asked for that, and not
> given you incorrect instructions for getting just the key. It seems
> they need as much hand-holding as you do. :-(
>
>> I've read through the man pages for pkey and x509 and I've also tried
>> this: openssl x509 -in ourcert.pem -pubkey -out pubkey2.pem
> This extracts two PEM objects, the "bare" public key *and* the
> certificate (because you didn't also specify "-noout").
>
> And apparently, it was the certificate they were looking for after all.
>
>> The 3rd party service can now connect to our system but viewing the
>> details of the pubkey2.pem file it looks identical to the original
>> ourcert.pem file.
> Almost identical, it wouldn't have your private key.
>
>> Is pkey or x509 the right way to do this?
> Apparently "x509", and you don't need the "-pubout" option, that's not
> what they meant to ask you for.
>
>> If it is pkey, how do I extract the public key so that it generates a
>> valid certificate?
> This makes no sense. A public key is not a certificate, and does not
> contain one. It is the other way around.
>
> --
> Viktor.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20230922/907bb401/attachment.htm>
More information about the openssl-users
mailing list