pkey public key extraction

David von Oheimb it at
Fri Sep 22 05:44:01 UTC 2023

Thanks Viktor for the very good comments below.

Here is a more general side remark on a side info by Stephen Doody:

> For info we're running openssl version 1.0.2k-fips on Centos 7 in an AWS EC2 instance.
OpenSSL 1.0.2 is heavily outdated.
Meanwhile, using anything below 3.0 is discouraged and imposes more or 
less security risks.

A further motivation for upgrading to a recent OpenSSL version is that 
the OpenSSL apps like x509
meanwhile have a significantly improved documentation and offer extended 
options for advanced use.


On 20.09.23 20:08, Viktor Dukhovni wrote:
> On Wed, Sep 20, 2023 at 07:28:46AM +0000, Doody, Stephen via openssl-users wrote:
>> I'm hoping someone can point me in the right direction.
> Perhaps walk you there step by step...
>> We have a pem file that a colleague believes contains a private and a public key.
> More likely, a private key and a (public key) X.509 certificate (a
> certificate is basically a public key enclosed in a singed name binding
> attestation).
>> They want to extract the public key from the file and deploy that, so
>> a 3rd party service can access our system.
> Typically, the 3rd party would want your certificate, though some are
> sophisticated enough to directly use a "bare" public key.  The
> distinction is important, so you need to check *precisely* what they're
> looking for.
>> The command they suggested was:
>> openssl pkey -in ourcert.pem -pubout -out pubkey1.pem
> This extracts a bare public key from the first private key in the PEM
> file.
>> The pubkey.pem file that is created only contains the public key and
>> nothing else, so the 3rd party service can no longer connect to our
>> system as it doesn't recognise this as a valid certificate and
>> complained that it was not trusted.
> This makes no sense, because if they wanted a public key, they got one.
> If they wanted a certificate, they should have asked for that, and not
> given you incorrect instructions for getting just the key.  It seems
> they need as much hand-holding as you do. :-(
>> I've read through the man pages for pkey and x509 and I've also tried
>> this: openssl x509 -in ourcert.pem -pubkey -out pubkey2.pem
> This extracts two PEM objects, the "bare" public key *and* the
> certificate (because you didn't also specify "-noout").
> And apparently, it was the certificate they were looking for after all.
>> The 3rd party service can now connect to our system but viewing the
>> details of the pubkey2.pem file it looks identical to the original
>> ourcert.pem file.
> Almost identical, it wouldn't have your private key.
>> Is pkey or x509 the right way to do this?
> Apparently "x509", and you don't need the "-pubout" option, that's not
> what they meant to ask you for.
>> If it is pkey, how do I extract the public key so that it generates a
>> valid certificate?
> This makes no sense.  A public key is not a certificate, and does not
> contain one.  It is the other way around.
> -- 
>      Viktor.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the openssl-users mailing list