Re: pkey public key extraction

On Wed, Sep 20, 2023 at 07:28:46AM +0000, Doody, Stephen via openssl-users wrote:

> I'm hoping someone can point me in the right direction.

Perhaps walk you there step by step...

> We have a pem file that a colleague believes contains a private and a public key.

More likely, a private key and a (public key) X.509 certificate (a
certificate is basically a public key enclosed in a signed name binding
attestation).

> They want to extract the public key from the file and deploy that, so
> a 3rd party service can access our system.

Typically, the 3rd party would want your certificate, though some are
sophisticated enough to directly use a "bare" public key.  The
distinction is important, so you need to check *precisely* what they're
looking for.

> The command they suggested was:
> openssl pkey -in ourcert.pem -pubout -out pubkey1.pem

This extracts a bare public key from the first private key in the PEM
file.

> The pubkey.pem file that is created only contains the public key and
> nothing else, so the 3rd party service can no longer connect to our
> system as it doesn't recognise this as a valid certificate and
> complained that it was not trusted.

This makes no sense, because if they wanted a public key, they got one.
If they wanted a certificate, they should have asked for that, and not
given you incorrect instructions for getting just the key.  It seems
they need as much hand-holding as you do. :-(

> I've read through the man pages for pkey and x509 and I've also tried
> this: openssl x509 -in ourcert.pem -pubkey -out pubkey2.pem

This extracts two PEM objects, the "bare" public key *and* the
certificate (because you didn't also specify "-noout").

And apparently, it was the certificate they were looking for after all.

> The 3rd party service can now connect to our system but viewing the
> details of the pubkey2.pem file it looks identical to the original
> ourcert.pem file.

Almost identical, it wouldn't have your private key.

> Is pkey or x509 the right way to do this?

Apparently "x509", and you don't need the "-pubout" option, that's not
what they meant to ask you for.

> If it is pkey, how do I extract the public key so that it generates a
> valid certificate?

This makes no sense.  A public key is not a certificate, and does not
contain one.  It is the other way around.

-- 
    Viktor.
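
The distinction drawn in the reply above, as an added example that is not part of the original message: list which PEM objects a combined file holds, copy out only the certificate, and confirm that no private key ends up in the file handed to the third party. The function names and the sample file are constructed for illustration, and the base64 bodies are placeholders rather than real key material.

```shell
#!/bin/sh
# Constructed sample with the layout of a combined key + certificate file.
make_sample() {
cat <<'EOF'
-----BEGIN PRIVATE KEY-----
UExBQ0VIT0xERVItS0VZ
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVItQ0VSVA==
-----END CERTIFICATE-----
EOF
}

# Print the type of every PEM object in the file, in order (CRLF tolerated).
pem_labels() {
    tr -d '\r' < "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'
}

# Copy only CERTIFICATE objects to stdout; keys and anything else are dropped.
pem_certs_only() {
    tr -d '\r' < "$1" | awk '
        /^-----BEGIN CERTIFICATE-----$/ { keep = 1 }
        keep                            { print }
        /^-----END CERTIFICATE-----$/   { keep = 0 }'
}

# Exit 0 if the file holds any private key object: PRIVATE KEY,
# RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY.
pem_has_private_key() {
    pem_labels "$1" | grep -q 'PRIVATE KEY$'
}

# Demo on the constructed sample.
f=$(mktemp)
make_sample > "$f"
echo "objects in combined file:"; pem_labels "$f"
pem_certs_only "$f" > "$f.cert"
if pem_has_private_key "$f.cert"; then
    echo "do not share: private key present" >&2
else
    echo "objects in file to share:"; pem_labels "$f.cert"
fi
rm -f "$f" "$f.cert"
```

On a real file, `openssl x509 -in ourcert.pem -out cert.pem` likewise writes only the first certificate, and adding `-pubkey -noout` prints only the bare public key.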
