On Wed, Sep 20, 2023 at 07:28:46AM +0000, Doody, Stephen via openssl-users wrote:

> I'm hoping someone can point me in the right direction.

Perhaps walk you there step by step...

> We have a pem file that a colleague believes contains a private and a
> public key.

More likely, a private key and a (public key) X.509 certificate (a
certificate is basically a public key enclosed in a signed name binding
attestation).

> They want to extract the public key from the file and deploy that, so
> a 3rd party service can access our system.

Typically, the 3rd party would want your certificate, though some are
sophisticated enough to directly use a "bare" public key. The distinction
is important, so you need to check *precisely* what they're looking for.

> The command they suggested was:
>
>     openssl pkey -in ourcert.pem -pubout -out pubkey1.pem

This extracts a bare public key from the first private key in the PEM
file.

> The pubkey.pem file that is created only contains the public key and
> nothing else, so the 3rd party service can no longer connect to our
> system as it doesn't recognise this as a valid certificate and
> complained that it was not trusted.

This makes no sense, because if they wanted a public key, they got one.
If they wanted a certificate, they should have asked for that, and not
given you incorrect instructions for getting just the key. It seems they
need as much hand-holding as you do. :-(

> I've read through the man pages for pkey and x509 and I've also tried
> this:
>
>     openssl x509 -in ourcert.pem -pubkey -out pubkey2.pem

This extracts two PEM objects, the "bare" public key *and* the
certificate (because you didn't also specify "-noout"). And apparently,
it was the certificate they were looking for after all.

> The 3rd party service can now connect to our system but viewing the
> details of the pubkey2.pem file it looks identical to the original
> ourcert.pem file.

Almost identical, it wouldn't have your private key.

> Is pkey or x509 the right way to do this?

Apparently "x509", and you don't need the "-pubout" option, that's not
what they meant to ask you for.

> If it is pkey, how do I extract the public key so that it generates a
> valid certificate?

This makes no sense. A public key is not a certificate, and does not
contain one. It is the other way around.

-- 
    Viktor.
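The confusion in this thread comes down to not knowing which PEM objects a file holds: the original file carries a private key plus a certificate, `openssl pkey -pubout` yields only a bare public key, and `openssl x509 -pubkey` without `-noout` yields a public key followed by the certificate. The following is an added example, not code from this thread or from the OpenSSL project: a small PEM inspector that lists the objects in a file by their BEGIN/END labels, refuses malformed input, and applies a strict check (`ok_to_hand_to_third_party`, a hypothetical helper) that the file contains exactly what the other party asked for and never a private key. The three sample PEM strings are constructed, with a tiny DER stub standing in for real key and certificate bytes; only the labels matter for this check.

```python
import base64

# Constructed stand-in body: base64 of the DER SEQUENCE { INTEGER 5 }.
# Real keys and certificates are much longer, but they are DER SEQUENCEs too,
# so the same first-byte sanity check applies.
DER_STUB = "MAMCAQU="


def _pem(label):
    """Build one constructed PEM block with the given label."""
    return f"-----BEGIN {label}-----\n{DER_STUB}\n-----END {label}-----\n"


# Shapes of the three files discussed in the thread (constructed samples).
OURCERT_PEM = _pem("PRIVATE KEY") + _pem("CERTIFICATE")    # what the colleague handed over
PUBKEY1_PEM = _pem("PUBLIC KEY")                            # output of `openssl pkey -pubout`
PUBKEY2_PEM = _pem("PUBLIC KEY") + _pem("CERTIFICATE")      # output of `openssl x509 -pubkey` without -noout

PRIVATE_LABELS = {"PRIVATE KEY", "ENCRYPTED PRIVATE KEY", "RSA PRIVATE KEY",
                  "EC PRIVATE KEY", "DSA PRIVATE KEY"}
PUBLIC_LABELS = {"PUBLIC KEY", "RSA PUBLIC KEY"}
CERT_LABELS = {"CERTIFICATE", "TRUSTED CERTIFICATE"}


def pem_objects(text):
    """Split PEM text into (label, der_bytes) tuples, in file order.

    Raises ValueError on a missing or mismatched END line, on non-base64 body
    text, or on a body that is not a DER SEQUENCE, so a truncated or hand-edited
    file is reported rather than silently half-parsed.
    """
    objs = []
    label, body = None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            if label is not None:
                raise ValueError(f"line {lineno}: BEGIN inside unterminated {label!r} block")
            label, body = line[len("-----BEGIN "):-5], []
        elif line.startswith("-----END ") and line.endswith("-----"):
            end_label = line[len("-----END "):-5]
            if label is None or end_label != label:
                raise ValueError(f"line {lineno}: END {end_label!r} does not match BEGIN {label!r}")
            der = base64.b64decode("".join(body), validate=True)
            if not der or der[0] != 0x30:
                raise ValueError(f"line {lineno}: {label!r} body is not a DER SEQUENCE")
            objs.append((label, der))
            label, body = None, []
        elif label is not None and line and ":" not in line:
            # Legacy encrypted PEM carries "Proc-Type:"/"DEK-Info:" header lines
            # before the base64; base64 never contains ':' so they are skipped safely.
            body.append(line)
    if label is not None:
        raise ValueError(f"unterminated {label!r} block at end of input")
    return objs


def is_well_formed(text):
    """True if every PEM block in the text parses cleanly."""
    try:
        pem_objects(text)
        return True
    except ValueError:
        return False


def summarize(text):
    """Count private keys, public keys and certificates in a PEM file."""
    labels = [lab for lab, _ in pem_objects(text)]
    known = PRIVATE_LABELS | PUBLIC_LABELS | CERT_LABELS
    return {
        "private_keys": sum(lab in PRIVATE_LABELS for lab in labels),
        "public_keys": sum(lab in PUBLIC_LABELS for lab in labels),
        "certificates": sum(lab in CERT_LABELS for lab in labels),
        "other": [lab for lab in labels if lab not in known],
    }


def ok_to_hand_to_third_party(text, they_want):
    """Strict pre-flight check before sending a PEM file out.

    they_want is "certificate" or "public key". The file passes only if it
    holds exactly one object of that kind, nothing else, and no private key.
    """
    s = summarize(text)
    if s["private_keys"] or s["other"]:
        return False
    if they_want == "certificate":
        return s["certificates"] == 1 and s["public_keys"] == 0
    if they_want == "public key":
        return s["public_keys"] == 1 and s["certificates"] == 0
    raise ValueError(f"unknown request {they_want!r}")


if __name__ == "__main__":
    for name, pem in (("ourcert.pem", OURCERT_PEM), ("pubkey1.pem", PUBKEY1_PEM),
                      ("pubkey2.pem", PUBKEY2_PEM)):
        print(name, summarize(pem), "send as certificate:",
              ok_to_hand_to_third_party(pem, "certificate"))
```

Run against the three constructed files, the check rejects all of them for a "certificate" request: `ourcert.pem` still carries the private key, `pubkey1.pem` is a bare public key, and `pubkey2.pem` bundles a public key alongside the certificate. Only a file produced by `openssl x509 -in ourcert.pem -out cert.pem` (certificate alone), or by `openssl x509 -in ourcert.pem -pubkey -noout -out pubkey.pem` for a "public key" request, passes, which is the point of checking precisely what the other side wants before exporting anything.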