Thanks Viktor for the very good comments below.
Here is a more general side remark on a side info by Stephen Doody:

> For info we're running openssl version 1.0.2k-fips on CentOS 7 in an AWS EC2 instance.

OpenSSL 1.0.2 is heavily outdated.
Meanwhile, using anything below 3.0 is discouraged and imposes more or less security risks.
A further motivation for upgrading to a recent OpenSSL version is that the OpenSSL apps like x509
meanwhile have a significantly improved documentation and offer extended options for advanced use.
David
On 20.09.23 20:08, Viktor Dukhovni wrote:
On Wed, Sep 20, 2023 at 07:28:46AM +0000, Doody, Stephen via openssl-users wrote:

> I'm hoping someone can point me in the right direction.

Perhaps walk you there step by step...

> We have a pem file that a colleague believes contains a private and a public key.

More likely, a private key and a (public key) X.509 certificate (a certificate is basically a public key enclosed in a signed name binding attestation).

> They want to extract the public key from the file and deploy that, so a 3rd party service can access our system.

Typically, the 3rd party would want your certificate, though some are sophisticated enough to directly use a "bare" public key. The distinction is important, so you need to check *precisely* what they're looking for.

> The command they suggested was:
>
>     openssl pkey -in ourcert.pem -pubout -out pubkey1.pem

This extracts a bare public key from the first private key in the PEM file.

> The pubkey.pem file that is created only contains the public key and nothing else, so the 3rd party service can no longer connect to our system as it doesn't recognise this as a valid certificate and complained that it was not trusted.

This makes no sense, because if they wanted a public key, they got one. If they wanted a certificate, they should have asked for that, and not given you incorrect instructions for getting just the key. It seems they need as much hand-holding as you do. :-(

> I've read through the man pages for pkey and x509 and I've also tried this:
>
>     openssl x509 -in ourcert.pem -pubkey -out pubkey2.pem

This extracts two PEM objects, the "bare" public key *and* the certificate (because you didn't also specify "-noout"). And apparently, it was the certificate they were looking for after all.

> The 3rd party service can now connect to our system but viewing the details of the pubkey2.pem file it looks identical to the original ourcert.pem file.

Almost identical, it wouldn't have your private key.

> Is pkey or x509 the right way to do this?

Apparently "x509", and you don't need the "-pubout" option, that's not what they meant to ask you for.

> If it is pkey, how do I extract the public key so that it generates a valid certificate?

This makes no sense. A public key is not a certificate, and does not contain one. It is the other way around.

-- 
    Viktor.
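The following script is an added example, not part of the thread and not from the OpenSSL project; it makes Viktor's explanation concrete. It builds a throwaway "ourcert.pem" (a constructed, self-signed test certificate plus its private key, so nothing real is used), then runs each of the commands discussed and counts which PEM objects come out: "pkey -pubout" and "x509 -pubkey -noout" both yield only the bare public key, "x509 -pubkey" without "-noout" yields the public key *and* the certificate, and plain "x509 -in ... -out ..." yields the certificate alone, which is what the third party actually wanted. The file names, the CN "example.test" and the helper function names are assumptions of this example. Listing the object types before handing a file to anyone is the check that would have caught the private key being shipped along.

```sh
#!/bin/sh
# Added example (not from the thread). Requires the openssl command line tool.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed test material: a self-signed certificate and its private key,
# concatenated the way Stephen's "ourcert.pem" most likely was (key first).
make_bundle() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.test" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
    cat "$WORK/key.pem" "$WORK/cert.pem" > "$WORK/ourcert.pem"
}

# Count PEM objects whose header matches the given pattern, e.g. CERTIFICATE,
# PUBLIC KEY or '.*PRIVATE KEY' (covers both PKCS#8 and legacy headers).
count_objects() {
    grep -c -e "^-----BEGIN $2-----" "$1" || true
}

# What the colleague suggested: bare public key taken from the private key.
pubkey_via_pkey() {
    openssl pkey -in "$1" -pubout -out "$2"
}

# What Stephen tried: without -noout this writes public key AND certificate.
pubkey_and_cert_via_x509() {
    openssl x509 -in "$1" -pubkey -out "$2"
}

# Same command with -noout: only the public key carried inside the certificate.
pubkey_via_x509() {
    openssl x509 -in "$1" -pubkey -noout -out "$2"
}

# What the third party really wanted: the certificate alone, private key dropped.
cert_only() {
    openssl x509 -in "$1" -out "$2"
}

# Sanity check: the public key inside the certificate must be the one that
# belongs to the private key, otherwise the file is a mismatched bundle.
pubkeys_match() {
    cmp -s "$1" "$2"
}

# Stand-alone run: print what each command produced.
if [ "${1:-}" = "run" ]; then
    make_bundle
    B="$WORK/ourcert.pem"
    pubkey_via_pkey "$B" "$WORK/pubkey1.pem"
    pubkey_and_cert_via_x509 "$B" "$WORK/pubkey2.pem"
    pubkey_via_x509 "$B" "$WORK/pubkey3.pem"
    cert_only "$B" "$WORK/deploy.pem"
    for f in ourcert pubkey1 pubkey2 pubkey3 deploy; do
        printf '%s.pem: ' "$f"
        grep -e '^-----BEGIN ' "$WORK/$f.pem" | tr '\n' ' '
        echo
    done
fi
```

Run it with `sh script.sh run` to see the object list of every output file; the "deploy.pem" line is the only one that contains exactly one CERTIFICATE and no key at all.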