160

The following command generates a file which contains both public and private key:

openssl genrsa -des3 -out privkey.pem 2048

Source: here

With OpenSSL, the private key contains the public key information as well, so a public key doesn't need to be generated separately

How can we extract the public key from the privkey.pem file?

Thanks.

jww
Jake
  • @anish People should NOT be encouraged to paste private keys into random web forms. That's hugely disconcerting from a security perspective, and given you built that "tool" it's also self-promotion. Please remove your comment. – aendra Oct 20 '20 at 14:31

6 Answers

236
openssl rsa -in privkey.pem -pubout > key.pub

That writes the public key to key.pub

stewe
  • It is always better to use the built-in option for this, `-out`, for example: `openssl rsa -in privkey.pem -pubout -out key.pub` instead of redirecting stdout to a file. – Juan Antonio Nov 09 '16 at 09:03
  • @JuanAntonio would it be possible for you to explain why it is better to use -out rather than redirect? Many thanks – Banoona Mar 01 '22 at 10:30
  • I would like to know the rationale for using the `-out` parameter, too. I think forwarding output is better overall because that allows the command to be run on a different system and the public key to be piped over an ssh connection to the less trusted remote system. Of course, in case of e.g. permission problems, the `-out` parameter may be able to emit better diagnostics. – Mikko Rantalainen Aug 09 '22 at 15:58
162

Though the above technique works for the general case, it didn't work on Amazon Web Services (AWS) PEM files.

I did find in the AWS docs the following command works: ssh-keygen -y

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html

Edit: Thanks @makenova for the complete line:

ssh-keygen -y -f key.pem > key.pub
lababidi
  • Thanks. This is what I needed. To skip the prompts, you can use `ssh-keygen -y -f key.pem > key.pub` – makenova May 19 '15 at 22:56
  • This is the correct answer `ssh-keygen -y -f key.pem` – Justin Jun 10 '16 at 16:47
  • This is asking me for a passphrase, but I didn't put any passphrase – kavain Mar 23 '17 at 03:35
  • @makenova This will **regenerate** the key in `key.pem`, which could prevent you from logging into instances that require that key! – SubmittedDenied May 01 '17 at 17:42
  • If you got the same problem as @kavain where it asks you for the passphrase you didn't put, and you're using your key with `ssh -i`, make sure you're [linking to your private key there, **not** the public one](https://serverfault.com/a/267994/91532) – ᴍᴇʜᴏᴠ Aug 12 '17 at 11:36
  • Can anyone elaborate why AWS is picky about the "correct answer" above? – GreenLake4964 Dec 05 '19 at 09:33
  • It sounds to me that AWS doesn't like RSA public keys in PEM format but requires the key in SSH syntax. The difference is quite small: with PEM, the base64-encoded key has a one-line prefix in English and a one-line suffix in English; SSH syntax has the prefix `ssh-rsa ` followed by a base64 encoding with a nested additional prefix of binary zeroes and `ssh-rsa`, without a linefeed and with no suffix. The SSH file format is special to SSH. I guess it doesn't use PEM format due to historical reasons. – Mikko Rantalainen Aug 09 '22 at 16:03
12

For those interested in the details - you can see what's inside the public key file (generated as explained above) by doing this:

openssl rsa -noout -text -inform PEM -in key.pub -pubin

or for the private key file, this:

openssl rsa -noout -text -in key.private

which outputs as text on the console the actual components of the key (modulus, exponents, primes, ...)

cnd
4

For importing an existing public key into AWS:

  1. Export it from the .pem by doing this (on Linux):

    openssl rsa -in ./AWSGeneratedKey.pem -pubout -out PublicKey.pub

This will produce a file which, if you open it in a text editor, looks something like this:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn/8y3uYCQxSXZ58OYceG
A4uPdGHZXDYOQR11xcHTrH13jJEzdkYZG8irtyG+m3Jb6f9F8WkmTZxl+4YtkJdN
9WyrKhxq4Vbt42BthadX3Ty/pKkJ81Qn8KjxWoL+SMaCGFzRlfWsFju9Q5C7+aTj
eEKyFujH5bUTGX87nULRfg67tmtxBlT8WWWtFe2O/wedBTGGQxXMpwh4ObjLl3Qh
bfwxlBbh2N4471TyrErv04lbNecGaQqYxGrY8Ot3l2V2fXCzghAQg26Hc4dR2wyA
PPgWq78db+gU3QsePeo2Ki5sonkcyQQQlCkL35Asbv8khvk90gist4kijPnVBCuv
cwIDAQAB
-----END PUBLIC KEY-----

  2. However, AWS will NOT accept this file.

    You have to strip off the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- lines from the file. Save it and import it, and it should work in AWS.
Stephen Rauch
Bendo
2

If you're looking for how to copy an Amazon AWS .pem key pair into a different region, do the following:

openssl rsa -in .ssh/amazon-aws.pem -pubout > .ssh/amazon-aws.pub

Then

aws ec2 import-key-pair --key-name amazon-aws --public-key-material "$(cat .ssh/amazon-aws.pub)" --region us-west-2
Justin
  • The public key output by `openssl` is sandwiched in PEM headers, which you will have to remove before AWS CLI accepts the key. – jpsecher Apr 22 '16 at 09:49
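The `openssl rsa -pubout` file and the `ssh-keygen -y` line in the answers above carry the same two numbers, the modulus n and the public exponent e, in different containers: the first is an X.509 SubjectPublicKeyInfo structure in PEM, the second is the RFC 4253 `ssh-rsa` blob (length-prefixed "ssh-rsa", then e, then n as SSH mpints) base64-encoded onto one line, which is what `authorized_keys` and the AWS import path in these answers expect. The script below is an added example, not code from any answer in this thread: a stdlib-only Python reader that pulls (n, e) out of a PEM private key (PKCS#1 `RSA PRIVATE KEY`, or the unencrypted PKCS#8 `PRIVATE KEY` that newer OpenSSL releases write by default) and re-emits it in both forms. It reuses the public key quoted in Bendo's answer as realistic input, constructs a textbook toy private key (p=61, q=53, e=17) for the private-key path, and deliberately refuses passphrase-protected keys such as the `-des3` file in the question, which have to be decrypted with `openssl rsa -in privkey.pem -out plain.pem` first. Everything else here (function names, the toy parameters) is this example's own choice.

```python
import base64
import re

RSA_OID = bytes.fromhex("2a864886f70d010101")  # OID 1.2.840.113549.1.1.1, rsaEncryption

# The public key quoted in Bendo's answer above, reused here as realistic input.
ANSWER_PUBLIC_KEY = """\
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn/8y3uYCQxSXZ58OYceG
A4uPdGHZXDYOQR11xcHTrH13jJEzdkYZG8irtyG+m3Jb6f9F8WkmTZxl+4YtkJdN
9WyrKhxq4Vbt42BthadX3Ty/pKkJ81Qn8KjxWoL+SMaCGFzRlfWsFju9Q5C7+aTj
eEKyFujH5bUTGX87nULRfg67tmtxBlT8WWWtFe2O/wedBTGGQxXMpwh4ObjLl3Qh
bfwxlBbh2N4471TyrErv04lbNecGaQqYxGrY8Ot3l2V2fXCzghAQg26Hc4dR2wyA
PPgWq78db+gU3QsePeo2Ki5sonkcyQQQlCkL35Asbv8khvk90gist4kijPnVBCuv
cwIDAQAB
-----END PUBLIC KEY-----
"""

def _der_len(n):                     # DER length octets (definite form only)
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):                 # DER element: tag || length || body
    return bytes([tag]) + _der_len(len(body)) + body

def _unsigned_be(v):
    # Minimal big-endian bytes plus a leading 0x00 when the top bit is set: the same
    # rule encodes a positive DER INTEGER and an SSH mpint (RFC 4251).
    return v.to_bytes((v.bit_length() + 8) // 8, "big")

def der_read(buf, pos=0):            # (tag, body, end) of the element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):              # (tag, body) pairs of the elements inside a SEQUENCE body
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_read(body, pos)
        out.append((tag, val))
    return out

def pem_decode(pem):
    m = re.search(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", pem, re.S)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1), m.group(2)
    if "ENCRYPTED" in label or "Proc-Type: 4,ENCRYPTED" in body:
        raise ValueError("passphrase-protected key; decrypt it with 'openssl rsa' first")
    return label, base64.b64decode("".join(body.split()))

def pem_encode(label, der):
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"

def public_numbers_from_private_pem(pem):
    """(n, e) from a PKCS#1 'RSA PRIVATE KEY' or an unencrypted PKCS#8 'PRIVATE KEY'."""
    label, der = pem_decode(pem)
    _, body, _ = der_read(der)
    if label == "PRIVATE KEY":       # PKCS#8: version, AlgorithmIdentifier, OCTET STRING(PKCS#1)
        _, body, _ = der_read(der_children(body)[2][1])
    elif label != "RSA PRIVATE KEY":
        raise ValueError(f"unsupported PEM label {label!r}")
    # RSAPrivateKey ::= SEQUENCE { version, n, e, d, p, q, dP, dQ, qInv }
    ints = [int.from_bytes(v, "big") for t, v in der_children(body) if t == 0x02]
    return ints[1], ints[2]

def public_numbers_from_spki_pem(pem):
    """(n, e) from the 'PUBLIC KEY' (SubjectPublicKeyInfo) file that openssl -pubout writes."""
    label, der = pem_decode(pem)
    if label != "PUBLIC KEY":
        raise ValueError(f"unsupported PEM label {label!r}")
    alg, bits = der_children(der_read(der)[1])[:2]
    if der_children(alg[1])[0][1] != RSA_OID:
        raise ValueError("not an RSA key")
    rsa_pub = der_read(bits[1][1:])[1]   # bits[1][0] is the BIT STRING's unused-bits byte
    n, e = (int.from_bytes(v, "big") for _, v in der_children(rsa_pub))
    return n, e

def spki_pem(n, e):                  # the container `openssl rsa -pubout` writes
    alg = _tlv(0x30, _tlv(0x06, RSA_OID) + _tlv(0x05, b""))
    bits = _tlv(0x03, b"\x00" + _tlv(0x30, _tlv(0x02, _unsigned_be(n)) + _tlv(0x02, _unsigned_be(e))))
    return pem_encode("PUBLIC KEY", _tlv(0x30, alg + bits))

def _ssh_string(b):                  # RFC 4251 string: 4-byte big-endian length || bytes
    return len(b).to_bytes(4, "big") + b

def openssh_line(n, e, comment="converted"):   # the one-line form `ssh-keygen -y` writes
    # RFC 4253 "ssh-rsa" blob: three length-prefixed fields, "ssh-rsa", mpint e, mpint n.
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(_unsigned_be(e)) + _ssh_string(_unsigned_be(n))
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def toy_private_key_pem():           # constructed test input (textbook p=61, q=53); never use such a key
    p, q, e, d = 61, 53, 17, 2753    # d = e^-1 mod (p-1)(q-1)
    fields = [0, p * q, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    return pem_encode("RSA PRIVATE KEY", _tlv(0x30, b"".join(_tlv(0x02, _unsigned_be(x)) for x in fields)))
```

On a real key, `public_numbers_from_private_pem(open("privkey.pem").read())` gives the pair, `spki_pem(n, e)` reproduces the quoted public key byte for byte, and `openssh_line(n, e)` is the single line you hand to `aws ec2 import-key-pair --public-key-material` or append to `authorized_keys`. Note that the modulus in either container is the same 257-byte DER INTEGER / mpint with its leading zero byte, so a 2048-bit key always begins `AAAAB3NzaC1yc2EAAAADAQABAAABAQ` in the SSH form when e is 65537.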
2

Use openssl to extract the public key file from the PEM file as follows:

openssl x509 -inform pem -in private_key.pem -pubkey -noout > public_key.pub
Arvind