109

I am using the below openssl command for storing my public key into a .pem file.

```
openssl> x509 -in E:/mycert.pem -pubkey -out E:/mypubkey.pem
```

But when I try to use this command, it is storing the whole certificate info in the mypubkey.pem file.

I have seen that I can save my public key using

```
openssl> x509 -pubkey -noout -in cert.pem > pubkey.pem
```

But it is throwing an error. I can't use ">" operator.

Alastair McCormack
Ankit

3 Answers

250

There are a couple ways to do this.

First, instead of going into openssl command prompt mode, just enter everything on one command line from the Windows prompt:

```
E:\> openssl x509 -pubkey -noout -in cert.pem > pubkey.pem
```

If for some reason, you have to use the openssl command prompt, just enter everything up to the ">". Then OpenSSL will print out the public key info to the screen. You can then copy this and paste it into a file called pubkey.pem.

```
openssl> x509 -pubkey -noout -in cert.pem
```

Output will look something like this:

```
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAryQICCl6NZ5gDKrnSztO
3Hy8PEUcuyvg/ikC+VcIo2SFFSf18a3IMYldIugqqqZCs4/4uVW3sbdLs/6PfgdX
7O9D22ZiFWHPYA2k2N744MNiCD1UE+tJyllUhSblK48bn+v1oZHCM0nYQ2NqUkvS
j+hwUU3RiWl7x3D2s9wSdNt7XUtW05a/FXehsPSiJfKvHJJnGOX0BgTvkLnkAOTd
OrUZ/wK69Dzu4IvrN4vs9Nes8vbwPa/ddZEzGR0cQMt0JBkhk9kU/qwqUseP1QRJ
5I1jR4g8aYPL/ke9K35PxZWuDp3U0UPAZ3PjFAh+5T+fc7gzCs9dPzSHloruU+gl
FQIDAQAB
-----END PUBLIC KEY-----
```
gtrig
  • Ty for replying. Second approach is acceptable. But I want to save it through the command prompt itself. I don't have openssl installed on my system. I am using the binaries directly to run openssl command prompt. The version I am using is openssl-0.9.8k_WIN32. So when I try to run the 1st command in windows prompt it is showing error. – Ankit Jun 18 '13 at 06:03
  • What error are you seeing when you run the 1st command? Did you get the openssl version here -> [https://code.google.com/p/openssl-for-windows/](https://code.google.com/p/openssl-for-windows/) or somewhere else? – gtrig Jun 19 '13 at 20:01
  • Yes I am using the same openssl version. – Ankit Jun 20 '13 at 07:34
  • You can use the binaries to run from the windows command line like my first example. Instead of running openssl.exe (with no arguments) to get an openssl prompt, type openssl.exe followed by the rest of the arguments on the same line just like my first example. If you go straight to the openssl prompt first, you are correct that an error will occur when you try to use ">". But if you put it all on the same line, it will work. – gtrig Jun 20 '13 at 09:33
  • Thank You gtrig :). I got the output now. – Ankit Jun 20 '13 at 12:47
  • We can use `-out pubkey.pem` instead of `> pubkey.pem`, so we don't change default STDOUT. Final command is `openssl x509 -pubkey -noout -in cert.pem -out pubkey.pem` – Ali Dahaghin Mar 30 '21 at 04:46
15

If it is an RSA key:

```
openssl rsa -pubout -in my_rsa_key.pem
```

If you need it in a format for openssh, please see "Use RSA private key to generate public key?"

Note that the public key is generated from the private key, and ssh uses the identity file (private key file) to generate and send the public key to the server and un-encrypt the encrypted token from the server via the private key in the identity file.

Community
Alex Punnen
  • It is good that you touch on the format. And no response is inquiring for details on the expected format. Should it be p1 or p12. – nethero Sep 16 '21 at 11:59
4

I am not sure why the other answers have such high upvotes. They do not solve the two problems presented in the question. A key point to the problem is the openssl command interpreter is being used and not the shell prompt.

Problem #1 - the certificate is written with the public key.

> I am using the below openssl command for storing my public key into a .pem file.
>
> `openssl> x509 -in E:/mycert.pem -pubkey -out E:/mypubkey.pem`
>
> But when I try to use this command, it is storing the whole certificate info in the mypubkey.pem file.

The solution is to add the command argument -noout.

Problem #2 - ">" operator is not supported:

> `openssl> x509 -pubkey -noout -in cert.pem > pubkey.pem`
>
> But it is throwing an error. I can't use ">" operator.

The solution is to add the `-out <filename>` command parameter.

Solution:

```
openssl> x509 -pubkey -in cert.pem -noout -out pubkey.pem
```

John Hanley
  • You're not supposed to put those at the openssl prompt. You're supposed to run them as parameters to the openssl command. – Terry Hardie Dec 26 '22 at 06:11
  • @TerryHardie - Openssl supports a command prompt. The question is how to use the command prompt. If OpenSSL did not want you to use a command prompt, OpenSSL would not offer one. – John Hanley Dec 27 '22 at 05:29
  • The command prompt is designed for an interactive session. You issue a command, read the response. The parameters on the command line are used if you want to capture the output and write it to a file or feed it to another program. They serve different purposes. For "Problem #1", you probably just need to add the "-notext" switch to remove the data you don't want. For problem #2, you can't use ">" - That's a shell feature. Instead, you'd use -out as suggested. – Terry Hardie Dec 28 '22 at 06:38
  • @TerryHardie - If you have a better answer, then post one. – John Hanley Dec 28 '22 at 06:52
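
The check below is an added example, not part of any answer on this page: a POSIX shell script that extracts the public key from a certificate, confirms the file holds only a PUBLIC KEY block (the question's first symptom), and compares it with the key derived from the private key as in the second answer. The sample key, certificate, file names and helper function names are constructed for the illustration; it assumes an `openssl` binary with the `pkey` command on the PATH.

```shell
#!/bin/sh
# Added example. The key and certificate are throwaway samples constructed here.

# Write only the public key of certificate $1 to file $2. The ">" redirect
# works because the shell handles it, not the interactive openssl> prompt.
extract_pubkey() {
    openssl x509 -pubkey -noout -in "$1" > "$2"
}

# Succeed only if $1 holds a PUBLIC KEY block and no CERTIFICATE block
# (the symptom in the question was the certificate landing in the file).
is_pubkey_only() {
    grep -q -- '-----BEGIN PUBLIC KEY-----' "$1" &&
        ! grep -q -- '-----BEGIN CERTIFICATE-----' "$1"
}

# Print the SHA-256 digest of the DER SubjectPublicKeyInfo in PEM file $1.
spki_digest() {
    openssl pkey -pubin -in "$1" -outform DER |
        openssl dgst -sha256 -r | cut -d' ' -f1
}

# Build a sample private key and self-signed certificate in directory $1.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# Succeed if certificate $1 and private key $2 carry the same public key.
# $3 is a scratch directory for the two extracted PEM files.
cert_matches_key() {
    extract_pubkey "$1" "$3/from_cert.pem" || return 1
    is_pubkey_only "$3/from_cert.pem" || return 1
    openssl pkey -in "$2" -pubout -out "$3/from_key.pem" || return 1
    a=$(spki_digest "$3/from_cert.pem")
    b=$(spki_digest "$3/from_key.pem")
    [ -n "$a" ] && [ "$a" = "$b" ]
}

demo() {
    dir=$(mktemp -d) || return 1
    make_sample "$dir" && cert_matches_key "$dir/cert.pem" "$dir/key.pem" "$dir"
    status=$?
    rm -rf "$dir"
    return "$status"
}

demo && echo "certificate and private key carry the same public key"
```

Comparing digests of the DER form avoids false mismatches from PEM line wrapping or trailing whitespace.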