44

I have the requirement to extract the public key (RSA) from a *.cer file. I wish to extract the key and store it in a .pem file so I can use its value to encrypt values using jsencrypt.

The following command converts a .cer to .pem:

```
openssl x509 -inform der -in certificate.cer -out certificate.pem
```

Yet it doesn't generate a file with the public key but a file with the contents of the *.cer file.

```
-----BEGIN CERTIFICATE-----
MIICPDCCAamgAwIBAg............
*lots of extra contents*
-----END CERTIFICATE-----
```

What command should I use to extract the public key and store it in a .pem file?

Steven Anderson
  • Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See [What topics can I ask about here](http://stackoverflow.com/help/on-topic) in the Help Center. Perhaps [Super User](http://superuser.com/) or [Unix & Linux Stack Exchange](http://unix.stackexchange.com/) would be a better place to ask. Also see [Where do I post questions about Dev Ops?](http://meta.stackexchange.com/q/134306) – jww Sep 22 '16 at 13:59
  • 23
    Fighting with these things is often a developer's lot. There are a lot of questions on SO about certificate management. It's not Super User or Linux or Dev Ops, all of which aren't specific enough. I believe this is in fact the correct place. – Ghoti Aug 17 '17 at 12:51

2 Answers

93

Using this command I was able to generate the .pem with the contents of the public key.

```
openssl x509 -inform der -in certificate.cer -pubkey -noout > certificate_publickey.pem
```

Which produces:

```
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCsM+whXrxmbCkPfkwY2EehYpIp
*blah blah blah blah*
-----END PUBLIC KEY-----
```

Steven Anderson
  • 4
    Thanks. Just a correction: for a .cer file input, the `inform` parameter should be `der` – Gobe May 25 '16 at 15:56
  • 2
    I was pretty sure that what I wrote in my answer was correct and did work for me... I did use `-inform pem`. Although if `-inform der` works too, then that's cool. – Steven Anderson Apr 27 '17 at 06:01
  • 33
    For anyone else trying this, `-inform DER` would not work for me, but `-inform PEM` works. – Andrew Corkery Jan 30 '18 at 11:35
  • OMG I looked for this so long. This is mind blowing for me that instead of `-out` we should use `-noout` with redirection to file. I tried to extract pub key from PEM file received from Google OAuth jwks_url v1 so now I finally did it. Thank you – Sergey Ponomarev Feb 01 '20 at 18:18
  • 1
    Although the OP's intent is to use this with `jsencrypt` so his question was answered, it specifically asks about an RSA (PKCS#1) public key, but this answer appears to offer a PKCS#8 formatted public key. Is the OP's original question possible? The difference is the RSA public keys start with `BEGIN RSA PUBLIC KEY` as opposed to the PKCS#8 which start with `BEGIN PUBLIC KEY`. If I can find the answer on my own, I will supply it as an alternate solution. – tresf Jul 07 '21 at 18:11
  • The solution to my question (RSA format, per OP's original request) is available here: https://stackoverflow.com/a/27930720/3196753 – tresf Jul 07 '21 at 18:20
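
What `-pubkey -noout` pulls out of the certificate, and why the `-inform der` versus `-inform pem` disagreement in the comments depends on how the particular .cer is encoded, shown as an added example (not code from any of the posts above) in standard-library Python. It goes slightly beyond the answer by accepting either encoding; `sample_cer` builds a constructed, certificate-shaped input whose modulus is filler, and all function names are this example's own.

```python
import base64, re, textwrap

def tlv(tag, val):  # DER-encode one element; only used to build the sample
    n, size = len(val), (len(val).bit_length() + 7) // 8
    hdr = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + hdr + val

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def to_der(data):
    """Accept either encoding a .cer may use: PEM armor or raw DER."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def extract_spki(cer_bytes):
    """Return the DER SubjectPublicKeyInfo, the bytes inside BEGIN PUBLIC KEY."""
    der = to_der(cer_bytes)
    tag, pos, _ = read_tlv(der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER or PEM certificate")
    _, pos, _ = read_tlv(der, pos)          # tbsCertificate ::= SEQUENCE
    tag, _, after = read_tlv(der, pos)
    if tag == 0xA0:                         # optional [0] version field
        pos = after
    for _field in range(5):                 # serial, sigAlg, issuer, validity, subject
        _, _, pos = read_tlv(der, pos)
    _, _, end = read_tlv(der, pos)          # subjectPublicKeyInfo
    return der[pos:end]

def pem(label, der):
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode(), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def sample_cer():  # constructed certificate-shaped DER; modulus is filler, not a real key
    alg = bytes.fromhex("300d06092a864886f70d0101010500")   # rsaEncryption, NULL params
    rsa = tlv(0x30, tlv(0x02, b"\x00\xac" + bytes(127)) + tlv(0x02, b"\x01\x00\x01"))
    spki = tlv(0x30, alg + tlv(0x03, b"\x00" + rsa))
    empty = tlv(0x30, b"")                  # stand-in for issuer, validity, subject
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01") + alg + empty * 3 + spki)
    return tlv(0x30, tbs + alg + tlv(0x03, b"\x00"))
```

For a real file, pass `open("certificate.cer", "rb").read()` to `extract_spki` and print `pem("PUBLIC KEY", ...)` on the result.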
3

Solution for PowerShell:

```
# Load the certificate, then export only the public part of the key as XML
$certFile = "[path to .cer file]"
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certFile)
$cer.PublicKey.Key.ToXmlString($false)
```

Solution from C#:

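```
using System.Security.Cryptography.X509Certificates;

// Load the certificate, then export only the public part of the key as XML
string certificate = @"<PATH TO .CER>";
X509Certificate2 cert = new X509Certificate2(certificate);
string xml = cert.GetRSAPublicKey().ToXmlString(false);
```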
amy8374