47

We're trying to implement some functionality of a Web-Service from one of our partners. Now, the content which is being transmitted should be encrypted with a public key, which we have to provide.

The security specification says that the public certificate has to be X.509 standard. Doesn't X.509 rely on the private / public key method? Because I only get one .pem file, containing a private key and a certificate, but no public key, using the following command:

openssl req -new -x509 -days 365 -nodes -out ./cert.pem -keyout ./cert.pem

Do I have to modify the command in order to create a private and a public key?

Ahatius

3 Answers

127

The basic command-line steps to generate a private and public key using OpenSSL are as follows:

openssl genrsa -out private.key 1024
openssl req -new -x509 -key private.key -out publickey.cer -days 365
openssl pkcs12 -export -out public_privatekey.pfx -inkey private.key -in publickey.cer

Step 1 – generates a private key

Step 2 – creates an X509 certificate (.cer file) containing your public key, which you upload when registering your private application (or upgrading to a partner application).

Step 3 – Export your x509 certificate and private key to a pfx file. If your chosen wrapper library uses the .pem file to sign requests then this step is not required.

This answer explains the different file extensions.

LorDFaKeR
  • I'm not quite sure what the 3rd command does, but it seems to work quite nicely with the privatekey.pem and the publickey.cer. Thanks! – Ahatius May 16 '13 at 13:38
  • In this example, does `privatekey.pem` contain just the private key or the public key as well? – Isaac Kleinman Jan 15 '14 at 14:59
  • You are using the wrong file extension in your first command. You should use `.key` instead of `.pem`, to avoid confusion. The resulting file will be simply a private key. Someone might send the `.pem` file to someone else by mistake, creating a security problem. – w0rp Apr 20 '15 at 10:19
  • I've spent so much time reading articles and posts trying to generate a .PFX file so I can utilize it for SAML single sign on. Your second line of code was the silver bullet - I haven't seen anyone mention using the -x509 argument. Everyone has it generating the CSR, which I don't need, as my cert doesn't need signing in this case. – Chris Smith Apr 28 '16 at 06:44
  • For other users: if you get a config error, follow: https://stackoverflow.com/questions/7360602/openssl-and-error-in-reading-openssl-conf-file – Jhonatan Pereira Feb 13 '19 at 17:14
16

The public key is stored inside the X.509 certificate. The certificate binds identity information (common name, address, whatever else) to this public key.

Nickolay Olshevsky
  • Well, in my case there is a **BEGIN CERTIFICATE** and a **BEGIN PRIVATE KEY**. Is the CERTIFICATE my public key? And can I split those two into separate files, so the other side doesn't get to see the private key? – Ahatius May 10 '13 at 11:45
  • Yes, CERTIFICATE part is the certificate (base64-encoded, with public key), PRIVATE KEY - is, doh, the private key. You can (and actually SHOULD) separate them and send only certificate part to other party. – Nickolay Olshevsky May 10 '13 at 11:57
  • Ok, thank you a lot. I'll send them the CERTIFICATE part then :) I'd like to upvote, but obviously I reached my daily vote limit :O – Ahatius May 10 '13 at 11:59
8

Create a private-public key pair.

openssl req -x509 -newkey rsa:2048 -keyout private.key -out public.cert -days 365

Optionally, combine the pair into a single file.

openssl pkcs12 -export -inkey private.key -in public.cert -out certificate.pfx

This results in the following files.

private.key
certificate.pfx
public.cert

Shaun Luttin
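Added example (not from the question or any answer) for the situation the question starts from: one .pem file holding both the private key and the certificate, as the `-keyout ./cert.pem -out ./cert.pem` command produced. It splits that file into the separate `private.key` and `public.cert` files the answers above work with, creates the key file readable by its owner only, and checks that the file meant for the partner holds exactly one certificate and no key material. It assumes openssl is on PATH; the combined file is constructed here by generating the two parts separately and concatenating them, and the file names and subject are made up for the example.

```shell
#!/bin/sh
# Added example: split a combined key+certificate PEM file into a private key
# that stays local and a certificate that can be shared. Assumes openssl is on
# PATH; all file names and the subject are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Build a combined cert.pem like the one in the question: private key followed
# by certificate in one file (constructed from two separate files here).
make_combined_pem() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=example.invalid" \
        -keyout "$WORK/tmp.key" -out "$WORK/tmp.cert" 2>/dev/null
    cat "$WORK/tmp.key" "$WORK/tmp.cert" > "$WORK/cert.pem"
    rm -f "$WORK/tmp.key" "$WORK/tmp.cert"
}

# OpenSSL's PEM readers skip blocks they were not asked for, so openssl itself
# does the split: pkey picks the PRIVATE KEY block, x509 the CERTIFICATE block.
# The subshell's umask makes private.key owner-readable only (mode 0600).
split_pem() {
    (umask 077; openssl pkey -in "$WORK/cert.pem" -out "$WORK/private.key")
    openssl x509 -in "$WORK/cert.pem" -out "$WORK/public.cert"
}

# Count PEM blocks whose label contains $1 (e.g. "PRIVATE KEY") in file $2.
# Matches both "BEGIN PRIVATE KEY" and "BEGIN RSA PRIVATE KEY".
count_blocks() {
    grep -c "^-----BEGIN .*$1-----$" "$2" || true
}

# The file that leaves the organisation must hold exactly one certificate,
# no key material, and must still parse as a certificate.
cert_file_is_shareable() {
    [ "$(count_blocks 'PRIVATE KEY' "$WORK/public.cert")" -eq 0 ] &&
    [ "$(count_blocks CERTIFICATE "$WORK/public.cert")" -eq 1 ] &&
    openssl x509 -in "$WORK/public.cert" -noout -subject >/dev/null
}

make_combined_pem
split_pem
cert_file_is_shareable && echo "send only public.cert; keep private.key"
```

Running the split with `openssl pkey` / `openssl x509` rather than with text tools also re-validates both blocks, so a truncated or corrupted PEM fails loudly instead of producing a half-copied file.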