
I have a requirement to generate a public-private key pair in PKCS#8 format and I need to upload a public key to the server without "BEGIN" and "END" lines.

Here are the steps I used to do that (taken from here):

openssl genrsa -out keypair.pem 2048
openssl rsa -in keypair.pem -pubout -out publickey.crt
openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in keypair.pem -out pkcs8.key

Everything worked fine, but when I try to upload my public key (publickey.crt), I get an error message from the server saying that the public key's maximum length is 300 characters. The key I generated is 398 characters long (without the "BEGIN" and "END" lines).

What am I doing wrong here?

Edit #1: The reason why I think I may be doing something wrong is because I was told that other people were able to successfully upload their keys.

tera_789
  • The use case is not quite clear to me (actually I would rather expect a certificate than a public key). And is the key size of 2048 bits a predefined requirement? Whatever, this is only a guess, but maybe the public key is required in DER encoding (instead of PEM encoding). The DER encoding can be obtained from the PEM encoding if the header and footer are removed and the rest is Base64 decoded. This will result in a bit less than 300 bytes of data (for a 2048-bit public key in X.509 format). – Topaco Jul 24 '20 at 07:27
  • @Topaco how could I do that specifically (The DER encoding can be obtained from the PEM encoding if the header and footer are removed and the rest is Base64 decoded)? – tera_789 Jul 25 '20 at 03:02
  • Remove the header (= the `-----BEGIN...` line), the footer (= the `-----END...` line) and all line breaks of the public PEM key. You can do the Base64 decoding online, e.g. [here](https://www.motobit.com/util/base64-decoder-encoder.asp) (removes line breaks automatically) and save the result in a file (_export to a binary file_ option) which will be less than 300 bytes in size with your parameters. Of course you can also Base64 decode locally/offline (with own code or other suitable tools), check the WWW for this. – Topaco Jul 25 '20 at 08:40
  • `--outform DER` would probably also do this. It isn't clear if the server requires PKCS#1 or SPKI form though, OpenSSL outputs SPKI / X.509 formatted public keys if I'm not mistaken. Both should fit into 300 bytes though (presuming a small public exponent, which is the default). (yep, confirmed) – Maarten Bodewes Jul 25 '20 at 14:17
  • Good points. If you don't succeed with the X.509 (SPKI) format, you should also try the PKCS#1 format. You get this e.g. if you replace `-pubout` with `-RSAPublicKey_out` in your 2nd OpenSSL statement (preferably with the `-outform DER` option, so that the DER encoding is applied directly without the detour via the PEM encoding). – Topaco Jul 26 '20 at 11:39
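The conversion the comments describe (drop the BEGIN/END lines and the line breaks, Base64-decode what is left) and the size arithmetic behind the "300 characters" limit, as an added worked example that is not part of the question or the comments. It is written in Python rather than as OpenSSL commands so it runs offline with no key generation: the modulus is a constructed 2048-bit dummy value, not a real key, and the `size_report` helper and its names are this example's own. The DER encoders follow the standard structures (RSAPublicKey from PKCS#1, SubjectPublicKeyInfo with the rsaEncryption OID 1.2.840.113549.1.1.1 for the X.509/SPKI form), which is enough to reproduce the asker's 398-character count: 294 bytes of SPKI DER Base64-encode to 392 characters, and the six line breaks inside the PEM body bring that to 398.

```python
"""Measure an RSA public key in PEM and DER form, SPKI (X.509) and PKCS#1."""
import base64
import re

# rsaEncryption OID 1.2.840.113549.1.1.1, already DER-encoded (tag 0x06, length 9)
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")

# Constructed dummy modulus: 256 bytes with the high bit set, so it is 2048 bits wide.
# NOT a real key; it only has the length of one.
SAMPLE_N = int.from_bytes(b"\xc5" + b"\xa7" * 255, "big")
SAMPLE_E = 65537  # OpenSSL's default public exponent


def der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def der_integer(value: int) -> bytes:
    """Non-negative INTEGER; a leading 0x00 keeps a high first bit from reading as negative."""
    body = value.to_bytes((value.bit_length() + 7) // 8, "big") or b"\x00"
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(0x02, body)


def rsa_pkcs1_public_der(n: int, e: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    return der_tlv(0x30, der_integer(n) + der_integer(e))


def rsa_spki_der(n: int, e: int) -> bytes:
    """SubjectPublicKeyInfo: AlgorithmIdentifier + BIT STRING holding the PKCS#1 structure."""
    alg_id = der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")  # rsaEncryption, NULL params
    bit_string = der_tlv(0x03, b"\x00" + rsa_pkcs1_public_der(n, e))  # 0 unused bits
    return der_tlv(0x30, alg_id + bit_string)


def der_to_pem(der: bytes, label: str) -> str:
    """PEM as OpenSSL writes it: Base64 in 64-character lines between BEGIN/END lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_body(pem: str) -> str:
    """Everything between the BEGIN and END lines, line breaks included (what the asker counted)."""
    m = re.search(r"-----BEGIN [^-]+-----\n(.*?)\n-----END [^-]+-----", pem, re.S)
    if not m:
        raise ValueError("not a PEM block")
    return m.group(1)


def pem_to_der(pem: str) -> bytes:
    """The conversion from the comments: strip header, footer and line breaks, then Base64-decode."""
    return base64.b64decode(pem_body(pem).replace("\n", ""), validate=True)


def public_key_format(der: bytes) -> str:
    """SPKI starts SEQUENCE { SEQUENCE ... }, bare PKCS#1 starts SEQUENCE { INTEGER ... }."""
    if der[:1] != b"\x30":
        raise ValueError("not a DER SEQUENCE")
    first_len_octet = der[1]
    content_offset = 2 if first_len_octet < 0x80 else 2 + (first_len_octet & 0x7F)
    inner_tag = der[content_offset]
    if inner_tag == 0x30:
        return "SPKI"
    if inner_tag == 0x02:
        return "PKCS#1"
    raise ValueError(f"unexpected inner tag 0x{inner_tag:02x}")


def size_report(n: int = SAMPLE_N, e: int = SAMPLE_E) -> dict:
    """Sizes of the same public key in each encoding, plus a PEM -> DER round-trip check."""
    spki = rsa_spki_der(n, e)
    pkcs1 = rsa_pkcs1_public_der(n, e)
    spki_pem = der_to_pem(spki, "PUBLIC KEY")          # what `openssl rsa -pubout` writes
    pkcs1_pem = der_to_pem(pkcs1, "RSA PUBLIC KEY")    # what `-RSAPublicKey_out` writes
    if pem_to_der(spki_pem) != spki or pem_to_der(pkcs1_pem) != pkcs1:
        raise AssertionError("PEM/DER round trip failed")
    return {
        "spki_pem_body_chars": len(pem_body(spki_pem)),
        "spki_der_bytes": len(spki),
        "pkcs1_pem_body_chars": len(pem_body(pkcs1_pem)),
        "pkcs1_der_bytes": len(pkcs1),
        "spki_format": public_key_format(spki),
        "pkcs1_format": public_key_format(pkcs1),
    }


if __name__ == "__main__":
    for key, value in size_report().items():
        print(f"{key}: {value}")
```

Running it shows the two numbers that matter for the question: the SPKI PEM body is 398 characters, while the same key as SPKI DER is 294 bytes and as PKCS#1 DER is 270 bytes, both under the 300 limit. The `public_key_format` check is useful before uploading, because a server that says "public key" may mean either structure and the two are not interchangeable. With OpenSSL the DER forms come from `openssl rsa -in keypair.pem -pubout -outform DER -out publickey.der` (SPKI) and the `-RSAPublicKey_out -outform DER` variant mentioned in the comments (PKCS#1).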

0 Answers