10

I'm using this command to generate a private ed25519 key:

openssl genpkey -algorithm ed25519 -out private.pem

and this is the example result:

-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIAYIsKL0xkTkAXDhUN6eDheqODEOGyFZ04jsgFNCFxZf
-----END PRIVATE KEY-----

So then I want to generate a public key based on this private key and I do it like this:

openssl pkey -in private.pem -out public.pem

but with this command I still get a private key that looks like this:

-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIAYIsKL0xkTkAXDhUN6eDheqODEOGyFZ04jsgFNCFxZf
-----END PRIVATE KEY-----

Additionally, this private and "public" key is not 32 bytes, but 64. What's wrong with my command?

Szyszka947
  • 3
    The [`-pubout`](https://www.openssl.org/docs/man1.1.1/man1/openssl-pkey.html) option is missing. – Topaco May 07 '22 at 10:49
  • Ooh thanks. But do you know why this is 60 bytes long instead of 32? Likewise, the private key is 64 bytes long instead of 32. – Szyszka947 May 07 '22 at 11:23
  • 3
    Your public key has the X.509/SPKI format. The *raw* key contained in it is 32 bytes in size; check the key in an ASN.1 parser, e.g. https://lapo.it/asn1js/. Similarly, the same applies to the private key having the PKCS#8 format. – Topaco May 07 '22 at 11:31
  • 1
    What you are seeing is a Base64-encoded ASN.1 certificate (called PEM format). You can generate the cert in raw binary format: `openssl genpkey -algorithm ed25519 -outform DER -out test25519.der`. The resulting file is 48 bytes. Now you can use https://keystore-explorer.org/, then click Examine Certificate, choose the cert (pem or der); there is no password, so just press Enter and you'll see the cert details. Click on ASN and the `OCTET STRING` is the hex-encoded key, i.e. its raw bytes – Sergey Ponomarev Jun 25 '22 at 00:39
  • 1
    Also may be useful https://mta.openssl.org/pipermail/openssl-users/2018-March/007777.html – Sergey Ponomarev Jun 25 '22 at 00:54

2 Answers

7

This will return the public key as a file.

openssl pkey -in private.pem -pubout -out public.pem
Danny G
1

The question duplicates "next gen pubkey openssl ed25519" and the answer has already been given there.

openssl pkey -in ed25519key.pem -pubout

Alexred