Hi Kyle,
What tool is it you're using for DKIM?
DKIM uses openssl library to produce a public and private key. The private key should be saved on an MTA server. The public key will be used in the DNS TXT record for DKIM. They use the following openssl command below to produce the public and private key:

- Enter the following command to generate your private key:

      openssl genrsa -out rsa.private 1024

- Enter the following command to generate your public key:

      openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM

The public key entry in DNS TXT record looks like the following:

    mail._domainkey.example.com. IN TXT "k=rsa; t=y; p=MEwwPQRJKoZIhvcNADAQCQADOwAwOAIxANPpYHdE2tevfEpvL1Tk2dDYv0pF28/f5MxU83x/0b sn4R4p7waPaz1IbOGs/6bm5QIDAQAB"

The string after *p=* is the base64 encoding of your public key. If the *rsa.public* file which was generated contains

    -----BEGIN PUBLIC KEY-----
    MEwwPQRJKoZIhvcNADAQCQADOwAwOAIxANPpYHdE2tevfEpvL1Tk2dDYv0pF28/f
    5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB
    -----END PUBLIC KEY-----

You can find more info about DKIM setup using openssl pub and priv keys at:
http://www.elandsys.com/resources/sendmail/dkim.html

that tool expects, I can find a way to make it possible.
(Technically, if you're using OpenCA, you're using OpenLDAP to store all of the issued certificates -- and those certificates contain the keys necessary.)

I am sorry that I didn't understand that you're running this on the server, disseminating information for verifiers. This explains a lot. :)

-Kyle H

On 5/4/07, Janet N <[EMAIL PROTECTED]> wrote:
>
> Hello,
>
> > Why do you need to get the public key at the time the certificate is
> > issued? You already have it.
>
> We are using DKIM (domain key signing), it uses not the x509 public key, but
> the public key of the private key. The idea is to extract the rsa public
> key at the time the CA issues the cert and load this rsa public key to a db.
> This program is run against the CA.
>
> > The CA can extract the public key from the certificate request.
>
> I see, so I can't extract the public key
> -----BEGIN PUBLIC KEY-----
> MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCg8yo6rDhsNiwUfVR37HgF4bWq
> oG13Nd9XLT+Z0VLzCkWJZOdzGNQnnm7ujoQ8gbxeDvIo9RG5I3eZteBwD91Nf6P/
> E9lvJQDL2Qnz4EXH/CVW9DeEfvY1UJN9kc6q6KkYEPWssvVvlDOp2slbEKZCJtaP
> vVuGCAqfaps8J0FjOQIDAQAB
> -----END PUBLIC KEY-----
>
> from the already issued certificate?
>
> > The certificate contains the public key.
> > But you already have the public key, since you sent the certificate
> > request in the first place, and you have the private key that the
> > public key was generated with.
>
> The user won't be the one extracting the public key but the program running
> against the CA server.
>
> > But, you could try:
> >
> > $ openssl x509 -inform PEM -in file.pem -x509toreq -out file.csr
> > $ openssl req -in file.csr -pubkey -noout
> >
> > (the '-noout' can be replaced with '-outform pem -out publickey.pem '
> > if you need it to go to a file.)
>
> hmm, I'm running openca so I'm not sure where the certificate requests are
> located at. Where are they located at in openssl?
>
> thanks,
> Janet
>
> > -Kyle H
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]

--
-Kyle H
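
An added example, not part of the thread or of any tool named in it: the task discussed above, done from the issued certificate alone with `openssl x509 -pubkey -noout`, then reduced to the one-line value that follows p= in the DKIM TXT record. The function names, the script name and the selector/domain arguments are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are illustrative.

# Print the public key held in an issued certificate as a PEM
# SubjectPublicKeyInfo block. Needs only the certificate: no private
# key and no certificate request.
cert_pubkey_pem() {
    openssl x509 -inform PEM -in "$1" -pubkey -noout
}

# stdin: PEM public key. stdout: the base64 body on one line, i.e. the
# text that follows p= (armor lines and all whitespace removed).
pem_to_dkim_p() {
    grep -v '^-----' | tr -d ' \t\r\n'
}

# dkim_txt_record SELECTOR DOMAIN   (PEM public key on stdin)
# Prints a zone-file TXT line. t=y marks the record as testing, as in
# the record quoted in the message.
dkim_txt_record() {
    p=$(pem_to_dkim_p)
    [ -n "$p" ] || { echo "no key material on stdin" >&2; return 1; }
    # One TXT character-string holds at most 255 bytes, so a long value
    # (a 2048-bit key, for instance) is emitted as several quoted
    # strings; verifiers concatenate them without added whitespace.
    strings=$(printf '%s\n' "k=rsa; t=y; p=$p" | fold -w 255 |
        sed 's/.*/"&"/' | paste -s -d ' ' -)
    printf '%s._domainkey.%s. IN TXT %s\n' "$1" "$2" "$strings"
}

# Usage: sh dkim_from_cert.sh CERT.pem SELECTOR DOMAIN
if [ "$#" -eq 3 ]; then
    cert_pubkey_pem "$1" | dkim_txt_record "$2" "$3"
fi
```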