Hi Kyle and RT,

I want to know the status of the bug that "-out" of openssl does not
redirect the stdout to a file.  Instead the command below prints the entire
certificate to pubkey.pem and the extracted cert (pubkey) to the screen:

$ openssl x509 -inform pem -in cert.pem -pubkey -out pubkey.pem -outform pem

Is there a way I can extract the pubkey from a csr (certificate signing
request) using openssl?  I want to avoid using ">" for redirection to stdout
if possible.

Thanks,
Janet


On 5/5/07, Kyle Hamilton <[EMAIL PROTECTED]> wrote:

Thanks for the info on DKIM.

$ openssl x509 -inform pem -in cacert.pem -noout -pubkey

This will do what you want, but it is suboptimal, as it outputs the
key onto stdout (which can be redirected to a file).

I consider this to be bugged, based on available documentation.  The
documentation states that '-out [file]' is supposed to redirect the
output to file, and that -pubkey is supposed to output the public key.
Hence, I'd expect:

$ openssl x509 -inform pem -in cert.pem -pubkey -out pubkey.pem -outform pem

to output only the public key to pubkey.pem.

The observed behavior is that it prints the public key to stdout,
while outputting the entire certificate to pubkey.pem.  This is
confusing.

cc:'ed to RT for issue management.

-Kyle H

On 5/4/07, Janet N <[EMAIL PROTECTED]> wrote:
> Hi Kyle,
>
> > What tool is it you're using for DKIM?
>
> DKIM uses the openssl library to produce a public and private key. The
> private key should be saved on an MTA server. The public key will be used
> in the DNS TXT record for DKIM.  They use the following openssl commands
> to produce the public and private key:
>
> Enter the following command to generate your private key:
>
> openssl genrsa -out rsa.private 1024
>
> Enter the following command to generate your public key:
>
> openssl rsa -in rsa.private -out rsa.public -pubout -outform PEM
>
> The public key entry in the DNS TXT record looks like the following:
>
> mail._domainkey.example.com. IN TXT "k=rsa; t=y;
> p=MEwwPQRJKoZIhvcNADAQCQADOwAwOAIxANPpYHdE2tevfEpvL1Tk2dDYv0pF28/f5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB"
>
> The string after p= is the base64 encoding of your public key.
>
> If the rsa.public file which was generated contains
>
> -----BEGIN PUBLIC KEY-----
> MEwwPQRJKoZIhvcNADAQCQADOwAwOAIxANPpYHdE2tevfEpvL1Tk2dDYv0pF28/f
> 5MxU83x/0bsn4R4p7waPaz1IbOGs/6bm5QIDAQAB
> -----END PUBLIC KEY-----
>
> You can find more info about DKIM setup using openssl pub and priv keys at:
> http://www.elandsys.com/resources/sendmail/dkim.html
>
> > that tool expects, I can find a way to make it possible.
> > (Technically, if you're using OpenCA, you're using OpenLDAP to store
> > all of the issued certificates -- and those certificates contain the
> > keys necessary.)
> >
> > I am sorry that I didn't understand that you're running this on the
> > server, disseminating information for verifiers.  This explains a lot.
> > :)
> >
> > -Kyle H
> >
> > On 5/4/07, Janet N <[EMAIL PROTECTED]> wrote:
> > >
> > > Hello,
> > >
> > > > Why do you need to get the public key at the time the certificate is
> > > > issued?  You already have it.
> > >
> > > We are using DKIM (domain key signing); it uses not the x509 public key,
> > > but the public key of the private key.  The idea is to extract the RSA
> > > public key at the time the CA issues the cert and load this RSA public
> > > key into a db.  This program is run against the CA.
> > >
> > > > The CA can extract the public key from the certificate request.
> > >
> > > I see, so I can't extract the public key
> > > -----BEGIN PUBLIC KEY-----
> > > MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCg8yo6rDhsNiwUfVR37HgF4bWq
> > > oG13Nd9XLT+Z0VLzCkWJZOdzGNQnnm7ujoQ8gbxeDvIo9RG5I3eZteBwD91Nf6P/
> > > E9lvJQDL2Qnz4EXH/CVW9DeEfvY1UJN9kc6q6KkYEPWssvVvlDOp2slbEKZCJtaP
> > > vVuGCAqfaps8J0FjOQIDAQAB
> > > -----END PUBLIC KEY-----
> > >
> > > from the already issued certificate?
> > >
> > > > The certificate contains the public key.
> > > > But you already have the public key, since you sent the certificate
> > > > request in the first place, and you have the private key that the
> > > > public key was generated with.
> > >
> > > The user won't be the one extracting the public key but the program
> > > running against the CA server.
> > >
> > > > But, you could try:
> > > >
> > > > $ openssl x509 -inform PEM -in file.pem -x509toreq -out file.csr
> > > > $ openssl req -in file.csr -pubkey -noout
> > > >
> > > > (the '-noout' can be replaced with '-outform pem -out publickey.pem'
> > > > if you need it to go to a file.)
> > >
> > > hmm, I'm running openca so I'm not sure where the certificate requests
> > > are located.  Where are they located in openssl?
> > >
> > > thanks,
> > > Janet
> > >
> > > > -Kyle H
> > > >
> > >
> >
> > --
> > -Kyle H
> >


--

-Kyle H
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
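An added example, not from this thread or from the OpenSSL project: it takes the route Kyle suggested (public key out of a CSR with `openssl req -pubkey`), keeps `-noout` so that openssl's own `-out` receives only the key and no shell redirection is needed, then turns that PEM file into the DKIM `p=` value from Janet's DNS record and checks it against the key produced by the `openssl rsa -pubout` recipe. It assumes a POSIX shell with an `openssl` binary on PATH; the private key, CSR and domain name are constructed on the fly.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes a POSIX shell and an "openssl"
# binary on PATH; the key, CSR and domain name below are constructed.

WORK=$(mktemp -d)

# Public key from a CSR, written by openssl's own -out (no shell ">").
# -noout suppresses the request itself, so the file holds only the key.
pubkey_from_csr() {            # $1 = CSR file, $2 = output PEM file
    openssl req -in "$1" -pubkey -noout -out "$2"
}

# Same key via the DKIM recipe quoted in the thread (private -> public).
pubkey_from_private() {        # $1 = private key file, $2 = output PEM file
    openssl rsa -in "$1" -pubout -outform PEM -out "$2" 2>/dev/null
}

# DKIM p= value: the PEM body with the armour lines and line breaks removed.
# A PEM "PUBLIC KEY" block is base64 of the DER SubjectPublicKeyInfo, which
# is exactly what the p= tag carries, so no re-encoding is needed.
dkim_p_value() {               # $1 = public key PEM file
    grep -v '^-----' "$1" | tr -d '\r\n'
}

# Check that a p= value decodes to a DER public key openssl can parse.
p_value_is_valid_spki() {      # $1 = base64 string; exit status is the result
    printf '%s' "$1" | openssl base64 -d -A \
        | openssl pkey -pubin -inform DER -noout 2>/dev/null
}

# Constructed material so this runs offline: a private key and a CSR for it.
openssl genrsa -out "$WORK/rsa.private" 2048 2>/dev/null
openssl req -new -key "$WORK/rsa.private" -subj '/CN=mail.example.com' \
    -out "$WORK/file.csr" 2>/dev/null

pubkey_from_csr "$WORK/file.csr" "$WORK/from_csr.pem"
pubkey_from_private "$WORK/rsa.private" "$WORK/from_key.pem"

# Both routes must yield the identical SubjectPublicKeyInfo.
if cmp -s "$WORK/from_csr.pem" "$WORK/from_key.pem"; then
    echo "public key from CSR matches the private key's public key"
fi

P=$(dkim_p_value "$WORK/from_csr.pem")
if p_value_is_valid_spki "$P"; then
    echo "mail._domainkey.example.com. IN TXT \"k=rsa; p=$P\""
fi
```

The same `dkim_p_value` step applies to a key file produced any other way, so a CA-side job can build the DNS record from the CSR alone without ever touching the private key.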