> From: owner-openssl-us...@openssl.org On Behalf Of Adriana Rodean
> Sent: Friday, 19 June, 2009 00:55

> I have a certificate in der format, from it with this command
> I generate a public key:
<snip: x509 -pubkey to pem>
> How can I obtain a public key like the following? Either from
> certificate or from this public key?
<snip ssh pubkey format>
> This was obtained with this command:
>
> ssh-keygen -y -f private_key1.pem > public_key1.pub
>

Not easily with (just) openssl.

openssl pubkey files use the ASN.1 X.509 KeyInfo wrapping of, for an RSA key as here, the PKCS#1 representation, optionally base64ed.

ssh, at least openssh, FOR PUBLIC KEYS, uses its own representation, which is a series of items each with a 4-byte length field, base64ed, and inserted into a text line with at least one other field. (This allows multiple pubkeys to be combined into one file simply.)

To convert directly, you'll have to: de-base64; pick out the fields from the openssl ASN.1 representation; reformat them into the openssh representation; en-base64; add the openssh tag.

openssl enc -a [-d] can do the de-base64 and (nearly) en-base64, if you don't have other tools. openssl rsa -pubin -text -noout, or openssl asn1parse -offset as_needed_here_22, can extract the fields, but in text form(s) which must be parsed back into binary; it's not clear this is easier than just parsing the DER.

This is probably 10-20 lines of perl (assuming you have perl), or 50-100ish of C depending on robustness and style. Someone may well have already done it, but I wouldn't know where to look.

openssh DOES use openssl format(s) for PRIVATE KEY files, and as you already know, ssh-keygen can extract from such a privatekey file to its publickey format. That's the easy way.

Why do you have a (X.509) cert for an ssh key anyway? That doesn't really make sense, unless someone is using the same key for multiple applications, which is rarely a good idea and almost never necessary.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
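
The five conversion steps listed in the reply above (de-base64, pick out the ASN.1 fields, reformat, en-base64, add the tag), written out as an added Python example that is not part of the original thread. The function names `read_tlv` and `spki_pem_to_openssh` are hypothetical, and the sample key is a constructed 16-bit toy value used only to exercise the parser.

```python
import base64
import struct
# AlgorithmIdentifier contents for RSA: OID 1.2.840.113549.1.1.1 followed by NULL
RSA_ALG = bytes.fromhex("06092a864886f70d0101010500")

def read_tlv(buf, pos, want_tag):
    """Read one DER element at pos; return (content bytes, offset after it)."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError(f"expected DER tag {want_tag:#04x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        if not 1 <= count <= 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def spki_pem_to_openssh(pem, comment=""):
    # 1. de-base64: drop the BEGIN/END lines and decode what is left
    body = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    # 2. pick out the fields: SEQUENCE { AlgorithmIdentifier, BIT STRING { n, e } }
    spki, _ = read_tlv(der, 0, 0x30)
    alg, pos = read_tlv(spki, 0, 0x30)
    if alg != RSA_ALG:
        raise ValueError("not an RSA public key")
    bits, _ = read_tlv(spki, pos, 0x03)
    if not bits or bits[0] != 0:
        raise ValueError("unexpected BIT STRING padding")
    rsa, _ = read_tlv(bits[1:], 0, 0x30)  # PKCS#1 RSAPublicKey
    n, pos = read_tlv(rsa, 0, 0x02)
    e, _ = read_tlv(rsa, pos, 0x02)
    # 3. reformat: each item gets a 4-byte big-endian length. A positive DER
    #    INTEGER has the same bytes as an SSH mpint, so n and e are copied as-is.
    blob = b"".join(struct.pack(">I", len(f)) + f for f in (b"ssh-rsa", e, n))
    # 4. en-base64, 5. add the openssh tag (and optional comment)
    fields = ["ssh-rsa", base64.b64encode(blob).decode("ascii")]
    return " ".join(fields + ([comment] if comment else []))

# Constructed sample: a 16-bit toy modulus (0xb5a1) with e = 65537, not a usable key.
SAMPLE_DER = bytes.fromhex("301e300d06092a864886f70d0101010500"
                           "030d00300a020300b5a10203010001")
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END PUBLIC KEY-----\n")
```

OpenSSH releases newer than this 2009 thread can also perform the conversion directly with `ssh-keygen -i -m PKCS8 -f pubkey.pem`.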