The private key is paired with the public key, regardless of where
it's retrieved or what format it's in.  This means that the x509
public key is the same public key as you would retrieve from the
openssl rsa command.

Regardless:

$ openssl x509 -inform PEM -in file.pem -x509toreq -out file.csr

This converts the already-issued certificate (contained in file.pem)
into a certificate request, putting the request into 'file.csr'.  I
don't know if it's possible to extract it using the command-line tools
directly from the certificate, but I do know that it can be extracted
from a CSR generated from the certificate.

$ openssl req -in file.csr -pubkey -noout

This takes the 'file.csr' certificate request, extracts the public key
from it, and prints it.

$ openssl req -in file.csr -pubkey -outform PEM -out pubkey.pem

This takes the 'file.csr' certificate request, extracts the public key
from it, and writes it to pubkey.pem.

I am not personally familiar with OpenCA, so I don't know where the
CSRs are stored (if indeed they're stored at all).  OpenSSL stores the
requests in files.

What tool is it you're using for DKIM?  Perhaps if I can find out what
that tool expects, I can find a way to make it possible.
(Technically, if you're using OpenCA, you're using OpenLDAP to store
all of the issued certificates -- and those certificates contain the
keys necessary.)

I am sorry that I didn't understand that you're running this on the
server, disseminating information for verifiers.  This explains a lot.
:)

-Kyle H

On 5/4/07, Janet N <[EMAIL PROTECTED]> wrote:

Hello,

>
> Why do you need to get the public key at the time the certificate is
> issued?  You already have it.

We are using DKIM (domain key signing); it uses not the x509 public key, but
the public key of the private key.  The idea is to extract the rsa public
key at the time the CA issues the cert and load this rsa public key to a db.
This program is run against the CA.

> The CA can extract the public key from the certificate request.

I see, so I can't extract the public key
-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCg8yo6rDhsNiwUfVR37HgF4bWq
oG13Nd9XLT+Z0VLzCkWJZOdzGNQnnm7ujoQ8gbxeDvIo9RG5I3eZteBwD91Nf6P/
E9lvJQDL2Qnz4EXH/CVW9DeEfvY1UJN9kc6q6KkYEPWssvVvlDOp2slbEKZCJtaP
vVuGCAqfaps8J0FjOQIDAQAB
-----END PUBLIC KEY-----

from the already issued certificate?

> The certificate contains the public key.
> But you already have the public key, since you sent the certificate
> request in the first place, and you have the private key that the
> public key was generated with.


The user won't be the one extracting the public key but the program running
against the CA server.

>
> But, you could try:
>
> $ openssl x509 -inform PEM -in file.pem -x509toreq -out file.csr
> $ openssl req -in file.csr -pubkey -noout
>
> (the '-noout' can be replaced with '-outform pem -out publickey.pem '
> if you need it to go to a file.)

Hmm, I'm running openca so I'm not sure where the certificate requests are
located.  Where are they located in openssl?

thanks,
Janet

> -Kyle H
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]
>




--

-Kyle H
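
Added example, not part of the original messages: a shell sketch that reads the public key straight out of an issued certificate with `openssl x509 -pubkey -noout`, checks that it is the same key `openssl rsa -pubout` derives from the private key, and strips the PEM armor to one line of base64. The key pairs, the certificate (CN=example.test), the temp directory and the function names are constructed for the example; that a key database wants the bare base64 form is an assumption.

```sh
#!/bin/sh
# Added example: throwaway keys and certificate are constructed, not from the thread.
set -eu

# Print the PEM public key (SubjectPublicKeyInfo) embedded in a certificate.
pubkey_from_cert() {
    openssl x509 -inform PEM -in "$1" -pubkey -noout
}

# Print the PEM public key derived from an RSA private key.
pubkey_from_key() {
    openssl rsa -in "$1" -pubout 2>/dev/null
}

# Drop the BEGIN/END lines and newlines, leaving one line of base64
# (assumed to be the form the key database stores).
pem_body() {
    grep -v '^-----' | tr -d '\n'
}

# Succeed only when the certificate carries the public half of the key.
# An empty extraction (unreadable file) never counts as a match.
cert_matches_key() {
    c=$(pubkey_from_cert "$1" | pem_body)
    k=$(pubkey_from_key "$2" | pem_body)
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Constructed sample: one key with its self-signed cert, plus an unrelated key.
make_sample() {
    openssl genrsa -out "$1/key.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$1/key.pem" -subj "/CN=example.test" \
        -days 1 -out "$1/file.pem" 2>/dev/null
    openssl genrsa -out "$1/other.pem" 2048 2>/dev/null
}

demo() {
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    make_sample "$tmp"
    pubkey_from_cert "$tmp/file.pem"        # PEM block, no CSR needed
    if cert_matches_key "$tmp/file.pem" "$tmp/key.pem"; then
        echo "certificate and private key share one public key"
    fi
}

demo
```

Only the certificate file is read when extracting; the private key appears here solely to confirm the pairing.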