>       From: owner-openssl-us...@openssl.org On Behalf Of Panikulam Vivek
>       Sent: Thursday, 23 September, 2010 10:53

>       I have generated a private key using the below command and 
> want to extract the public key in a format that is compatible 
> with sites using Java.
         
>       openssl genrsa -out priv_key.txt 1024
         
>       Is there a command in openssl that will extract the public key 
> for this private key in a cert file or xml format that is compatible 
> with Java sites?

For a certificate: you can't 'extract' a cert from a keypair 
because a cert contains much more information than the publickey. 
You can get a cert *containing* your publickey by several methods 
which are nearly equivalent in principle but different in detail:

1. generate a CSR (certificate signing request) with 
  openssl req -new [-config $conf] -key priv_key.txt -out $req
  # uses default config (must exist) if you don't specify one
  # if you have your own config it can also specify the keyfile
send CSR to a CA which issues a cert. Often this costs money.

This cert can be imported to a Java truststore/keystore by standard 
keytool, IF either the CA is in the existing (shipped or customized) 
truststore, or the user decides (is persuaded) to trust it manually. 
For other programs that might read a cert, it depends on the program.

2. set up your own (basic) CA with openssl, generate a CSR as above, 
and use 'openssl ca' to issue a cert for it. This setup is a bit more 
complicated, more than I have time to check and type right now,
but there's undoubtedly lots of webpages, some possibly correct.

3. create just a CA keypair and (selfsigned) CA cert with openssl 
(even more basic), generate a CSR as above, and
  openssl x509 -req -in $req [-CAkey $CAkey] -CA $CAcert -out $cert
    {[-CAserial $file] [-CAcreateserial] | -set_serial $hexnum}

These two use a (pseudo)CA you create yourself, so to have its certs 
trusted automatically, you (or your users) must put your DIY CA cert 
in their Java's truststore(s), normally JRE/lib/security/cacerts .

4. create a CSR as above and self-sign it
  openssl x509 -req -in $req -signkey priv_key.txt -out $cert 
or simpler 5. generate a self-signed cert directly
  openssl req -new -x509 -key priv_key.txt [-config $conf] -out $cert 

These self-signed certs must always be trusted manually.

There are various extension data-items that can be included 
in a CSR to be copied in the cert at the choice of the CA, 
and/or directly put in the cert by the action of the CA.
In case 2 you are the CA and can do both; in 3 and 4 
you can put extensions in the cert (but AFAIK not copy); 
in 5 you can directly put extensions.

Whether your 'Java site' needs any of these extensions 
depends on what your 'Java site' is. For SSL using default 
SSLSockets (JSSE) to trust an issuer, IME no extensions 
are needed and a plain v1 cert works fine.

>       Note: I have used below command to extract public key 
> in default PEM format. But the vendor requires the key format 
> to be one which is compatible with Java. 
         
>       openssl rsa -in priv_key.txt -out pub_key.txt -pubout

Java, specifically the default SunRsaSign factory, is 
certainly able to handle X509-style publickeyinfo-RSA 
generated (and used) by openssl, in DER format, which 
you can easily create by adding -outform DER to that 
command (and changing the filename as appropriate).

The mapping to and from PEM is (almost) orthogonal to 
the contents, and could easily be written separately, 
but I have not found it exported by standard Java.



______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
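The procedure described in the reply above (option 3: a DIY CA cert signing a CSR for the poster's key, plus the `-outform DER` public-key export for Java), as an added, runnable example that is not part of the original post. File names, the subject names, the `-days` values and the 2048-bit key size are this example's own choices (the poster used 1024; a Debian-style OpenSSL security level 2 rejects a 1024-bit CA on `verify`, so 2048 is used here). It assumes `openssl` and a usable default `openssl.cnf` are on the path, which the reply also assumes.

```shell
#!/bin/sh
# Added example, not from the original post: exercise the reply's
# option 3 end to end and check the artifacts with openssl itself.
set -eu

demo_ca_chain() {
    work=$(mktemp -d)
    cd "$work"

    # The poster's private key (same command as the post, key size raised).
    openssl genrsa -out priv_key.txt 2048 2>/dev/null

    # 3a: a throw-away CA keypair and a self-signed CA cert (option 5 shape).
    openssl genrsa -out ca_key.pem 2048 2>/dev/null
    openssl req -new -x509 -key ca_key.pem -subj "/CN=Example DIY CA" \
        -days 3650 -out ca_cert.pem

    # 3b: CSR for the poster's key (option 1 shape, no config edits needed).
    openssl req -new -key priv_key.txt -subj "/CN=example.test" -out req.csr

    # 3c: issue the end-entity cert with the DIY CA; -CAcreateserial makes
    # ca_cert.srl on first use so no -set_serial is required.
    openssl x509 -req -in req.csr -CA ca_cert.pem -CAkey ca_key.pem \
        -CAcreateserial -days 365 -out cert.pem 2>/dev/null

    # Check 1: the cert chains to the DIY CA (what Java will need in its
    # truststore), and its public key is exactly the one in priv_key.txt.
    openssl verify -CAfile ca_cert.pem cert.pem >/dev/null
    cert_pub=$(openssl x509 -in cert.pem -noout -pubkey | openssl md5)
    key_pub=$(openssl rsa -in priv_key.txt -pubout 2>/dev/null | openssl md5)
    [ "$cert_pub" = "$key_pub" ] || { echo "public key mismatch"; return 1; }

    # The DER SubjectPublicKeyInfo the reply recommends for Java: same
    # command as the poster's, plus -outform DER and a new file name.
    openssl rsa -in priv_key.txt -pubout -outform DER -out pub_key.der 2>/dev/null

    # Check 2: DER, not PEM (first byte is the SEQUENCE tag 0x30), and it
    # parses back as an RSA public key.
    first=$(od -An -tx1 -N1 pub_key.der | tr -d ' ')
    [ "$first" = "30" ] || { echo "not DER"; return 1; }
    openssl rsa -pubin -inform DER -in pub_key.der -noout 2>/dev/null

    cd / && rm -rf "$work"
    echo ok
}
```

On the Java side, `pub_key.der` is what `KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(bytes))` expects, and `ca_cert.pem` is what a user imports with `keytool -importcert -file ca_cert.pem -alias diyca -keystore <truststore>` so that `cert.pem` is trusted without a manual prompt.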