> From: owner-openssl-us...@openssl.org On Behalf Of Panikulam Vivek
> Sent: Thursday, 23 September, 2010 10:53

> I have generated a private key using the below command and
> want to extract the public key in a format that is compatible
> with sites using Java.
>
>   openssl genrsa -out priv_key.txt 1024
>
> Is there a command in openssl that will extract the public key
> for this private key in a cert file or xml format that is compatible
> with Java sites?

For a certificate: you can't 'extract' a cert from a keypair because
a cert contains much more information than the publickey. You can get
a cert *containing* your publickey by several methods which are nearly
equivalent in principle but different in detail:

1. generate a CSR (certificate signing request) with

     openssl req -new [-config $conf] -key priv_key.txt -out $req
     # uses default config (must exist) if you don't specify one
     # if you have your own config it can also specify the keyfile

   send the CSR to a CA which issues a cert. Often this costs money.
   This cert can be imported to a Java truststore/keystore by standard
   keytool, IF either the CA is in the existing (shipped or customized)
   truststore, or the user decides (is persuaded) to trust it manually.
   For other programs that might read a cert, it depends on the program.

2. set up your own (basic) CA with openssl, generate a CSR as above,
   and use 'openssl ca' to issue a cert for it. This setup is a bit
   more complicated, more than I have time to check and type right now,
   but there's undoubtedly lots of webpages, some possibly correct.

3. create just a CA keypair and (self-signed) CA cert with openssl
   (even more basic), generate a CSR as above, and

     openssl x509 -req -in $req [-CAkey $CAkey] -CA $CAcert -out $cert \
         {[-CAserial $file] [-CAcreateserial] | -set_serial $hexnum}

   These two use a (pseudo)CA you create yourself, so to have its certs
   trusted automatically, you (or your users) must put your DIY CA cert
   in their Java's truststore(s), normally JRE/lib/security/cacerts .

4. create a CSR as above and self-sign it

     openssl x509 -req -in $req -signkey priv_key.txt -out $cert

   or simpler

5. generate a self-signed cert directly

     openssl req -new -x509 -key priv_key.txt [-config $conf] -out $cert

   These self-signed certs must always be trusted manually.

There are various extension data-items that can be included in a CSR
to be copied in the cert at the choice of the CA, and/or directly put
in the cert by the action of the CA. In case 2 you are the CA and can
do both; in 3 and 4 you can put extensions in the cert (but AFAIK not
copy); in 5 you can directly put extensions. Whether your 'Java site'
needs any of these extensions depends on what your 'Java site' is. For
SSL using default SSLSockets (JSSE) to trust an issuer, IME no
extensions are needed and a plain v1 cert works fine.

> Note: I have used below command to extract public key
> in default PEM format. But the vendor requires the key format
> to be one which is compatible with Java.
>
>   openssl rsa -in priv_key.txt -out pub_key.txt -pubout

Java, specifically the default SunRsaSign factory, is certainly able to
handle X509-style publickeyinfo-RSA generated (and used) by openssl, in
DER format, which you can easily create by adding -outform DER to that
command (and changing the filename as appropriate). The mapping to and
from PEM is (almost) orthogonal to the contents, and could easily be
written separately, but I have not found it exported by standard Java.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
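As an added illustration of the last point (this is example code written for this page, not anything from the thread or from OpenSSL/Java), the block below builds the X.509 SubjectPublicKeyInfo that `openssl rsa -pubout -outform DER` emits, shows that the PEM form is only a base64 wrapper around the same bytes, and parses the DER back into (modulus, exponent). The modulus/exponent values are constructed toy numbers, not a real key; the function names are my own.

```python
import base64
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1, rsaEncryption
TOY_N, TOY_E = 0xC0FFEE1234567890ABCDEF0123456789, 65537  # constructed toy values, NOT a real key

def der(tag, body):
    # One DER TLV: tag, definite-form length (short or long form), value.
    n = len(body)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + body

def der_int(v):
    # INTEGER: big-endian, with a leading 0x00 when the top bit is set.
    return der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))

def spki_rsa_der(n, e):
    # SubjectPublicKeyInfo: what 'openssl rsa -pubout -outform DER' writes and X509EncodedKeySpec reads.
    rsa_public_key = der(0x30, der_int(n) + der_int(e))       # RSAPublicKey ::= SEQUENCE { n, e }
    algorithm = der(0x30, der(0x06, RSA_OID) + b"\x05\x00")  # AlgorithmIdentifier with NULL params
    return der(0x30, algorithm + der(0x03, b"\x00" + rsa_public_key))  # BIT STRING, 0 unused bits

def der_to_pem(d):
    # PEM is only base64 in 64-column lines between markers; the DER inside is unchanged.
    b64 = base64.b64encode(d).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN PUBLIC KEY-----\n" + body + "\n-----END PUBLIC KEY-----\n"

def pem_to_der(pem):
    lines = [l.strip() for l in pem.splitlines() if l.strip() and not l.startswith("-----")]
    return base64.b64decode("".join(lines))

def read_tlv(buf, pos):
    # Decode the TLV at pos; return (tag, value, position after it).
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long form: low 7 bits = count of length bytes that follow
        n, pos = int.from_bytes(buf[pos:pos + (n & 0x7F)], "big"), pos + (n & 0x7F)
    return tag, buf[pos:pos + n], pos + n

def parse_spki_rsa(d):
    # Walk the structure built above and return (modulus, exponent); reject anything else.
    tag, spki, end = read_tlv(d, 0)
    tag_a, alg, pos = read_tlv(spki, 0)
    oid_tag, oid, _ = read_tlv(alg, 0)
    tag_b, bits, _ = read_tlv(spki, pos)
    if (tag, tag_a, oid_tag, tag_b, oid, bits[0], end) != (0x30, 0x30, 0x06, 0x03, RSA_OID, 0, len(d)):
        raise ValueError("not an rsaEncryption SubjectPublicKeyInfo")
    rsa_tag, rsa, _ = read_tlv(bits, 1)  # offset 1 skips the unused-bits byte
    n_tag, n, pos = read_tlv(rsa, 0)
    e_tag, e, _ = read_tlv(rsa, pos)
    if (rsa_tag, n_tag, e_tag) != (0x30, 0x02, 0x02):
        raise ValueError("RSAPublicKey must be a SEQUENCE of two INTEGERs")
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")
```

Feeding `pem_to_der()` the PEM file that `openssl rsa -pubout` writes gives exactly the bytes `-outform DER` would have produced, which is what Java's X509EncodedKeySpec expects.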