145

The following command generates a file which contains both public and private key:

openssl genrsa -des3 -out privkey.pem 2048

Source: here

With OpenSSL, the private key contains the public key information as well, so a public key doesn't need to be generated separately

How can we extract the public key from the privkey.pem file?

Thanks.

jww
Jake
  • 1
    @anish People should NOT be encouraged to paste private keys into random web forms. That's hugely disconcerting from a security perspective, and given you built that "tool" it's also self-promotion. Please remove your comment. – aendra Oct 20 '20 at 14:31

6 Answers

215
openssl rsa -in privkey.pem -pubout > key.pub

That writes the public key to key.pub

stewe
  • 35
    It is always better to use the internal option `-out` for this, for example `openssl rsa -in privkey.pem -pubout -out key.pub`, instead of redirecting stdout to a file. – Juan Antonio Nov 09 '16 at 09:03
  • 2
    @JuanAntonio would it be possible for you to explain why it is better to use -out rather than redirect? Many Thanks – Banoona Mar 01 '22 at 10:30
149

Though the above technique works for the general case, it didn't work on Amazon Web Services (AWS) PEM files.

I did find in the AWS docs the following command works: ssh-keygen -y

http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-key-pairs.html

Edit: Thanks @makenova for the complete line:

ssh-keygen -y -f key.pem > key.pub
lababidi
  • 38
    Thanks. This is what I needed. To skip the prompts, you can use `ssh-keygen -y -f key.pem > key.pub` – makenova May 19 '15 at 22:56
  • 6
    This is the correct answer `ssh-keygen -y -f key.pem` – Justin Jun 10 '16 at 16:47
  • 1
    This is asking me for a passphrase, but I didn't put any passphrase – kavain Mar 23 '17 at 03:35
  • 2
    @makenova This will **regenerate** the key in `key.pem`, which could prevent you from logging into instances that require that key! – SubmittedDenied May 01 '17 at 17:42
  • If you got the same problem as @kavain where it asks you for the passphrase you didn't put, and you're using your key with `ssh -i`, make sure you're [linking to your private key there, **not** the public one](https://serverfault.com/a/267994/91532) – mehov Aug 12 '17 at 11:36
  • Can anyone elaborate why AWS is picky about the "correct answer" above? – GreenLake4964 Dec 05 '19 at 09:33
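An added illustration (not code from any answer above) of why the private key file alone suffices, and of why the file written by `openssl rsa -pubout` and the line printed by `ssh-keygen -y` look different for the same key: the first is a PEM-wrapped SubjectPublicKeyInfo, the second is the OpenSSH `ssh-rsa` encoding, but both carry only the modulus n and public exponent e that already sit inside the private key. The script below, using only the Python standard library, parses an unencrypted PKCS#1 `BEGIN RSA PRIVATE KEY` file (the form `openssl genrsa` writes without `-des3` on OpenSSL 1.x; encrypted or PKCS#8 keys must first be converted with `openssl rsa`) and emits the OpenSSH line; the embedded key is a constructed toy key (p=61, q=53), an assumption made so the example runs offline.

```python
import base64, re, struct

def der_len(n):                                   # DER length, short or long form
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b
def der_int(v):                                   # DER INTEGER; (+8)//8 keeps a leading 0x00 if the top bit is set
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + der_len(len(b)) + b
def read_tlv(data, pos):                          # one DER tag/length/value; returns (tag, value, next_pos)
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                             # long form, which a real 2048-bit key uses
        count = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + count], "big"), pos + count
    return tag, data[pos:pos + length], pos + length

def rsa_public_from_pem(pem):
    """Return (n, e) from an unencrypted PKCS#1 'BEGIN RSA PRIVATE KEY' PEM (RFC 8017 RSAPrivateKey)."""
    m = re.search(r"-----BEGIN RSA PRIVATE KEY-----(.*?)-----END RSA PRIVATE KEY-----", pem, re.S)
    if not m:  # encrypted (-des3) or PKCS#8 'BEGIN PRIVATE KEY' files: convert with 'openssl rsa' first
        raise ValueError("not an unencrypted PKCS#1 RSA private key")
    tag, body, _ = read_tlv(base64.b64decode(m.group(1)), 0)
    if tag != 0x30:
        raise ValueError("expected outer SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):                        # version, n, e, d, p, q, dP, dQ, qInv: all INTEGERs
        tag, value, pos = read_tlv(body, pos)
        if tag != 0x02:
            raise ValueError("expected INTEGER")
        fields.append(int.from_bytes(value, "big"))
    return fields[1], fields[2]                   # the public key is just the modulus and public exponent

def ssh_string(b):                                # RFC 4251 string/mpint framing: 4-byte big-endian length + bytes
    return struct.pack(">I", len(b)) + b
def openssh_blob(n, e):                           # wire blob that 'ssh-keygen -y' base64-encodes after 'ssh-rsa'
    mpint = lambda v: ssh_string(v.to_bytes((v.bit_length() + 8) // 8, "big"))
    return ssh_string(b"ssh-rsa") + mpint(e) + mpint(n)
def openssh_public_key(n, e, comment=""):         # one-line authorized_keys form, what AWS import-key-pair wants
    return "ssh-rsa " + base64.b64encode(openssh_blob(n, e)).decode() + (" " + comment if comment else "")

def toy_private_key_pem(p=61, q=53, e=17):        # constructed toy key so this runs offline; never use it for real
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    fields = [0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p)]
    content = b"".join(der_int(v) for v in fields)
    b64 = base64.b64encode(b"\x30" + der_len(len(content)) + content).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN RSA PRIVATE KEY-----\n" + body + "\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    print(openssh_public_key(*rsa_public_from_pem(toy_private_key_pem()), "toy-key"))
```

To run it against a real key, pass the text of a `BEGIN RSA PRIVATE KEY` file to `rsa_public_from_pem`; the resulting line should match what `ssh-keygen -y -f key.pem` prints for the same file.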
12

For those interested in the details, you can see what's inside the public key file (generated as explained above) by doing this:

openssl rsa -noout -text -inform PEM -in key.pub -pubin

or for the private key file, this:

openssl rsa -noout -text -in key.private

which outputs as text on the console the actual components of the key (modulus, exponents, primes, ...).

cnd
4

For AWS, importing an existing public key:

  1. Export from the .pem by doing this... (on Linux)

    openssl rsa -in ./AWSGeneratedKey.pem -pubout -out PublicKey.pub

    This will produce a file which, if you open it in a text editor, looks something like this...

    -----BEGIN PUBLIC KEY-----
    MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn/8y3uYCQxSXZ58OYceG
    A4uPdGHZXDYOQR11xcHTrH13jJEzdkYZG8irtyG+m3Jb6f9F8WkmTZxl+4YtkJdN
    9WyrKhxq4Vbt42BthadX3Ty/pKkJ81Qn8KjxWoL+SMaCGFzRlfWsFju9Q5C7+aTj
    eEKyFujH5bUTGX87nULRfg67tmtxBlT8WWWtFe2O/wedBTGGQxXMpwh4ObjLl3Qh
    bfwxlBbh2N4471TyrErv04lbNecGaQqYxGrY8Ot3l2V2fXCzghAQg26Hc4dR2wyA
    PPgWq78db+gU3QsePeo2Ki5sonkcyQQQlCkL35Asbv8khvk90gist4kijPnVBCuv
    cwIDAQAB
    -----END PUBLIC KEY-----

  2. However, AWS will NOT accept this file.

    You have to strip off the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- from the file. Save it and import it, and it should work in AWS.

Stephen Rauch
Bendo
2

If you're looking for how to copy an Amazon AWS .pem keypair into a different region, do the following:

openssl rsa -in .ssh/amazon-aws.pem -pubout > .ssh/amazon-aws.pub

Then

aws ec2 import-key-pair --key-name amazon-aws --public-key-material "$(cat .ssh/amazon-aws.pub)" --region us-west-2
Justin
  • 2
    The public key output by `openssl` is sandwiched in PEM headers, which you will have to remove before AWS CLI accepts the key. – jpsecher Apr 22 '16 at 09:49
0

Use openssl to extract the pub file from the pem file as

openssl rsa -in private_key.pem -pubout -out public_key.pub
Arvind