A Practical Guide to Extracting Public Keys from Certificates and Saving in PEM Format Using OpenSSL

Nov 20, 2025 · Programming

Keywords: OpenSSL | Public Key Extraction | PEM Format | Certificate Management | S/MIME Encryption

Abstract: This article provides a comprehensive guide on using OpenSSL to extract public keys from X.509 certificates and save them in PEM format. It analyzes common error scenarios and offers specific solutions for both command-line and interactive modes, including proper usage of the -noout parameter, handling output redirection, and verification techniques for public key formats. The article also explores the importance of public key management in secure communication contexts, particularly in S/MIME email encryption applications.

Fundamentals of OpenSSL Public Key Extraction

In public key infrastructure (PKI) systems, extracting the public key from a digital certificate is a common operation. OpenSSL, a widely used cryptography toolkit, provides various certificate processing functions, and users often need to isolate the public key from a certificate for use in other security applications.

Common Error Analysis

Many users find that the output contains the complete certificate when they attempt to extract a public key. This is typically caused by a missing parameter. The original command:

openssl x509 -in E:/mycert.pem -pubkey -out E:/mypubkey.pem

The problem with this command is the absence of the -noout parameter. Without it, OpenSSL also outputs the complete encoded certificate, so the result is not just the public key portion.

Correct Command-Line Mode Solution

Direct execution in the system command line is the simplest and most effective approach:

openssl x509 -pubkey -noout -in cert.pem > pubkey.pem

Key parameter explanations:

Alternative Approach in Interactive Mode

When output redirection operators are unavailable, execute in OpenSSL interactive mode:

openssl> x509 -pubkey -noout -in cert.pem

After execution, public key information will be directly output to the terminal:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAryQICCl6NZ5gDKrnSztO
3Hy8PEUcuyvg/ikC+VcIo2SFFSf18a3IMYldIugqqqZCs4/4uVW3sbdLs/6PfgdX
7O9D22ZiFWHPYA2k2N744MNiCD1UE+tJyllUhSblK48bn+v1oZHCM0nYQ2NqUkvS
j+hwUU3RiWl7x3D2s9wSdNt7XUtW05a/FXehsPSiJfKvHJJnGOX0BgTvkLnkAOTd
OrUZ/wK69Dzu4IvrN4vs9Nes8vbwPa/ddZEzGR0cQMt0JBkhk9kU/qwqUseP1QRJ
5I1jR4g8aYPL/ke9K35PxZWuDp3U0UPAZ3PjFAh+5T+fc7gzCs9dPzSHloruU+gl
FQIDAQAB
-----END PUBLIC KEY-----

Users can manually copy the terminal output and save it to a pubkey.pem file.

Public Key Format Verification

The extracted public key should conform to the PEM format, enclosed by the -----BEGIN PUBLIC KEY----- and -----END PUBLIC KEY----- markers. Use the following command to verify the extraction result:

openssl pkey -in pubkey.pem -pubin -text -noout

This command displays detailed public key information, including algorithm type, key length, etc., confirming that the extraction completed successfully.
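The same checks without the OpenSSL CLI, as an added example that is not part of the original article: standard-library Python that rejects a file holding anything other than one PUBLIC KEY block (the symptom of omitting -noout) and reads the algorithm and RSA key size from the DER encoding. The function names are illustrative, and the sample input is the key printed in the interactive-mode section above.

```python
import base64
import re

# Sample input: the public key printed in the article's interactive-mode output.
PAGE_PUBKEY_PEM = """-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAryQICCl6NZ5gDKrnSztO
3Hy8PEUcuyvg/ikC+VcIo2SFFSf18a3IMYldIugqqqZCs4/4uVW3sbdLs/6PfgdX
7O9D22ZiFWHPYA2k2N744MNiCD1UE+tJyllUhSblK48bn+v1oZHCM0nYQ2NqUkvS
j+hwUU3RiWl7x3D2s9wSdNt7XUtW05a/FXehsPSiJfKvHJJnGOX0BgTvkLnkAOTd
OrUZ/wK69Dzu4IvrN4vs9Nes8vbwPa/ddZEzGR0cQMt0JBkhk9kU/qwqUseP1QRJ
5I1jR4g8aYPL/ke9K35PxZWuDp3U0UPAZ3PjFAh+5T+fc7gzCs9dPzSHloruU+gl
FQIDAQAB
-----END PUBLIC KEY-----"""
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s+(.*?)-----END \1-----", re.S)
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1, rsaEncryption


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def inspect_pubkey_pem(text):
    """Require exactly one PUBLIC KEY block; return its algorithm and RSA size."""
    blocks = PEM_BLOCK.findall(text)
    labels = [label for label, _ in blocks]
    if labels != ["PUBLIC KEY"]:  # e.g. a CERTIFICATE block when -noout was omitted
        raise ValueError(f"expected one PUBLIC KEY block, found {labels}")
    der = base64.b64decode("".join(blocks[0][1].split()), validate=True)
    tag, spki, end = read_tlv(der, 0)        # SubjectPublicKeyInfo SEQUENCE
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    _, alg_id, pos = read_tlv(spki, 0)       # AlgorithmIdentifier SEQUENCE
    _, oid, _ = read_tlv(alg_id, 0)          # algorithm OBJECT IDENTIFIER
    _, bits, _ = read_tlv(spki, pos)         # BIT STRING wrapping the key
    info = {"rsa": oid == RSA_OID, "oid_hex": oid.hex()}
    if info["rsa"]:
        _, rsa_key, _ = read_tlv(bits, 1)    # skip the unused-bits octet
        _, n, nxt = read_tlv(rsa_key, 0)     # modulus INTEGER
        _, e, _ = read_tlv(rsa_key, nxt)     # publicExponent INTEGER
        info["bits"] = int.from_bytes(n, "big").bit_length()
        info["exponent"] = int.from_bytes(e, "big")
    return info
```

For non-RSA keys the function returns only the algorithm OID; the whitespace-tolerant pattern also accepts a key pasted from the terminal on a single line.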

Practical Application Scenarios

In practical applications such as S/MIME email encryption, public key extraction is a crucial aspect of certificate management. Users need to convert .p12 files to .pem format and then extract public keys for secure communication. Although this process is technically complex, it is essential for establishing end-to-end encrypted communication.

Best Practice Recommendations

To simplify certificate management processes, consider:

Conclusion

By correctly using OpenSSL's -noout parameter, only the public key can be extracted from a certificate. Both command-line and interactive modes can meet different user requirements. In actual deployments, combining specific application scenarios with comprehensive certificate management strategies can significantly enhance system security and usability.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.