How to extract the RSA public key from a .cer and store it in a .pem using OpenSSL?
A

2

45

I have the requirement to extract the public key (RSA) from a *.cer file. I wish to extract the key and store it in a .pem file so I can use its value to encrypt values using jsencrypt.

The following command converts a .cer to .pem:

openssl x509 -inform der -in certificate.cer -out certificate.pem

Yet it doesn't generate a file with the public key but a file with the contents of the *.cer file.

-----BEGIN CERTIFICATE-----
MIICPDCCAamgAwIBAg............
*lots of extra contents*
-----END CERTIFICATE-----

What command should I use to extract the public key and store it in a .pem file?

Axinomancy answered 21/1, 2015 at 5:22 Comment(2)
Stack Overflow is a site for programming and development questions. This question appears to be off-topic because it is not about programming or development. See What topics can I ask about here in the Help Center. Perhaps Super User or Unix & Linux Stack Exchange would be a better place to ask. Also see Where do I post questions about Dev Ops? - Primrosa
Fighting with these things is often a developer's lot. There are a lot of questions on SO about certificate management. It's not Super User or Linux or Dev Ops, all of which aren't specific enough. I believe this is in fact the correct place. - Louisville
A
93

Using this command I was able to generate the .pem with the contents of the public key.

openssl x509 -inform der -in certificate.cer -pubkey -noout > certificate_publickey.pem

Which produces:

-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCsM+whXrxmbCkPfkwY2EehYpIp
*blah blah blah blah*
-----END PUBLIC KEY-----
Axinomancy answered 21/1, 2015 at 5:22 Comment(6)
Thanks. Just a correction: for a .cer file input, the inform parameter should be der - Willful
I was pretty sure that what I wrote in my answer was correct and did work for me... I did use -inform pem. Although if -inform der works too, then that's cool. - Axinomancy
For anyone else trying this, -inform DER would not work for me, but -inform PEM works. - Juggernaut
OMG I looked for this so long. This is mind blowing for me that instead of -out we should use -noout with redirection to file. I tried to extract pub key from PEM file received from Google OAuth jwks_url v1 so now I finally did it. Thank you - Mountainside
Although the OP's intent is to use this with jsencrypt so his question was answered, it specifically asks about an RSA (PKCS#1) public key, but this answer appears to offer a PKCS#8 formatted public key. Is the OP's original question possible? The difference is the RSA public keys start with BEGIN RSA PUBLIC KEY as opposed to the PKCS#8 which start with BEGIN PUBLIC KEY. If I can find the answer on my own, I will supply it as an alternate solution. - Suspension
The solution to my question (RSA format, per OP's original request) is available here: https://mcmap.net/q/143498/-how-can-i-transform-between-the-two-styles-of-public-key-format-one-quot-begin-rsa-public-key-quot-the-other-is-quot-begin-public-key-quot - Suspension
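Added example, not part of the original answer or its comments: the thread above disagrees on -inform der versus -inform pem and on BEGIN PUBLIC KEY versus BEGIN RSA PUBLIC KEY, so these shell functions detect the certificate's encoding before calling openssl x509 and can re-encode the extracted RSA key as PKCS#1. The function names are hypothetical; the openssl options are the ones used in the answer plus openssl rsa -RSAPublicKey_out.

```shell
#!/usr/bin/env bash
# Added example; cert_format, extract_spki and spki_to_pkcs1 are hypothetical names.

# Print PEM or DER for a certificate file. The .cer extension does not say
# which encoding is inside, so look for the PEM armor line.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo PEM
    else
        echo DER
    fi
}

# Write the certificate's public key in SubjectPublicKeyInfo form
# ("BEGIN PUBLIC KEY"), as in the answer above, whatever the input encoding.
# usage: extract_spki <certificate> <out.pem>
extract_spki() {
    openssl x509 -inform "$(cert_format "$1")" -in "$1" -pubkey -noout > "$2"
}

# Re-encode an RSA key from SubjectPublicKeyInfo to PKCS#1
# ("BEGIN RSA PUBLIC KEY"). openssl rsa fails here if the key is not RSA.
# usage: spki_to_pkcs1 <spki.pem> <out.pem>
spki_to_pkcs1() {
    openssl rsa -pubin -in "$1" -RSAPublicKey_out -out "$2"
}
```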
A
3

Solution for PowerShell:

$certFile = "[path to .cer file]"
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certFile)
# $false exports only the public parameters (modulus and exponent) as XML
$cer.PublicKey.Key.ToXmlString($false)

Solution from C#:

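using System.Security.Cryptography.X509Certificates; // X509Certificate2, GetRSAPublicKey()

string certificate = @"<PATH TO .CER>";
X509Certificate2 cert = new X509Certificate2(certificate);
// false = export only the public parameters (modulus and exponent)
string xml = cert.GetRSAPublicKey().ToXmlString(false);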
Aerie answered 12/4, 2021 at 20:30 Comment(0)
