Openssl Public Key From Certificate

From time to time it may be necessary to verify which certificate is being presented by the server you are connecting to. Sometimes this is an SMTP server, sometimes a web server. While there are multiple methods for validating a certificate presented by a server, I am going to focus on openssl here.

OpenSSL is a robust, commercial-grade, full-featured toolkit for the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols. It is available for multiple platforms including Linux, macOS and Windows (via gnuwin32). For this article I will be using the Windows version of OpenSSL, which can be downloaded from

  1. Compare the modulus carried by a private key, a CSR and a certificate:

         openssl rsa -noout -modulus -in FILE.key
         openssl req -noout -modulus -in FILE.csr
         openssl x509 -noout -modulus -in FILE.cer

     If everything matches (same modulus), the files are compatible public-key-wise (but this does not guarantee the private key is valid). If not, one of the files is not related to the others.

  2. Convert a PEM private key to DER and export its public key in DER:

         openssl rsa -in myprivkey.pem -inform PEM -out myprivkey.der -outform DER
         openssl rsa -in myprivkey.pem -pubout -out mypubkey.der -outform DER

     Parsing the private key works fine and I can successfully extract the public key components from this key to encrypt and decrypt a message (using rsaPub.SetModulus(n); rsaPub.SetPublicExponent(e.

How to extract the public key from a certificate? Recently I had to extract the public key from a certificate. Each time I do this I end up looking up the man pages for openssl, so I thought I'd blog it for myself and for others to use when needed:

    $ openssl x509 -inform pem -in certificate.pem -pubkey -noout > publickey.pem

Enjoy.

To output only the public key from a CSR to a local file named publickey.pem:

    openssl req -in csr.txt -noout -pubkey -out publickey.pem

You can view the (PEM-encoded) key on the terminal without putting it in a file by dropping the last argument:

    openssl req -in csr.txt -noout -pubkey

Find Out a Key Length from an SSL Certificate. Find out the key size from a file containing the certificate (certificate.crt), using OpenSSL:

    $ openssl x509 -in certificate.crt -text -noout | grep 'Public-Key'
    RSA Public-Key: (2048 bit)

Determine a Key Length from an HTTPS Site. Find out the key size from an https website, let's say
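The modulus comparison from item 1 and the public-key extraction and key-length check above, combined into one POSIX shell script. This is an added example, not code from the original article; it assumes openssl is on PATH, that the key is RSA, and the function names and the key/CSR/certificate file names passed as arguments are placeholders:

```shell
#!/bin/sh
# Added example: check that a private key, a CSR and a certificate carry the
# same RSA public key, and read the key size out of the certificate.
# Assumes openssl on PATH and RSA material: -modulus is RSA-only, so for EC
# keys rely on pubkey_matches_key below, which compares SPKI PEM instead.

# Print the hex modulus of an RSA key (rsa), CSR (req) or certificate (x509).
modulus_of() {
    openssl "$1" -noout -modulus -in "$2" 2>/dev/null | sed 's/^Modulus=//'
}

# Return 0 when key, CSR and certificate share one modulus, 1 when they do
# not, 2 when any of the three cannot be read as RSA material.
check_modulus_match() {
    km=$(modulus_of rsa "$1"); cm=$(modulus_of req "$2"); xm=$(modulus_of x509 "$3")
    if [ -z "$km" ] || [ -z "$cm" ] || [ -z "$xm" ]; then
        echo "could not read an RSA modulus from all three files" >&2
        return 2
    fi
    # Show a short prefix of each modulus rather than 512 hex digits.
    echo "key  $(echo "$km" | cut -c1-16)..."
    echo "csr  $(echo "$cm" | cut -c1-16)..."
    echo "cert $(echo "$xm" | cut -c1-16)..."
    if [ "$km" = "$cm" ] && [ "$km" = "$xm" ]; then
        echo "modulus match"; return 0
    fi
    echo "MODULUS MISMATCH: one file is not related to the others" >&2
    return 1
}

# Extract the PEM public key from the certificate (openssl x509 -pubkey) and
# compare it with the public key derived from the private key. Works for any
# key type because both sides are SubjectPublicKeyInfo PEM.
pubkey_matches_key() {
    [ "$(openssl x509 -in "$2" -noout -pubkey)" = "$(openssl pkey -in "$1" -pubout)" ]
}

# Print the certificate's public key size in bits. OpenSSL 1.1 prints
# "RSA Public-Key: (2048 bit)", 1.0 and 3.x print "Public-Key: (2048 bit)".
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# Usage: ./check_keys.sh server.key server.csr server.crt
if [ "$#" -eq 3 ]; then
    check_modulus_match "$1" "$2" "$3" && pubkey_matches_key "$1" "$3" \
        && echo "certificate key size: $(cert_key_bits "$3") bit"
fi
```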

The syntax that we use depends on what type of server we are querying. To query a web server you would do the following:

To query an SMTP server you would do the following:

Where <server> is replaced with the fully qualified domain name (FQDN) of the server we want to check. The output generated contains multiple sections with --- separators between them. The following example shows a connection on port 443 against
The first section presented covers the connection information:

The next section contains details about the certificate chain:

The actual public server certificate is next:

Following the server certificate we see the Certificate Subject and Issuer:


If there is a client certificate sent it would be presented next:

We next see details about the particular SSL handshake that occurred:

Next, if we query an SMTP server on port 25 with the -starttls smtp parameter we will get back the information from that server. Below is an example of the output from this type of query:

In both of these examples the information we typically use in troubleshooting is the certificate chain.
e.g. 1:

e.g. 2:

Depending on the problem I'm dealing with, I'll decide how to proceed next. If the system you are connecting from receives regular root certificate updates there shouldn't be any issues with the root certificates.

The most common issue that I see around certificates is missing root certificates. These problems are easily resolved by ensuring that you have installed the most recent root certificate update for your system.


If you find that the proper root certificates have been installed on the system, the next thing to check is that you can reach the certificate revocation list (CRL) to verify that the certificate is still valid. This requires internet access and on a Windows system can be checked using certutil.

At the very bottom of the output you should see:


If you don't have access to the internet you will see an error at this point.