76

My questions are:

  • How to create
    • a public key
    • and a private key with OpenSSL on Windows?
  • How to put the created public key
    • in a .crt file and
    • the private one in a .pkcs8 file?

I want to use these two keys to sign a SAML assertion in Java.

  • Your question is a bit unclear. A certificate (what you usually store in a .crt file) contains a public key, but a public key in itself is not a certificate. Commented Jun 10, 2017 at 14:37
  • @MathiasR.Jessen I'm trying to create a credential in opensaml-j and this latter requires a public key and private key in order to use this credential in a signature. Commented Jun 10, 2017 at 14:39
  • It looks like you have three questions. The first question: How to generate RSA private key using OpenSSL? The second question is at Programmatically Create X509 Certificate using OpenSSL. The third question, save as PKCS#8, just uses i2d_RSAPrivateKey_bio. An example of writing in all the formats is also given at How to generate RSA private key using OpenSSL? Commented Jun 10, 2017 at 15:51
  • You should ask a separate question for the SAML signature. You need to provide your data, and show your code. Commented Jun 10, 2017 at 15:51
  • @jww I don't have three questions, I only have one; the rest you mentioned in your comment about certificates I know how to do. Commented Jun 10, 2017 at 17:59

1 Answer 1

183

You can generate a public-private keypair with the genrsa context (the last number is the keylength in bits):

openssl genrsa -out keypair.pem 2048

To extract the public part, use the rsa context:

openssl rsa -in keypair.pem -pubout -out publickey.crt

Finally, convert the original keypair to PKCS#8 format with the pkcs8 context:

openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt -in keypair.pem -out pkcs8.key

5 Comments

keypair.pem is identical to pkcs8.key. No need for 3rd command. Just make sure you name your private key what you want in the first command, then run the second command to generate your public key.
@ubiquibacon keypair.pem is in PKCS1 format, the third command converts it to PKCS8. So while the key is the same, the format is not. That's at least the behaviour of LibreSSL 3.3.6. Details and examples in stackoverflow.com/a/48960291/759042.
Now how can I get a .pfx file?
@Rajanboy PFX files are for storing certificates, this answer only concerns keys.
Well, yes and no. pfx is pkcs12 - a generic keystore that has, at minimum, a public key, and then optionally from none to all of: the corresponding private key for that public key, a signed or unsigned certificate containing that public key, and any certificate authorities up the chain from that leaf certificate, ideally all the way to the root, plus optional encryption of the private key material. They usually do contain the private key, signed cert, and CA chain, or else it's kinda pointless to bother using that format vs something like p7b, but only a leaf pubkey is mandatory (else empty).
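The three commands from the answer, wrapped in a script that also checks the PEM headers, so the PKCS#1 versus PKCS#8 point raised in the comments is visible on your own OpenSSL build. This is an added example, not part of the answer; it assumes the openssl CLI is on PATH and uses a scratch directory of your choosing. Note that OpenSSL 3.x writes genrsa output in PKCS#8 form by default (header "PRIVATE KEY"), while OpenSSL 1.x and LibreSSL write PKCS#1 ("RSA PRIVATE KEY"); the pkcs8 step yields the same PKCS#8 file either way.

```shell
#!/bin/sh
# Added example (not the answer's own script): run the answer's three openssl
# commands into directory $1, then inspect the resulting PEM containers.
set -e

# Generate keypair.pem, publickey.crt and pkcs8.key inside "$1".
generate_keys() {
    dir="$1"
    mkdir -p "$dir"
    openssl genrsa -out "$dir/keypair.pem" 2048 2>/dev/null
    openssl rsa -in "$dir/keypair.pem" -pubout -out "$dir/publickey.crt" 2>/dev/null
    openssl pkcs8 -topk8 -inform PEM -outform PEM -nocrypt \
        -in "$dir/keypair.pem" -out "$dir/pkcs8.key"
}

# Print the first line of a PEM file; the "-----BEGIN ...-----" label names
# the container format, which is what the PKCS#1/PKCS#8 discussion is about.
pem_header() {
    head -n 1 "$1"
}

# Classify keypair.pem: "RSA PRIVATE KEY" is PKCS#1 (OpenSSL 1.x, LibreSSL),
# "PRIVATE KEY" is already PKCS#8 (OpenSSL 3.x default).
keypair_format() {
    case "$(pem_header "$1/keypair.pem")" in
        "-----BEGIN RSA PRIVATE KEY-----") echo "PKCS#1" ;;
        "-----BEGIN PRIVATE KEY-----")     echo "PKCS#8" ;;
        *)                                 echo "unknown" ;;
    esac
}

# Succeed if the public key derived from pkcs8.key equals publickey.crt:
# the conversion changed only the wrapper, never the key material.
same_public_key() {
    dir="$1"
    from_pkcs8=$(openssl pkey -in "$dir/pkcs8.key" -pubout 2>/dev/null)
    from_rsa=$(cat "$dir/publickey.crt")
    [ "$from_pkcs8" = "$from_rsa" ]
}
```

Typical use is `generate_keys ./keys && keypair_format ./keys`; the PKCS#8 file is the one to load in Java, which is why the answer's third command matters when the first one produced PKCS#1.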
