Export Public Key from a p12 file

I have a p12 file exported from the Firefox browser. Now I want to extract the public key to give it to friends (not the whole p12 file).

I used OpenSSL-Windows32 and converted the p12 into a pem; after that I tried to export the public key from the pem.

That's the syntax I used:

openssl pkcs12 -in pgp.p12 -clcerts -out pgp.pem
openssl pkey -in pgp.pem -pubout -out pub.pem

Now I have the pub.pem, which contains something like this:

-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9......
-----END PUBLIC KEY-----

Is that the right way to export the pub file? And can I give the pgp.pem to my friends without risks?

bastey asked Aug 14 '13 11:08


1 Answer

Based on your filenames, it looks like you may have a PGP key. Is that correct?

These may work with PGP as well, but for a non-PGP key, I would extract the public key with these commands:

openssl pkcs12 -in mykeystore.p12 -clcerts -nokeys -out mycert.pem
openssl x509 -pubkey -in mycert.pem -noout > mypubkey.pem

The -nokeys option prevents the output of private keys.

If you're using Windows and the above command is stuck, try adding winpty before openssl:

winpty openssl pkcs12 -in mykeystore.p12 -clcerts -nokeys -out mycert.pem

Public keys and certificates can generally be given out freely without a problem. You obviously don't want to give out the private key, but the public parts are fine.

One thing to note, though: most of the time, you want to give out the certificate, not just the key by itself. The certificate (obtained from the first command above) contains the public key and a signature by someone who is associating that key with a particular identity.

For example, Verisign will sign a certificate containing your public key. You can then give this certificate to your friends, and since they trust Verisign, they know that is indeed your public key.

If you just email your public key to your friends, there is a possibility someone could intercept the public key and place their own key in the email before it got to your friends. They would mistakenly think they had your key when they had someone else's key. If they tried to encrypt with it, that person would be able to decode everything.

So if you don't use a certificate, at least verify that your friends got the correct key by confirming the hash of the key by telephone or in person.

gtrig answered Oct 17 '22 15:10
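As an added example (not part of the original answer), a POSIX shell script that builds a throwaway PKCS#12 file, runs the answer's two extraction commands, refuses to share the output if a private key slipped through, and prints the SHA-256 fingerprint to confirm by phone or in person. The file names, the subject and the password `secret` are assumptions; it needs only openssl.

```shell
#!/bin/sh
# Added example, not from the original answer. Builds a throwaway PKCS#12
# keystore, extracts only the certificate, derives the public key from it,
# and prints a fingerprint that can be confirmed by phone or in person.
set -eu

# Constructed test identity; file names, subject and password are assumptions.
make_test_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-user" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" \
    -passout pass:secret -out "$1/mykeystore.p12"
}

# Answer's first command: -clcerts keeps the client cert, -nokeys drops the
# private key, so the output file is the one that is safe to hand out.
extract_cert() {
  openssl pkcs12 -in "$1" -clcerts -nokeys -passin pass:secret -out "$2"
}

# Answer's second command: the public key (SubjectPublicKeyInfo) from the cert.
extract_pubkey() {
  openssl x509 -pubkey -in "$1" -noout > "$2"
}

# Guard before sharing: exit status 0 only if the PEM file holds a private key.
has_private_key() {
  grep -q "PRIVATE KEY" "$1"
}

# SHA-256 fingerprint of the certificate, the value to read aloud to a friend.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Demo run in a temporary directory.
work=$(mktemp -d)
make_test_p12 "$work"
extract_cert "$work/mykeystore.p12" "$work/mycert.pem"
extract_pubkey "$work/mycert.pem" "$work/mypubkey.pem"
if has_private_key "$work/mycert.pem"; then
  echo "refusing to share: mycert.pem still holds a private key" >&2
  exit 1
fi
echo "share mycert.pem; its SHA-256 fingerprint is $(cert_fingerprint "$work/mycert.pem")"
rm -rf "$work"
```

The public key taken from the certificate is byte-for-byte the same PEM that `openssl pkey -pubout` produces from the private key, so the asker's route and the answer's route yield the same key; the difference is only whether the intermediate file still contains the private key.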