3

With a public key as PEM, how can this be converted to DER format using openssl? Please note that this is not an x509 certificate. Also, this question is about EC (ECDSA) public keys, not RSA, and about using openssl, not C, C++ or some other programming language.

-----BEGIN PUBLIC KEY-----
xxx
-----END PUBLIC KEY-----

2 Answers

1

Try:

openssl pkey -pubin -in ec_pub.pem -outform DER -out ec_pub.der
5
  • 1
    openssl ec -inform PEM -outform DER -pubin -in mypublic.pem.key -out mypublic.der.key Commented Jan 4, 2024 at 20:06
  • You can answer your own questions on here... Commented Jan 4, 2024 at 20:16
  • @code2535 This answer looks OK, see man openssl-pkey. Did you have any issue? Commented Jan 4, 2024 at 20:57
  • sslshopper.com/article-most-common-openssl-commands.html lists a PEM -> DER conversion command for x509, but my reading of man openssl-ec indicates similar options will work for elliptic curve keys (openssl ec instead of openssl x509). Commented Jan 5, 2024 at 4:38
  • When I looked on the internet, I did not find the answer. After posting this question, I found it with openssl ec, as I posted as a comment to @garethTheRed's answer. I did not answer my own question as I do not have enough reputation points yet. I prefer openssl ec to openssl pkey, but that is just a preference. Commented Jan 8, 2024 at 23:04
1

The PEM format consists of a -----BEGIN …----- line, a Base64-encoded body and an -----END …----- line. If you just want to convert to DER (binary), you just need to extract the body and convert it from Base64 to binary.

(This is for plaintext, i.e. non-encrypted files. Encrypted PEM files have additional information that describes the encryption method. You typically can't usefully just extract the DER, you have to decrypt it, because the Base64-encoded part doesn't have any metadata about the encryption method.)

You can do this generically with the openssl enc -base64 command, which can be abbreviated to openssl base64.

openssl base64 -d -in myfile.pem -out myfile.der

Note that if you wanted to use a straight Base64 decoder, such as base64, you would need to strip off the begin/end lines.

<myfile.pem grep '^[^-]' | base64 -d >myfile.der

Alternatively, with openssl, you can use the management command that's specific to the particular kind of data you're dealing with. (Many kinds of data can be handled by more than one openssl command, for various reasons.) Manipulating a PUBLIC KEY is the job of openssl pkey. Pass -outform DER to indicate that you want DER output (-inform PEM is optional because that's the default). Pass -pubin to indicate that the input is a public key (by default, openssl pkey expects a private key).

openssl pkey -pubin -in myfile.pem -outform DER -out myfile.der

If you happen to know that the key is an EC key, openssl ec -pubin -in myfile.pem -outform DER also works, but there's no advantage in using ec unless you need the command to work with antique versions of OpenSSL that are no longer supported.
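A script that cross-checks the conversions discussed above, as an added example that is not part of the original answers: it converts with openssl pkey, decodes the Base64 body independently, and confirms the two DER outputs are byte-identical and that openssl ec agrees. The function names pem_pub_to_der and demo_roundtrip and the temporary file names are hypothetical; it assumes openssl and a base64 that accepts -d are on PATH.

```shell
#!/bin/sh
# Added example (not from the original answers). Names are hypothetical.

# pem_pub_to_der IN.pem OUT.der: convert an unencrypted PUBLIC KEY PEM to DER
# and verify the result two independent ways. Returns 0 only if all checks pass.
pem_pub_to_der() {
    pem=$1 der=$2
    # Accept only a SubjectPublicKeyInfo file; private or encrypted PEM is refused.
    [ "$(head -n 1 "$pem" | tr -d '\r')" = "-----BEGIN PUBLIC KEY-----" ] || {
        echo "not a PUBLIC KEY PEM file: $pem" >&2; return 2; }

    # Route 1: let openssl parse the key and write it back out as DER.
    openssl pkey -pubin -in "$pem" -outform DER -out "$der" || return 3

    # Route 2: drop the BEGIN/END lines and Base64-decode the body directly.
    raw=$(mktemp) || return 4
    grep '^[^-]' "$pem" | tr -d '\r' | base64 -d >"$raw" || { rm -f "$raw"; return 4; }

    # Both routes must yield the same bytes.
    cmp -s "$der" "$raw"; same=$?
    rm -f "$raw"
    [ "$same" -eq 0 ] || { echo "DER mismatch for $pem" >&2; return 5; }

    # The DER file must load back as a public key.
    openssl pkey -pubin -inform DER -in "$der" -noout || return 6
}

# demo_roundtrip: generate a throwaway P-256 key (constructed sample input),
# convert its public half, and compare against openssl ec from the comments.
demo_roundtrip() {
    dir=$(mktemp -d) || return 1
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ec_priv.pem" &&
    openssl ec -in "$dir/ec_priv.pem" -pubout -out "$dir/ec_pub.pem" 2>/dev/null &&
    pem_pub_to_der "$dir/ec_pub.pem" "$dir/ec_pub.der" &&
    openssl ec -pubin -in "$dir/ec_pub.pem" -outform DER 2>/dev/null |
        cmp -s - "$dir/ec_pub.der"
    rc=$?
    # A private-key PEM must be refused with status 2.
    pem_pub_to_der "$dir/ec_priv.pem" "$dir/x.der" 2>/dev/null
    [ $? -eq 2 ] || rc=1
    rm -rf "$dir"
    return "$rc"
}

demo_roundtrip && echo "all conversions agree"
```

For a real key, call pem_pub_to_der ec_pub.pem ec_pub.der and check the exit status.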
