A public key can be shared with certificate portals, signature verifiers, and teammates while the matching private key stays protected on the host that owns it. Extracting the public portion with OpenSSL creates a separate PEM file for registration or comparison without copying private-key material into tickets or chat.
The openssl pkey command reads private keys by default. Adding -pubout changes the output to the key's public components, and -out writes those components to a file instead of printing them to the terminal.
Start with an existing private key that OpenSSL can parse. Give the output a different filename from the source private key, because -out overwrites an existing file without warning, and inspect the result with openssl pkey -pubin so the public-key file is read as public material.
Steps to extract a public key using OpenSSL:
- Move to the directory that contains the private key.
$ cd ~/tls-keys
- Confirm OpenSSL can read the source private key before extracting anything.
$ openssl pkey -in server.key -check -noout
Key is valid
If the key is encrypted, OpenSSL prompts for the passphrase. For unattended use, read the passphrase from a protected file with -passin file:key.pass instead of putting the passphrase text in shell history.
- Write the public key to a separate PEM file.
$ openssl pkey -in server.key -pubout -out server-public.pem
Do not reuse the private-key path as the -out value. Writing server.key as the output path replaces the private-key file with public-key content.
- Validate the extracted public key.
$ openssl pkey -pubin -in server-public.pem -pubcheck -noout
Key is valid
-pubin tells OpenSSL to read server-public.pem as a public key. Without it, openssl pkey expects a private key by default.
- Inspect the public-key details when a receiving system asks for the key type or size.
$ openssl pkey -pubin -in server-public.pem -text_pub -noout
Public-Key: (2048 bit)
Modulus:
    00:b9:9e:6e:70:8e:f1:20:50:30:8c:e3:e7:7b:1f:
    28:5c:8d:a1:4c:86:33:27:70:f7:e9:ca:5f:05:b7:
    ##### snipped
Exponent: 65537 (0x10001)
The printed modulus and exponent identify the public side of an RSA key. Elliptic-curve keys print curve and point details instead.
- Confirm the private key still parses after writing the separate public-key file.
$ openssl pkey -in server.key -check -noout
Key is valid
Keep server.key private. Only server-public.pem is appropriate to share or paste into a public-key field.
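The steps above, collected into a script as an added example that is not part of the original article: it refuses to write the public key over the private-key path, runs the same -check and -pubcheck validations, and adds one check the walkthrough does not show, confirming that the public file really carries the public components of the private key by comparing SHA-256 fingerprints of their DER encodings. It assumes openssl 1.1.1 or newer on PATH; the file names and the PASSOPT variable are this script's own choices.

```sh
#!/bin/sh
# Added example, not code from the original article: extract the public key to
# a separate file, refuse to overwrite the private key, validate the result and
# confirm the public file really belongs to the private key.
# Assumes openssl 1.1.1 or newer on PATH; all file names here are constructed.
set -eu

# Set PASSOPT="-passin file:key.pass" for an encrypted private key; it is
# expanded unquoted on purpose so that it splits into two arguments.
PASSOPT=${PASSOPT:-}

# SHA-256 over the DER encoding of the public components. DER is used so the
# value is identical whether it came from the private key or the public file.
der_sha256() { openssl dgst -sha256 -r | cut -d' ' -f1; }

# extract_pubkey PRIVATE_KEY PUBLIC_OUT
# Returns 0 on success, 1 if the output path would clobber the private key,
# 2 if the private key does not parse or cannot be written out,
# 3 if the written public key fails -pubcheck.
extract_pubkey() {
    priv=$1; pub=$2
    if [ "$priv" = "$pub" ]; then
        echo "refusing to overwrite private key: $priv" >&2; return 1
    fi
    # The source key must pass -check before anything is written.
    openssl pkey -in "$priv" $PASSOPT -check -noout >/dev/null || return 2
    openssl pkey -in "$priv" $PASSOPT -pubout -out "$pub" || return 2
    # Read the new file back as public material, as the article does.
    openssl pkey -pubin -in "$pub" -pubcheck -noout >/dev/null || return 3
}

# pubkey_matches PRIVATE_KEY PUBLIC_FILE
# Returns 0 when PUBLIC_FILE carries exactly the public components of
# PRIVATE_KEY, 1 otherwise (including when either file fails to parse).
pubkey_matches() {
    priv=$1; pub=$2
    # Parse both sides first: a failed openssl inside a pipeline would
    # otherwise hash an empty stream on both sides and "match".
    openssl pkey -in "$priv" $PASSOPT -check -noout >/dev/null || return 1
    openssl pkey -pubin -in "$pub" -pubcheck -noout >/dev/null || return 1
    a=$(openssl pkey -in "$priv" $PASSOPT -pubout -outform DER | der_sha256)
    b=$(openssl pkey -pubin -in "$pub" -outform DER | der_sha256)
    [ "$a" = "$b" ]
}

# Stand-alone demo on a freshly generated (constructed) key: ./extract.sh demo
if [ "${1:-}" = "demo" ]; then
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out server.key 2>/dev/null
    extract_pubkey server.key server-public.pem
    pubkey_matches server.key server-public.pem && echo "server-public.pem matches server.key"
fi
```

pubkey_matches is the check to run when a teammate sends back a public-key file for registration and you want to be sure it was derived from the key you hold, not from some other key on the same host.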
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.