The PEM (originally “Privacy Enhanced Mail”) format was initially invented to make e-mail secure. Now it is an Internet security standard. PEM is the most common format for X.509 certificates, CSRs, and cryptographic keys.
What is a PEM file
A PEM file is a text file containing one or more items in Base64 ASCII encoding, each with plain-text headers and footers (e.g. -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----).
PEM is defined in RFC 1422 (part of a series from 1421 through 1424). It is a container format that may include just the public certificate or may include an entire certificate chain including public key, private key, and root certificates.
It can have a variety of extensions (.pem, .key, .cer, .cert, and more). The typical PEM files are:
- key.pem contains the private encryption key
- cert.pem contains certificate information
A PEM file consists of a header, a body (the Base64-encoded data) and a footer.
The header and footer identify the type of file; however, be aware that not all PEM files necessarily need them.
-----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- show a CSR in PEM format.
-----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- show a private key in PEM format.
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- show a certificate file in PEM format.
If the PEM file includes the SSL certificate chain, the format would look like this.
Example of PEM file
The following example is a private key PEM file.
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
This is an example of a root certificate PEM file.
# Trust chain root certificate
Check PEM certificate file with OpenSSL Command
OpenSSL is an open-source command-line tool that is commonly used to generate private keys, create CSRs, install SSL/TLS certificates, and inspect certificate information. To print the contents of a PEM certificate:
openssl x509 -text -in server.pem -noout
openssl x509 -in hydssl.cer -text -noout
Version: 3 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Issuer: C=US, O=IdenTrust, CN=IdenTrust Commercial Root CA
Not Before: Dec 12 16:56:15 2019 GMT
Not After : Dec 12 16:56:15 2029 GMT
Subject: C=US, O=IdenTrust, OU=HydrantID Trusted Certificate Service, CN=HydrantID Server CA O1
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
PEM Files with SSH
PEM files are also used for SSH. If we have ever run ssh-keygen to use ssh without a password, ~/.ssh/id_rsa is a PEM file, just without the extension. Most notably, Amazon Web Services gives us a PEM file containing a private key whenever we create a new instance, and we must use this key to be able to SSH into new EC2 instances.
We can use the -i flag with ssh to specify that we want to use this new key instead of id_rsa:
ssh -i keyfile.pem root@host
Convert to PEM format
The default format of the certificate differs depending on its provider or the way it was created. Most of the time, the certificate is a PEM file that can be used easily.
There will be cases where the certificate will be a file with a different format, such as P7B-PKCS#7, PFX-PKCS#12, or DER.
In these cases, we need to convert the certificate into a PEM file. To do this, there are two options:
- To convert the file using an online tool, like SSL Converter from SSL Shopper
- To convert the certificate using OpenSSL commands
For the first option, we upload the file and let the website convert it automatically, while the second option requires running specific commands. Here are the commands to convert DER, P7B, and PFX files to PEM.
- Convert CER to PEM: convert a DER file (.crt .cer .der) to PEM: openssl x509 -inform der -in certificate.cer -out certificate.pem
- Convert CRT to PEM: convert a DER file (.crt .cer .der) to PEM: openssl x509 -inform der -in certificate.cer -out certificate.pem
- Convert PEM to DER: convert a PEM file to DER: openssl x509 -outform der -in certificate.pem -out certificate.der
Convert PKCS12 to PEM
- Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM: openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
  The -nodes option writes the private key to the output file unencrypted. We can add -nocerts to only output the private key or add -nokeys to only output the certificates.
- Convert a PEM certificate file and a private key to PKCS#12 (.pfx .p12): openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
Difference between PEM file and DER file
If the certificate is in text format, then it is in PEM format. We can read the contents of a PEM certificate (cert.crt) using the 'openssl' command on Linux or Windows as follows: openssl x509 -in cert.crt -text
If the file content is binary, the certificate could be DER. To find out the format, run the following 'openssl' command to open the certificate: openssl x509 -in cert.crt -inform DER -text
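As an added example (not part of the original article), the Python code below ties together the header/body/footer structure described earlier and the PEM-versus-DER check in this section: it wraps DER bytes in a PEM block, parses every block in a bundle, and reports any private keys a certificate bundle contains. All function names and the sample data are assumptions made for illustration; the sample bytes are constructed, not a real certificate or key.

```python
import base64
import re

# Boundary lines as described above: -----BEGIN <label>----- ... -----END <label>-----
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def to_pem(label, der):
    """Wrap binary DER bytes in a PEM block (Base64, 64 characters per line)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def parse_pem(text):
    """Return [(label, der_bytes), ...] for every PEM block in text, in order."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        # Drop blank lines and the "Proc-Type:" / "DEK-Info:" header lines that
        # legacy encrypted keys carry before the Base64 body.
        b64 = "".join(l.strip() for l in body.splitlines() if l.strip() and ":" not in l)
        blocks.append((label, base64.b64decode(b64, validate=True)))
    return blocks

def classify(data):
    """Classify raw file bytes as 'PEM', 'DER' or 'unknown' (a heuristic)."""
    if b"-----BEGIN " in data:
        return "PEM"
    # DER certificates, CSRs and keys are ASN.1 SEQUENCEs: first byte is 0x30.
    return "DER" if data[:1] == b"\x30" else "unknown"

def private_key_labels(text):
    """Labels of blocks that hold private key material."""
    return [label for label, _ in parse_pem(text) if label.endswith("PRIVATE KEY")]

# Constructed sample: a 5-byte ASN.1 SEQUENCE stands in for real DER content.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_BUNDLE = (to_pem("CERTIFICATE", SAMPLE_DER)
                 + to_pem("CERTIFICATE", SAMPLE_DER)
                 + to_pem("RSA PRIVATE KEY", SAMPLE_DER))

if __name__ == "__main__":
    print(classify(SAMPLE_DER), classify(SAMPLE_BUNDLE.encode()))
    for label, der in parse_pem(SAMPLE_BUNDLE):
        print(f"{label}: {len(der)} bytes")
    print("private keys in bundle:", private_key_labels(SAMPLE_BUNDLE))
```

Running private_key_labels over a chain file before it is shared or deployed shows whether a private key was bundled with the certificates.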