It is the binary format. A way to encode ASN.1 syntax in binary.
The first byte in the file should be a
0 character (U+0030)
Defined in RFCs 1421 through 1424, this is a container format that may include just the public certificate (such as with Apache installs, and CA certificate files
/etc/ssl/certs), or may include an entire certificate chain including public key, private key, and root certificates. Confusingly, it may also encode a CSR (e.g. as used here) as the PKCS10 format can be translated into PEM.
The name is from Privacy Enhanced Mail (PEM), a failed method for secure email but the container format it used lives on, and is a base64 translation of the x509 ASN.1 keys.
It is like the following container format, where
??? is the actual name of key, for instance
-----BEGIN ??? ----- -----END ??? -----
This is a PEM formatted file containing just the private-key of a specific certificate and is merely a conventional name and not a standardized one. In Apache installs, this frequently resides in
The rights on these files are very important, and some programs will refuse to load these certificates if they are set wrong.
cert, cer, crt
A .pem (or rarely .der) formatted file with a different extension, one that is recognized by Windows Explorer as a certificate, which .pem is not.
some file recognition
Public key formats supported
- PKCS#1 RSAPublicKey* (PEM header:
BEGIN RSA PUBLIC KEY)
- X.509 SubjectPublicKeyInfo** (PEM header:
BEGIN PUBLIC KEY)
Encrypted private key formats supported
- PKCS#8 EncryptedPrivateKeyInfo** (PEM header:
BEGIN ENCRYPTED PRIVATE KEY)
- PKCS#12 (PFX) with PKCS-8ShroudedKeyBag
Private key formats supported (unencrypted)
- PKCS#1 RSAPrivateKey** (PEM header:
BEGIN RSA PRIVATE KEY)
- PKCS#8 PrivateKeyInfo* (PEM header:
BEGIN PRIVATE KEY)
- JSON Web Key (JWK) Plaintext RSA Private Key
Create RSA key pair
You may refer to some Command
generate private key
This operation requires a password, this will generate a
traditional format, which is
openssl genrsa -aes256 -out private.pem 2048
You will need to provide a password, this is required as it is. It will be removed by the following command.
openssl rsa -in private.pem -outform PEM -out private_unencrypted.pem
get public key from private key
You can use both encrypted and unencrypted private key to generate public key.
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
convert pkcs#1 to pkcs#8
The original format is the called
traditional format, essentially is
PKCS#8 is a more stable and standard format, a recommended format.
The command below will convert private key in format
-nocrypt so no password is required.
openssl pkcs8 -topk8 -nocrypt -in private.pem -out pkcs8.pem