Working With PEM Files

PEM certificates are used by web servers, OpenSSL and other tools. PEM stands for Privacy Enhanced Mail.

Strictly speaking, PEM is not a certificate but a way of encoding data.

OpenSSL and other SSL tools use it as a standard format. A .pem file can contain the public certificate only or the whole certificate chain.

PEM is not the only container format. There are also:

  • .csr – Certificate Signing Request (PKCS10 format)
  • .key – Contains the private key only.
  • .pfx – PKCS#12 container; also seen as .pkcs12 and .p12
  • .crt – Sometimes a .pem file is saved as .crt

The format can be used in rich text documents (for example emails) and in plain ASCII, which makes it easy to copy and paste the contents of PEM files.
A PEM file is in fact a base64-encoded (ASCII) block that starts with:

-----BEGIN CERTIFICATE-----

and ends with

-----END CERTIFICATE-----

Here is an example:

-----BEGIN ENCRYPTED PRIVATE KEY-----
TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQsIGNvbnNlY3RldHVyIGFkaXBpc2NpbmcgZWxpdCwgc2VkIGRvIGVpdXNtb2QgdGVtcG9yIGluY2lkaWR1bnQgdXQgbGFib3JlIGV0IGRvbG9yZSBtYWduYSBhbGlxdWEuIFV0IGVuaW0gYWQgbWluaW0gdmVuaWFtLCBxdWlzIG5vc3RydWQgZXhlcmNpdGF0aW9uIHVsbGFtY28gbGFib3JpcyBuaXNpIHV0IGFsaXF1aXAgZXggZWEgY29tbW9kbyBjb25zZXF1YXQ=
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQsIGNvbnNlY3RldHVyIGFkaXBpc2NpbmcgZWxpdCwgc2VkIGRvIGVpdXNtb2QgdGVtcG9yIGluY2lkaWR1bnQgdXQgbGFib3JlIGV0IGRvbG9yZSBtYWduYSBhbGlxdWEuIFV0IGVuaW0gYWQgbWluaW0gdmVuaWFtLCBxdWlzIG5vc3RydWQgZXhlcmNpdGF0aW9uIHVsbGFtY28gbGFib3JpcyBuaXNpIHV0IGFsaXF1aXAgZXggZWEgY29tbW9kbyBjb25zZXF1YXQ=
-----END CERTIFICATE-----

How To Copy PEM Certificates

There are a few things that you have to take into consideration when copy pasting a certificate.

  • The key or certificate has to start with "-----BEGIN CERTIFICATE-----" and end with "-----END CERTIFICATE-----".
  • Make sure you use the correct dash characters, otherwise you can break the file. The correct form is five plain ASCII hyphens: "-----".
  • Use the right line termination when saving the file. PEM files use the Unix line ending. Some editors may use the Windows line ending (two characters).

If you work on a Unix command line and saved the PEM file on Windows, you can use the tr (translate) tool. This removes the extra carriage-return characters that Windows added to each line ending.

$ tr -d '\r' < old.pem > new.pem

A PEM file can contain a few keys and a number of certificates, for example:

  • Public key
  • Private key
  • Root certificate

It's good practice not to store everything in one PEM file. You can make multiple files where each one contains only part of the contents. For example, you could have a file with the key only.

When working with PEM files, make sure you follow the steps mentioned above. Split up a PEM file by copying one part of it, including its header and footer lines, and putting it in a new file.

If you want to separate the key from all the other parts, the file would look something like this:

-----BEGIN ENCRYPTED PRIVATE KEY-----
TG9yZW0gaXBzdW0gZG9sb3Igc2l0IGFtZXQsIGNvbnNlY3RldHVyIGFkaXBpc2NpbmcgZWxpdCwgc2VkIGRvIGVpdXNtb2QgdGVtcG9yIGluY2lkaWR1bnQgdXQgbGFib3JlIGV0IGRvbG9yZSBtYWduYSBhbGlxdWEuIFV0IGVuaW0gYWQgbWluaW0gdmVuaWFtLCBxdWlzIG5vc3RydWQgZXhlcmNpdGF0aW9uIHVsbGFtY28gbGFib3JpcyBuaXNpIHV0IGFsaXF1aXAgZXggZWEgY29tbW9kbyBjb25zZXF1YXQ=
-----END ENCRYPTED PRIVATE KEY-----
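
The manual split described above can also be scripted. The following is an added example, not part of the original page: a shell function that strips Windows line endings, rejects boundary lines whose dashes were substituted, and writes each block to its own owner-only file. The function name split_pem, the output file naming and the sample bundle are assumptions made for this example.

```shell
#!/bin/sh
# split_pem BUNDLE OUTDIR: write each PEM block in BUNDLE to its own file in
# OUTDIR, named NN-<label>.pem (hypothetical naming chosen for this example).
split_pem() {
    bundle=$1; outdir=$2
    mkdir -p "$outdir" || return 1
    # A boundary line that is not exactly five ASCII hyphens on each side
    # (for example after an editor substituted typographic dashes) is rejected.
    if tr -d '\r' < "$bundle" | grep -E '(BEGIN|END) ' |
        grep -Evq '^-----(BEGIN|END) [A-Z0-9 ]+-----$'; then
        echo "split_pem: malformed boundary line in $bundle" >&2
        return 2
    fi
    (
        umask 077    # files holding keys must not be group/world readable
        tr -d '\r' < "$bundle" | awk -v dir="$outdir" '
            /^-----BEGIN [A-Z0-9 ]+-----$/ {
                label = $0
                gsub(/^-----BEGIN |-----$/, "", label)
                gsub(/ /, "-", label)
                out = sprintf("%s/%02d-%s.pem", dir, ++n, tolower(label))
            }
            out != "" { print > out }
            /^-----END [A-Z0-9 ]+-----$/ { if (out != "") close(out); out = "" }
            END { if (out != "") exit 3 }    # BEGIN without a matching END
        '
    )
}

# Constructed sample: placeholder base64 (not real key material), saved with
# Windows CRLF line endings as described above.
demo=$(mktemp -d)
printf '%s\r\n' \
    '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'Q09OU1RSVUNURUQ=' \
    '-----END ENCRYPTED PRIVATE KEY-----' \
    '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
    '-----END CERTIFICATE-----' > "$demo/bundle.pem"
split_pem "$demo/bundle.pem" "$demo/out" && ls -l "$demo/out"
```

The umask only applies to files the function creates; an output file that already exists keeps its previous mode.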
Page Updated: February 7, 2019
