
What is a .Pem File: How to Create and Open it?


What is .Pem File

Getting Started with .Pem File

A .pem file (Privacy Enhanced Mail) contains cryptographic keys and certificates encoded in Base64 ASCII format. These files are used extensively in the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols to implement public key infrastructure (PKI) and provide secure communications over the internet.

The .pem file format can include public keys, private keys, certificates, encrypted private keys, and certificate signing requests—basically, the different components involved in public key cryptography and certificate management. The contents are encoded in a format that is printable and portable across different operating systems.

Understanding .pem files is important for system administrators and developers who implement and manage SSL/TLS connections and other PKI applications. It helps in tasks like generating certificate signing requests, creating and installing SSL certificates for websites, implementing client certificate authentication, etc.

Key Takeaways

  • .pem files contain cryptographic keys and certificates encoded in Base64 ASCII format.
  • They are used for authentication in SSL/TLS connections and other public key infrastructure (PKI) applications.
  • .pem files can contain public keys, private keys, and certificates – including self-signed certificates.
  • They differ from other key formats, such as .key, .crt, .csr, .p12, etc., in terms of content and encoding.
  • To create a .pem file, the openssl command can be used to generate keys and certificates and encode them in .pem format.
  • To open a .pem file, text editors like Notepad or vi can be used. The contents can also be decoded and viewed using openssl commands.
  • Different applications may require the .pem file to contain only specific components like the public key or certificate.

What Exactly is a .pem File?

  • A .pem file contains public keys, private keys, certificates, and other components used in public key cryptography encoded in Base64 ASCII format.
  • The name PEM stands for Privacy Enhanced Mail and comes from the original implementation of securing emails using public key encryption.
  • They are widely used to implement Secure Sockets Layer (SSL) and Transport Layer Security (TLS) for internet security and other public key infrastructure (PKI) applications.
  • .pem files encode the binary keys and certificates in a portable, printable ASCII form rather than raw binary.
  • This Base64 encoded Format allows the keys and certificates to be transmitted easily over text-based mediums and systems across different platforms.
  • They can include public keys, private keys, certificates, encrypted private keys, and certificate signing requests.
  • Public keys contain only the public part of an asymmetric key pair and are distributed openly.
  • Private keys contain the private part of a key pair and must be kept secure. They can be stored encrypted in .pem files.
  • Certificates link public keys to identities using signatures from certificate authorities.
  • Certificate signing requests (CSRs) are sent to CAs to obtain identity certificates.

What are the Components of .pem File

A .pem file can contain one or more of these components depending on the specific use case:

Public Key

A PEM file can contain just the public key part of an asymmetric cryptography key pair in an “unencrypted” format. For example, the public key file for a certificate signing request.

The public key contains mathematical values that can encrypt data or verify signatures created by the corresponding private key. However, the public key cannot decrypt data or create signatures.

Private Key

A PEM file can contain just the private key part of an asymmetric cryptography key pair. However, unlike public keys, private keys are stored in an encrypted format for security reasons. A passphrase is required to decrypt the private key before use.

Certificate

PEM files commonly contain digital certificates used for identity and security. The certificate can include the public key along with identity information like the organization name and domain name. Certificates are digitally signed by a certificate authority to validate the identity.

Encrypted Private Key

For better security, private keys can be encrypted with a passphrase before being stored in the PEM file. This prevents unauthorized access to private keys for use in decryption and digital signatures. The encrypted key is decrypted at the time of use by providing the passphrase.

Certificate Signing Request (CSR)

A CSR contains information required to apply for an identity certificate, such as the public key, organization name, country, and domain name. It is sent to the certificate authority for signing. The CSR in PEM format contains the information in an ASCII printable encoding.

The different components serve important complementary purposes:

  • Public keys are contained in certificates and used in encryption algorithms.
  • Private keys generate signatures and decrypt data.
  • Certificates validate identity and link public keys to owners.
  • CSRs allow identity certificates to be obtained from certificate authorities.

How .pem Files Differ from Other Certificate/Key File Formats

.pem files have some similarities and differences compared to other common SSL certificate file formats, such as .key, .crt, .csr, and .p12. These distinctions are important to understand from an interoperability and usage perspective.

.key Files

  • .key files also contain public and private key pairs like .pem files. However, they store the keys in binary DER-encoded format rather than the Base64 ASCII encoding used in .pem files.
  • .key files contain only the public or private key. .pem files can include additional components like certificates.
  • .key files with private keys may require a passphrase for decryption. However, the encryption mechanism can be different from that of .pem files.
  • .key files are compatible with both Windows and Linux systems. .pem files have better portability across different platforms.

.crt Files

  • .crt files only contain certificates. .pem files can contain keys, certificates, and other components.
  • .crt files use binary DER encoding like .key files. .pem files use Base64 ASCII encoding.
  • .crt files may only support X.509 certificates. .pem files support various certificate formats.
  • .crt files containing public keys can be easily distributed. .pem files may contain private keys, so they require more care when sharing.

.csr Files

  • .csr files contain certificate signing requests. .pem files contain keys and certificates.
  • Both .csr and .pem files use Base64 encoding for portability.
  • .csr files are submitted to certificate authorities to obtain identity certificates. .pem files contain the issued certificates.
  • .pem files can store certificate chains. .csr files only contain single certificate requests.

.p12/.pfx Files

  • .p12 or .pfx files can contain private keys, public keys, and certificates. They are similar to .pem files but in binary format.
  • .pem files use Base64 ASCII encoding. .p12 uses binary encoding with DER and PKCS#12 standards.
  • .p12 files support only one private key and associated certificates. .pem files can hold multiple keys and certificates.
  • .p12 files require a passphrase for the private key. The passphrase may be optional in .pem files.
  • .p12 files are compatible with both Windows and Linux. .pem files are more portable across different platforms.

How to Create a .pem File using OpenSSL

OpenSSL is a popular open-source toolkit for working with cryptographic keys, certificates, and formats like .pem files. It is available for most operating systems and provides a robust set of commands for generating keys, certificates and CSRs, and for converting between different formats.

Here are the typical steps to create a .pem file using OpenSSL:

Generate the Public and Private Key Pair

The private and public key pair can be generated using the openssl genrsa command. For example, to generate a 2048-bit RSA key pair:

openssl genrsa -out private.key 2048

This writes the private key to the private.key file. The corresponding public key is derived from the private key, so it is contained in this file as well.

Generate a Certificate (Self-signed or CA-signed)

To generate a new self-signed certificate, the openssl req and x509 commands can be used:

openssl req -new -x509 -key private.key -out certificate.crt

This creates a new certificate, certificate.crt, that is self-signed with the private key we generated.

For CA-signed certificates, first create a CSR and submit it to the Certificate Authority to obtain the signed certificate.

Convert Keys and Certificates to .pem Format

The private key and certificate can be converted to .pem format using the following OpenSSL commands:

# Convert private key to PEM
openssl rsa -in private.key -out private.pem
# Convert certificate to PEM
openssl x509 -in certificate.crt -out certificate.pem

Now you have the private key and certificate in .pem format, suitable for use in SSL/TLS and other PKI applications. The certificate embeds the public key, so no separate public key file is needed.

Bundle Components into a Single .pem File (optional)

For convenience, the public key, private key, and certificates can be concatenated into a single .pem file.

For example, to bundle a private key and certificate together:

cat private.pem certificate.pem > bundle.pem

This creates bundle.pem, a single PEM file containing both the private key and the certificate.

Some applications need the components in separate .pem files, while some expect a bundled .pem file. Check the requirements before using the .pem file.

How to View and Inspect a .pem File

.pem files are text files containing Base64-encoded data, so they can be easily viewed in a text editor. However, the encoded output can be hard to understand.

Here are some ways to inspect and interpret the contents of a .pem file:

Viewing the Raw Contents

Any text editor, such as Notepad on Windows or vim/nano on Linux, can be used to view and display the raw contents of the .pem file in Base64 format.

While the Base64 body is not human-readable, the BEGIN header line names the content type, such as CERTIFICATE, PRIVATE KEY, RSA PRIVATE KEY or ENCRYPTED PRIVATE KEY, so you can tell what a block holds before decoding it.
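As an added illustration (not code from the original article), the following Python script does by hand what the header inspection above describes: it splits a bundle such as the one produced by the cat command into its blocks, reads the BEGIN label and any Proc-Type/DEK-Info headers, checks that the Base64 body decodes to a DER SEQUENCE, and flags private keys stored without a passphrase. The SAMPLE_BUNDLE is constructed for the example: each body is a tiny placeholder DER SEQUENCE, not a real key or certificate, and the function names are the example's own.

```python
import base64
import binascii
import re

# Constructed sample bundle for offline demonstration: each Base64 body is a
# tiny placeholder DER SEQUENCE (30 03 02 01 0N), not a real key or certificate.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
MAMCAQI=
-----END ENCRYPTED PRIVATE KEY-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

MAMCAQM=
-----END RSA PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
MAMCAQQ=
-----END PRIVATE KEY-----
"""

# One PEM block: BEGIN line, body, END line carrying the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)

# Labels used for private keys in the traditional (PKCS#1 / SEC1) encoding.
TRADITIONAL_PRIVATE = {"RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"}


def parse_pem(text):
    """Split PEM text into blocks of {label, headers, der}.

    Raises ValueError on bad Base64 or on a body that is not a DER SEQUENCE,
    which catches truncated or hand-edited files early.
    """
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        lines = body.splitlines()
        headers = {}
        # RFC 1421 encapsulated headers (Proc-Type, DEK-Info) come first,
        # separated from the Base64 body by a blank line.
        while lines and ":" in lines[0]:
            name, value = lines[0].split(":", 1)
            headers[name.strip()] = value.strip()
            lines.pop(0)
        b64 = "".join(line.strip() for line in lines)
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"bad Base64 in {label} block: {exc}") from exc
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} block does not start with a DER SEQUENCE")
        blocks.append({"label": label, "headers": headers, "der": der})
    return blocks


def classify(block):
    """Describe a block from its BEGIN label and headers."""
    label = block["label"]
    if label == "ENCRYPTED PRIVATE KEY":
        return "private key (PKCS#8, encrypted)"
    if label in TRADITIONAL_PRIVATE or label == "PRIVATE KEY":
        # Traditional keys signal encryption with a Proc-Type header; an
        # unencrypted PKCS#8 key uses the plain PRIVATE KEY label.
        if block["headers"].get("Proc-Type") == "4,ENCRYPTED":
            return "private key (traditional, encrypted)"
        return "private key (UNENCRYPTED)"
    if label == "CERTIFICATE":
        return "certificate"
    if label in ("CERTIFICATE REQUEST", "NEW CERTIFICATE REQUEST"):
        return "certificate signing request"
    if label in ("PUBLIC KEY", "RSA PUBLIC KEY"):
        return "public key"
    return f"other ({label})"


def unencrypted_private_keys(text):
    """Indexes of blocks holding a private key with no passphrase protection."""
    return [i for i, b in enumerate(parse_pem(text))
            if classify(b) == "private key (UNENCRYPTED)"]


if __name__ == "__main__":
    for i, block in enumerate(parse_pem(SAMPLE_BUNDLE)):
        print(f"block {i}: {classify(block)}, {len(block['der'])} DER bytes")
    print("unencrypted private keys at:", unencrypted_private_keys(SAMPLE_BUNDLE))
```

Running it against the sample reports the certificate, the two encrypted keys, and the one unencrypted PKCS#8 key at index 3. The same check is a quick way to confirm, before copying a bundle anywhere, that it does not carry a plaintext private key alongside the certificate.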

Decoding with OpenSSL

The openssl command can be used to decode the Base64 data and display the .pem contents in a human-readable form:

openssl rsa -in private.pem -noout -text
openssl x509 -in certificate.pem -noout -text

This will properly decode and format the output into key details, certificate fields, signatures, and other relevant information.

Parsing with PHP

The PHP openssl library can also decode .pem file content:

<?php
// Load the private key and print its parsed details (type, bits, modulus, ...).
// print_r() on the key handle itself shows nothing useful, so ask for the details.
$key = openssl_pkey_get_private(file_get_contents('private.pem'));
print_r(openssl_pkey_get_details($key));
// Parse the certificate into an associative array of its fields.
$cert = openssl_x509_parse(file_get_contents('certificate.pem'));
print_r($cert);

The printed arrays contain the parsed details of the private key and of the certificate.

How to Convert Between .pem and Other Certificate/Key Formats

Since .pem files are Base64 encoded, they can be easily interconverted with other key and certificate formats like .key, .crt, .p12, etc. This provides flexibility in terms of compatibility with different servers, applications, and operating systems.

Here are some common OpenSSL commands to convert to and from .pem format:

Convert DER/Binary Certificate to .pem

openssl x509 -inform der -in certificate.crt -out certificate.pem

Convert .pem Certificate to DER/Binary

openssl x509 -outform der -in certificate.pem -out certificate.crt

Convert PKCS#12 Certificate to .pem

openssl pkcs12 -in certificate.p12 -out certificate.pem -nodes

Convert .pem Certificate to PKCS#12

openssl pkcs12 -export -out certificate.p12 -inkey private.key -in certificate.pem -certfile morecerts.pem

Convert PKCS#1 (traditional) Private Key to PKCS#8

openssl pkcs8 -topk8 -in private.key -out private8.pem

This prompts for a passphrase and writes an encrypted PKCS#8 key (BEGIN ENCRYPTED PRIVATE KEY); add -nocrypt to write the key unencrypted instead.

Convert PKCS#8 Private Key to PKCS#1 (traditional)

openssl rsa -in private8.pem -out private.pem

openssl rsa reads either structure. On OpenSSL 3.x, whose default output is PKCS#8, add -traditional to force the PKCS#1 (BEGIN RSA PRIVATE KEY) form.

Both PKCS#1 and PKCS#8 private keys are written in .pem form; these commands change only the key's internal structure, not the PEM encoding around it.

This allows flexible interconversion between different key and certificate formats. The right encoding can be used depending on the source and destination applications.

For example, Apache and Linux require .pem files, Windows likes .p12, Java prefers .jks, and so on. The OpenSSL CLI provides an easy way to convert between these formats.

Programming languages like PHP, Python, and Java also provide libraries for loading and converting between different certificates and key encodings.
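As an added example (not code from the article), the Python snippet below performs the DER/PEM conversion that the openssl x509 -inform der and -outform der commands above do, using only the standard library: it wraps DER bytes in PEM delimiters with 64-character Base64 lines, strips a PEM block back to DER, and sniffs which encoding a file uses so the right conversion is chosen. SAMPLE_DER is constructed filler behind a SEQUENCE header, not a real certificate; the example covers DER and PEM only, not the PKCS#12 container.

```python
import base64

PEM_LINE_LENGTH = 64  # RFC 7468: the Base64 body is wrapped at 64 characters

# Constructed placeholder: a DER SEQUENCE header (30 82 00 60 = 96 bytes follow)
# over filler bytes. It is not a real certificate; it only exercises the encoding.
SAMPLE_DER = bytes([0x30, 0x82, 0x00, 0x60]) + bytes(range(96))


def der_to_pem(der, label):
    """Wrap DER bytes in PEM delimiters, as openssl x509 -outform pem would."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + PEM_LINE_LENGTH]
             for i in range(0, len(body), PEM_LINE_LENGTH)]
    return (f"-----BEGIN {label}-----\n" + "\n".join(lines)
            + f"\n-----END {label}-----\n")


def pem_to_der(pem):
    """Strip PEM delimiters and decode the body; returns (label, der_bytes)."""
    lines = [line.strip() for line in pem.strip().splitlines()]
    if len(lines) < 3 or not lines[0].startswith("-----BEGIN "):
        raise ValueError("not a PEM block")
    label = lines[0][len("-----BEGIN "):-len("-----")]
    if lines[-1] != f"-----END {label}-----":
        raise ValueError("BEGIN and END labels do not match")
    # validate=True rejects characters outside the Base64 alphabet instead of
    # silently skipping them, so a corrupted or edited file fails loudly.
    return label, base64.b64decode("".join(lines[1:-1]), validate=True)


def detect_format(data):
    """Sniff PEM vs DER: the decision behind openssl's -inform option."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":  # DER SEQUENCE tag; certificates and keys are SEQUENCEs
        return "DER"
    return "unknown"


def to_pem_if_needed(data, label):
    """Return PEM text for input in either encoding, like picking the right -inform."""
    fmt = detect_format(data)
    if fmt == "PEM":
        return data.decode("ascii")
    if fmt == "DER":
        return der_to_pem(data, label)
    raise ValueError("unrecognised encoding")


if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER, "CERTIFICATE")
    print(pem)
    print(detect_format(SAMPLE_DER), detect_format(pem.encode()))
```

The round trip pem_to_der(der_to_pem(der, label)) returns the original bytes unchanged, which is the property that makes the conversions in this section lossless: PEM adds only the delimiters and the Base64 wrapping, and the DER underneath is what every format in this section ultimately carries.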

How to Open .pem Files on Windows, Linux, and Mac

.pem files can be easily opened across different operating systems due to their portable Base64 ASCII encoding. Here is how to open .pem files on the most common platforms:

On Windows

  • Double-click to open the .pem file in a text editor like Notepad. This allows viewing of the raw contents.
  • For certificates, double-click to import them into the Windows certificate store. They get added to the Other People section.
  • Use the CertUtil tool to dump certificate contents in human-readable form.
  • Windows Cryptographic Service Provider (CSP) can also parse .pem file contents programmatically.
  • Tools like OpenSSL and PHP can be installed on Windows to work with .pem files.

On Linux

  • Text editors like vi or nano can open .pem files, but they only show the encoded data.
  • The OpenSSL CLI provides rich support for inspection and conversion of .pem files.
  • Most programming languages, like Python and PHP, run on Linux and can programmatically decode .pem file contents.
  • On Red Hat and similar distros, the Certutil tool is also available as Cryptutil.
  • The .pem file extension may need to be associated with text editors in Preferences if it does not open by default.

On Mac OS

  • Use text editors like TextEdit to open the .pem file and view the raw contents.
  • Install OpenSSL using Homebrew and use it to parse/process .pem files.
  • Import .pem certificates into the Mac Keychain Access application.
  • MacOS has native API support for processing .pem files through CFData types.
  • Programming languages like Python and Ruby can also handle .pem files on Mac.

Final Thoughts

PEM files are useful for storing cryptographic keys and certificates in a portable format. They contain Base64 encoded data and have a .pem extension. PEM files can be created using various tools like OpenSSL.

To create a PEM file, the key or certificate data needs to be converted to Base64 and written with PEM delimiters. PEM files can be opened with any text editor, but the contents will be unreadable without decoding. To use PEM files, programming languages provide functions to parse the Base64 data and extract the key or certificate information.

Frequently Asked Questions

What encoding algorithm is used in .pem files?

.pem files use Base64 encoding to represent binary keys and certificates in an ASCII printable format for portability.

Can I edit the contents of a .pem file?

No, you should not edit the contents of an existing .pem file. They contain cryptographic key data that can be corrupted. Instead, you need to properly generate new keys and certificates.

What are some applications that use .pem files?

.pem files are widely used in setting up SSL certificates for web servers, email encryption and signing (S/MIME), client certificate authentication, OpenSSL, and other programs relying on public key infrastructure.

How can I view the contents of a certificate .pem file?

To view certificate contents in human-readable form, run openssl x509 -text -noout -in cert.pem. Alternatively, import the .pem file into Certificate Manager on Windows, Mac Keychain on MacOS, or browsers like Chrome.

How are keys protected in a .pem file?

Private keys can be stored in encrypted format within a .pem file. A passphrase is required to decrypt the private key before it can be used. Public keys do not require encryption.

Can I use Notepad to open a .pem file with a private key?

You should avoid opening .pem files containing private keys in plain text editors like Notepad, which display the full unencrypted contents on screen. Use OpenSSL to inspect the key instead.

What is the difference between .pem, .cer, and .der formats?

.pem uses Base64 ASCII encoding; .cer usually indicates an X.509 certificate in binary DER encoding. .der is the binary DER certificate encoding commonly used on Windows.

Priya Mervana

Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.