Table of Contents

Privacy-Enhanced Mail (PEM) (OpenSsh format)

About

Privacy-Enhanced Mail (PEM) is a file formats for cryptographic material (key, certificate, ..).

The PEM format is the DER format encoded in base64 with additional header and footer lines to be transported via e.g. … E-mail. (ie The M is PEM)

The PEM format is the format of OpenSSH

It's not a keystore format.

Example

The header and footer lines in the PEM format defines what type of PEM file it is. 

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----


-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----


-----BEGIN CERTIFICATE REQUEST-----
 -----END CERTIFICATE REQUEST-----

but may also be: 

-----BEGIN NEW CERTIFICATE REQUEST-----
 -----END NEW CERTIFICATE REQUEST-----


-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----

Format

The header and footer lines in the PEM format defines what type of content.

Management

Create

How to see if a pem key is encrypted

You can see if the key is encrypted, in the header of the key: 

Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC

where:

Export

with Portecle > Right Click on the Entry > Export

Porte Cle Keystore Pem

To

DER format

to Distinguished Encoding Rules (DER) 

openssl rsa –in file.der –inform DER –out file.pem –outform PEM

PPK (Putty)

PEM to Key - ppk key format:

Pem To Ppk Putty Gen

Read

with Portecle

Csr Portecle Read

Concat

The following command uses:

to create a PEM keystore named keystore.pem: 

cat keystore.crt keystore.key >> keystore.pem

Decrypt

verify that you have a PEM format 

cat encrypted.key

-----BEGIN RSA PRIVATE KEY-----
xxxxxxxxxx
-----END RSA PRIVATE KEY-----

then with Openssl (libcrypto) and the rsa algo, you can suppress the passphrase with the following command: 

openssl rsa -in [encrypted.key] -out [unencrypted.key]

Enter pass phrase for encrypted.key.pem:
writing RSA key

Read

openssl x509 -in cert.pem -text -noout