Table of Contents

About

Privacy-Enhanced Mail (PEM) is a file formats for cryptographic material (key, certificate, ..).

The PEM format is the DER format encoded in base64 with additional header and footer lines to be transported via e.g. … E-mail. (ie The M is PEM)

The PEM format is the format of Openssl ssh

It's not a keystore format.

Format

The header and footer lines in the PEM format defines what type of PEM file it is. 

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----


-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----


-----BEGIN CERTIFICATE REQUEST-----
 -----END CERTIFICATE REQUEST-----

but may also be: 

-----BEGIN NEW CERTIFICATE REQUEST-----
 -----END NEW CERTIFICATE REQUEST-----


-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----

Management

Create

How to see if a pem key is encrypted

You can see if the key is encrypted, in the header of the key: 

Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC

where:

  • Proc-Type: 4,ENCRYPTED indicates the key is encrypted.
  • DEK-Info: xxx indicates the cipher used for encryption.

Export

with Portecle > Right Click on the Entry > Export

Porte Cle Keystore Pem

To

DER format

to Distinguished Encoding Rules (DER) 

openssl rsa –in file.der –inform DER –out file.pem –outform PEM

PPK (Putty)

PEM to Key - ppk key format:

  • Open Putty Key Generator
  • File > Import

Pem To Ppk Putty Gen

  • Change the key comment
  • And save it as a key

Read

with Portecle

Csr Portecle Read

Concat

The following command uses:

  • a Pem file named with a certificate (CRT) named keystore.crt
  • and a pem key file named keystore.key

to create a PEM keystore named keystore.pem: 

cat keystore.crt keystore.key >> keystore.pem

Decrypt

openssl rsa -in [encrypted.key] -out [unencrypted.key]

Enter pass phrase for encrypted.key.pem:
writing RSA key

Read

openssl x509 -in cert.pem -text -noout