Privacy-Enhanced Mail (PEM) (OpenSsh key format)

About

Privacy-Enhanced Mail (PEM) is a file formats for cryptographic material (key, certificate, ..).

The PEM format is the DER format encoded in base64 with additional header and footer lines to be transported via e.g. … E-mail. (ie The M is PEM)

The PEM format is the format of Openssl ssh

It's not a keystore format.

Format

The header and footer lines in the PEM format defines what type of PEM file it is.

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
 -----BEGIN CERTIFICATE REQUEST-----
 -----END CERTIFICATE REQUEST-----

but may also be:

 -----BEGIN NEW CERTIFICATE REQUEST-----
 -----END NEW CERTIFICATE REQUEST-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----

Management

Create

How to see if a pem key is encrypted

You can see if the key is encrypted, in the header of the key:

Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC

where:

  • Proc-Type: 4,ENCRYPTED indicates the key is encrypted.
  • DEK-Info: xxx indicates the cipher used for encryption.

Export

with Portecle > Right Click on the Entry > Export

To

DER format

to Distinguished Encoding Rules (DER)

openssl rsa –in file.der –inform DER –out file.pem –outform PEM

PPK (Putty)

PEM to Key - ppk key format:

  • Open Putty Key Generator
  • File > Import

  • Change the key comment
  • And save it as a key

Read

Concat

The following command uses:

  • a Pem file named with a certificate (CRT) named keystore.crt
  • and a pem key file named keystore.key

to create a PEM keystore named keystore.pem:

cat keystore.crt keystore.key >> keystore.pem

Decrypt

openssl rsa -in [encrypted.key] -out [unencrypted.key]
Enter pass phrase for encrypted.key.pem:
writing RSA key

Read

openssl x509 -in cert.pem -text -noout

Powered by ComboStrap