Privacy-Enhanced Mail (PEM) (OpenSSH key format)

About

Privacy-Enhanced Mail (PEM) is a file format for cryptographic material (keys, certificates, ...).

The PEM format is the DER format encoded in base64, with additional header and footer lines, so that it can be transported via e.g. … e-mail (i.e. the M in PEM stands for Mail).

The PEM format is the format used by OpenSSL and SSH keys.

It's not a keystore format.

Format

The header and footer lines of a PEM file define what type of PEM file it is.

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

but may also be:

-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----

-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----

Management

Create

How to see if a pem key is encrypted

You can see whether the key is encrypted from the header lines at the top of the key:

Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC

where:

  • Proc-Type: 4,ENCRYPTED indicates the key is encrypted.
  • DEK-Info: xxx indicates the cipher used for encryption.
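As an added example (not part of the original page), a small Python parser that splits a PEM file into its blocks, reads the BEGIN/END labels and the Proc-Type / DEK-Info headers described above, and decodes the base64 body back to DER bytes. The sample input is constructed for this example: its base64 bodies are placeholders, not real key or certificate material.

```python
import base64
import binascii
import re
from dataclasses import dataclass, field

# Constructed sample: an encrypted traditional PEM key block followed by a
# certificate block (the layout produced by concatenating a .key and a .crt).
# The base64 bodies are placeholders, not real key/certificate material.
SAMPLE_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

aGVsbG8gd29ybGQ=
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Y2VydGlmaWNhdGU=
-----END CERTIFICATE-----
"""

@dataclass
class PemBlock:
    label: str                                   # text between BEGIN and the dashes
    headers: dict = field(default_factory=dict)  # "Name: value" lines before the body
    der: bytes = b""                             # base64-decoded body (DER)

    @property
    def encrypted(self) -> bool:
        # Proc-Type: 4,ENCRYPTED marks a passphrase-protected traditional key
        return self.headers.get("Proc-Type", "").endswith("ENCRYPTED")

    @property
    def cipher(self):
        # DEK-Info: <cipher>,<iv hex>; only the cipher name is returned
        dek = self.headers.get("DEK-Info")
        return dek.split(",")[0] if dek else None

# The END label must match the BEGIN label (\1), so mismatched pairs are ignored.
_BLOCK = re.compile(r"-----BEGIN ([^-]+)-----\r?\n(.*?)-----END \1-----", re.S)

def parse_pem(text: str) -> list:
    blocks = []
    for m in _BLOCK.finditer(text):
        label, headers, body = m.group(1), {}, []
        for line in m.group(2).splitlines():
            if ":" in line and not body:   # header lines precede the base64 body
                k, v = line.split(":", 1)
                headers[k.strip()] = v.strip()
            elif line.strip():             # skip the blank separator line
                body.append(line.strip())
        try:
            der = base64.b64decode("".join(body), validate=True)
        except binascii.Error as e:
            raise ValueError(f"corrupt base64 in {label} block") from e
        blocks.append(PemBlock(label, headers, der))
    return blocks
```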

Export

with Portecle > Right Click on the Entry > Export


To

DER format

Conversion with Distinguished Encoding Rules (DER). The command below reads a DER file and writes PEM; swap the -inform and -outform values to go from PEM to DER.

openssl rsa -in file.der -inform DER -out file.pem -outform PEM

PPK (Putty)

PEM to PPK (PuTTY key format):

  • Open the PuTTY Key Generator (puttygen)
  • File > Import


  • Change the key comment
  • And save it as a key

Read

with Portecle


Concat

The following command uses:

  • a PEM file containing a certificate (CRT) named keystore.crt
  • and a PEM key file named keystore.key

to create a PEM keystore named keystore.pem:

cat keystore.crt keystore.key >> keystore.pem

Decrypt

Verify that the key is in PEM format:

cat encrypted.key
-----BEGIN RSA PRIVATE KEY-----
xxxxxxxxxx
-----END RSA PRIVATE KEY-----

then with OpenSSL (libcrypto) and the rsa subcommand, you can remove the passphrase with the following command:

openssl rsa -in [encrypted.key] -out [unencrypted.key]
Enter pass phrase for encrypted.key.pem:
writing RSA key

Read

openssl x509 -in cert.pem -text -noout
