Privacy-Enhanced Mail (PEM) (OpenSsh format)

About

Privacy-Enhanced Mail (PEM) is a file format for cryptographic material (key, certificate, ..).

The PEM format is the DER format encoded in base64, with additional header and footer lines, so that it can be transported via e.g. … e-mail (i.e. the M in PEM).

The PEM format is the format of OpenSSH

It's not a keystore format.

Example

The header and footer lines of a PEM file define what type of PEM file it is.

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

but may also be:

-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----

-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----

Format

The header and footer lines in the PEM format define the type of content.

Management

Create

How to see if a pem key is encrypted

You can see if the key is encrypted, in the header of the key:

Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC

where:

  • Proc-Type: 4,ENCRYPTED indicates the key is encrypted.
  • DEK-Info: xxx indicates the cipher used for encryption.
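The type labels and the encryption headers described above can be read programmatically. The following is an added example, not code from the original page: the function name `parse_pem`, the helper `dummy_body` and the sample data are constructed for illustration. It goes one step beyond the page by also flagging the PKCS#8 `ENCRYPTED PRIVATE KEY` label, which carries no `Proc-Type` header.

```python
import base64
import re

# One PEM block: BEGIN line, optional "Name: value" headers, base64 body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def parse_pem(text):
    """Return one dict per PEM block found in text."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        label, inner = match.group(1), match.group(2)
        headers, body = {}, []
        for line in (l.strip() for l in inner.splitlines()):
            if ":" in line:  # base64 never contains ':', so this is a header line
                name, _, value = line.partition(":")
                headers[name.strip()] = value.strip()
            elif line:
                body.append(line)
        der = base64.b64decode("".join(body), validate=True)  # rejects non-base64 input
        legacy = headers.get("Proc-Type", "").replace(" ", "") == "4,ENCRYPTED"
        blocks.append({
            "label": label,
            # PKCS#8 encrypted keys have no headers; the label itself says ENCRYPTED.
            "encrypted": legacy or label == "ENCRYPTED PRIVATE KEY",
            # DEK-Info is "<cipher>,<hex IV>" in real files; keep only the cipher name.
            "cipher": headers["DEK-Info"].split(",")[0] if "DEK-Info" in headers else None,
            "der_len": len(der),
        })
    return blocks

def dummy_body(n):
    """Constructed payload: n zero bytes, base64-encoded (not real key material)."""
    return base64.encodebytes(bytes(n)).decode()

# Constructed sample: an encrypted legacy RSA key followed by a certificate.
SAMPLE = (
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "Proc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC," + "0" * 32 + "\n\n"
    + dummy_body(48) +
    "-----END RSA PRIVATE KEY-----\n"
    "-----BEGIN CERTIFICATE-----\n" + dummy_body(30) + "-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    for block in parse_pem(SAMPLE):
        print(block)
```

OpenSSH's newer `OPENSSH PRIVATE KEY` blocks record their cipher inside the base64 body, so a header check like this one reports them as not encrypted whether or not a passphrase is set.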

Export

with Portecle > Right Click on the Entry > Export

To

DER format

PEM to Distinguished Encoding Rules (DER):

openssl rsa -in file.pem -inform PEM -out file.der -outform DER

PPK (Putty)

PEM to Key - ppk key format:

  • Open Putty Key Generator
  • File > Import

  • Change the key comment
  • And save it as a key

Read

with Portecle

Concat

The following command uses:

  • a PEM file holding a certificate (CRT) named keystore.crt
  • and a PEM key file named keystore.key

to create a PEM keystore named keystore.pem:

cat keystore.crt keystore.key >> keystore.pem

Decrypt

Verify that the key is in PEM format:

cat encrypted.key
-----BEGIN RSA PRIVATE KEY-----
xxxxxxxxxx
-----END RSA PRIVATE KEY-----

Then, with OpenSSL (libcrypto) and the RSA algorithm, you can remove the passphrase with the following command:

openssl rsa -in [encrypted.key] -out [unencrypted.key]
Enter pass phrase for encrypted.key.pem:
writing RSA key

Read

openssl x509 -in cert.pem -text -noout




