About
Privacy-Enhanced Mail (PEM) is a file formats for cryptographic material (key, certificate, ..).
The PEM format is the DER format encoded in base64 with additional header and footer lines to be transported via e.g. … E-mail. (ie The M is PEM)
The PEM format is the format of Openssl ssh
It's not a keystore format.
Format
The header and footer lines in the PEM format defines what type of PEM file it is.
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
but may also be:
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
-----BEGIN PGP PUBLIC KEY BLOCK-----
-----END PGP PUBLIC KEY BLOCK-----
Management
Create
How to see if a pem key is encrypted
You can see if the key is encrypted, in the header of the key:
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC
where:
- Proc-Type: 4,ENCRYPTED indicates the key is encrypted.
- DEK-Info: xxx indicates the cipher used for encryption.
Export
with Portecle > Right Click on the Entry > Export
To
DER format
to Distinguished Encoding Rules (DER)
openssl rsa –in file.der –inform DER –out file.pem –outform PEM
PPK (Putty)
PEM to Key - ppk key format:
- Open Putty Key Generator
- File > Import
- Change the key comment
- And save it as a key
Read
with Portecle
Concat
The following command uses:
- a Pem file named with a certificate (CRT) named keystore.crt
- and a pem key file named keystore.key
to create a PEM keystore named keystore.pem:
cat keystore.crt keystore.key >> keystore.pem
Decrypt
verify that you have a PEM format
cat encrypted.key
-----BEGIN RSA PRIVATE KEY-----
xxxxxxxxxx
-----END RSA PRIVATE KEY-----
then with Openssl (libcrypto) and the rsa algo, you can suppress the passphrase with the following command:
openssl rsa -in [encrypted.key] -out [unencrypted.key]
Enter pass phrase for encrypted.key.pem:
writing RSA key
Read
openssl x509 -in cert.pem -text -noout