What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

SSL has been around for long enough you'd think that there would be standards for how these things would work. And you're right, there are. Too many standards as it happens. So this is what I know, and I'm sure others will chime in.

• .csr This is a Certificate Signing Request. Some applications can generate these for submission to certificate-authorities. It includes some/all of the key details of the requested certificate such as subject, organization, state, whatnot. These get signed by the CA and a certificate is returned. The returned certificate is the public certificate, which itself can be in a couple of formats.
• .pem This is the public-key of a specific certificate. In apache installs, this frequently resides in /etc/ssl/servercerts. This is also the format used for Certificate Authority certificates (/etc/ssl/certs)
• .key This is the private-key of a specific certificate. In apache installs, this frequently resides in /etc/ssl/private. The rights on this directory and the certificates is very important, and some programs will refuse to load these certificates if they are set wrong.
• .pkcs12 .pfx .p12 A passworded container format that contains both public and private certificate pairs. Every time I get one I have to google to remember the openssl-fu required to break it into .key and .pem files.

I hope this helps.

Edit: A couple other file-types:

• .der Fills the same function as a .pem file, but a different format. OpenSSL can convert these to .pem. I've only ever run into them in the wild with Novell's eDirectory certificate authority.
• .cert .cer A .pem file with a different extension. This extension is recognized by Windows Explorer as a certificate, which .pem is not.
• .crl A certificate revocation list. Certificate Authorities produce these as a way to de-authorize certificates before expiration.

PEM on it's own isn't a certificate, it's just a way of encoding data. X.509 certificates are one type of data that is commonly encoded using PEM.

PEM is a X.509 certificate (whose structure is defined using ASN.1), encoded using the ASN.1 DER (distinguished encoding rules), then run through Base64 encoding and stuck between plain-text anchor lines (BEGIN CERTIFICATE and END CERTIFICATE).

You can represent the same data using the PKCS#7 or PKCS#12 representations, and the openssl command line utility can be used to do this.

The obvious benefits of PEM is that it's safe to paste into the body of an email message because it has anchor lines and is 7-bit clean.

RFC1422 has more details about the PEM standard as it related to keys and certificates.

Sometimes a .crt file is already a .pem. See: http://stackoverflow.com/questions/991758/openssl-pem-key