Jay Taylor's notes

back to listing index

security - What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats? - Server Fault

[web search]
Original source (serverfault.com)
Tags: ssl encryption certificates pem security serverfault.com
Clipped on: 2012-11-06

I'm pretty much a n00b at system administration and I am responsible for maintaining two Debian servers. Every time I have to do anything with security certificates, I google for tutorials and beat away until it finally works. However, in my searchings I often come across different file formats (.key, .csr, .key, .pem) but I've never been able to find a good explanation of what each file format's purpose is, etc.

I was wondering if the good folks here at serverfault could provide some clarification on this matter?

Image (Asset 1/14) alt= 14.5k1643
asked May 19 '09 at 2:24
Image (Asset 2/14) alt= 66421115

75% accept rate
add comment

3 Answers

up vote 74 down vote accepted

SSL has been around for long enough you'd think that there would be standards for how these things would work. And you're right, there are. Too many standards as it happens. So this is what I know, and I'm sure others will chime in.

  • .csr This is a Certificate Signing Request. Some applications can generate these for submission to certificate-authorities. It includes some/all of the key details of the requested certificate such as subject, organization, state, whatnot. These get signed by the CA and a certificate is returned. The returned certificate is the public certificate, which itself can be in a couple of formats.
  • .pem This is the public-key of a specific certificate. In apache installs, this frequently resides in /etc/ssl/servercerts. This is also the format used for Certificate Authority certificates (/etc/ssl/certs)
  • .key This is the private-key of a specific certificate. In apache installs, this frequently resides in /etc/ssl/private. The rights on this directory and the certificates is very important, and some programs will refuse to load these certificates if they are set wrong.
  • .pkcs12 .pfx .p12 A passworded container format that contains both public and private certificate pairs. Every time I get one I have to google to remember the openssl-fu required to break it into .key and .pem files.

I hope this helps.

Edit: A couple other file-types:

  • .der Fills the same function as a .pem file, but a different format. OpenSSL can convert these to .pem. I've only ever run into them in the wild with Novell's eDirectory certificate authority.
  • .cert .cer A .pem file with a different extension. This extension is recognized by Windows Explorer as a certificate, which .pem is not.
  • .crl A certificate revocation list. Certificate Authorities produce these as a way to de-authorize certificates before expiration.
answered May 19 '09 at 2:49
Image (Asset 3/14) alt= 63.2k369154
7 upvote
The great thing about standards is that there are so many to choose from... – squillman May 19 '09 at 4:05
Put another way, Standards are great - lets have many of those! – gimel May 19 '09 at 7:05
4 upvote
.crt is another common extension for .cert and .cer – David Pashley Jun 6 '09 at 8:08
10 upvote
PEM is a file format that may consist of a certificate (aka. public key), a private key or indeed both concatenated together. Don't pay so much attention to the file extension. – Dan Carley Jun 25 '09 at 16:29
add comment

PEM on it's own isn't a certificate, it's just a way of encoding data. X.509 certificates are one type of data that is commonly encoded using PEM.

PEM is a X.509 certificate (whose structure is defined using ASN.1), encoded using the ASN.1 DER (distinguished encoding rules), then run through Base64 encoding and stuck between plain-text anchor lines (BEGIN CERTIFICATE and END CERTIFICATE).

You can represent the same data using the PKCS#7 or PKCS#12 representations, and the openssl command line utility can be used to do this.

The obvious benefits of PEM is that it's safe to paste into the body of an email message because it has anchor lines and is 7-bit clean.

RFC1422 has more details about the PEM standard as it related to keys and certificates.

answered Jun 6 '09 at 15:19
Image (Asset 4/14) alt= 3,274718
add comment

Sometimes a .crt file is already a .pem. See: http://stackoverflow.com/questions/991758/openssl-pem-key

answered Mar 15 at 0:24
Image (Asset 5/14) alt= 411
add comment

protected by Zoredache Mar 15 at 16:57

This question is protected to prevent "thanks!", "me too!", or spam answers by new users. To answer it, you must have earned at least 10 reputation on this site.

Not the answer you're looking for? Browse other questions tagged or ask your own question.


 × 3375
 × 1960
 × 45
 × 5


3 years ago


71174 times


7 months ago

67 People Chatting

The Comms Room

5 mins ago - Mark Henderson
Image (Asset 6/14) alt=
Image (Asset 7/14) alt=