Learnitweb

What is a PEM file?

1. Introduction

Privacy-Enhanced Mail (PEM) is a widely used file format for storing and transmitting cryptographic keys, certificates, and related data. It originated from a set of 1993 IETF standards aimed at defining “privacy-enhanced mail” for secure email communication. While the original privacy-enhanced mail protocol is largely obsolete, the PEM file format has become a de facto standard for encoding cryptographic information in a text-based, Base64-encoded format.

2. What is in a PEM file?

Many cryptography standards rely on ASN.1 (Abstract Syntax Notation One) to define their data structures and use Distinguished Encoding Rules (DER) for serializing these structures. However, since DER produces binary output, transmitting such files through systems that support only ASCII, such as electronic mail, can be problematic.
The PEM format solves this problem by encoding the binary data using base64. PEM also defines a one-line header, consisting of -----BEGIN, a label, and -----, and a one-line footer, consisting of -----END, a label, and -----. The label determines the type of message encoded. Common labels include CERTIFICATE, CERTIFICATE REQUEST, PRIVATE KEY and X509 CRL.

-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----

PEM data is commonly stored in files with a “.pem” suffix, a “.cer” or “.crt” suffix (for certificates), or a “.key” suffix (for public or private keys).

The label inside a PEM file provides a more accurate indication of the type of data it contains compared to the file’s suffix, as a single .pem file can store various types of data. Specifically, PEM refers to the Base64 encoding and the text-based header/footer wrappers for the binary content, but it does not define the type or format of the underlying binary data. As a result, a PEM file can hold “almost anything” that is Base64-encoded and enclosed between BEGIN and END lines, such as keys, certificates, or other cryptographic objects.

OpenSSL supports a variety of standard formats in addition to .pem, including Distinguished Encoding Rules (DER) and X.509. OpenSSL has several utility functions that can convert these formats.

PEM is just a standard: PEM files contain text, and the format dictates that they start with…

-----BEGIN <type>-----

…and end with:

-----END <type>-----

Everything in between is base64 encoded (uppercase and lowercase letters, digits, +, and /). This forms a block of data that can be used in other programs. A single PEM file can contain multiple blocks.

The PEM file will indicate its intended use in the header, which specifies the type of data it contains. For example, a PEM file might start with one of the following headers:

Certificate:

-----BEGIN CERTIFICATE-----
(Base64-encoded certificate data)
-----END CERTIFICATE-----

Private Key:

-----BEGIN PRIVATE KEY-----
(Base64-encoded private key data)
-----END PRIVATE KEY-----

Public Key:

-----BEGIN PUBLIC KEY-----
(Base64-encoded public key data)
-----END PUBLIC KEY-----

Certificate Request:

-----BEGIN CERTIFICATE REQUEST-----
(Base64-encoded certificate request data)
-----END CERTIFICATE REQUEST-----

These headers (and their corresponding footers) clearly indicate the type of data enclosed within the PEM file, allowing tools to interpret and process the content accordingly.
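As an added example (not code from the original page), here is a small Python parser for the format described above: it pairs each BEGIN line with its END line, checks that the two labels agree, decodes the base64 body, and collects every block, so a file holding a whole chain yields one entry per certificate. The sample input is constructed and carries a 5-byte dummy DER value rather than a real key or certificate.

```python
import base64
import re
from typing import List, Tuple

BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END_RE = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")

def parse_pem(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, der_bytes) for every block; raise ValueError on a malformed file."""
    blocks, label, body = [], None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if label is None:                      # outside a block: look for BEGIN
            m = BEGIN_RE.match(line)
            if m:
                label, body = m.group(1), []
            continue                           # other text outside a block is ignored
        m = END_RE.match(line)
        if m:
            if m.group(1) != label:            # END label must repeat the BEGIN label
                raise ValueError(f"line {lineno}: END {m.group(1)!r} does not match BEGIN {label!r}")
            # validate=True rejects any character outside the base64 alphabet
            der = base64.b64decode("".join(body), validate=True)
            # certificates, CSRs and keys all serialize as a DER SEQUENCE (tag 0x30)
            if not der or der[0] != 0x30:
                raise ValueError(f"line {lineno}: {label} body is not a DER SEQUENCE")
            blocks.append((label, der))
            label = None
        elif BEGIN_RE.match(line):
            raise ValueError(f"line {lineno}: BEGIN inside an open {label!r} block")
        else:
            body.append(line)                  # a base64 body line
    if label is not None:
        raise ValueError(f"unterminated {label!r} block: no END line")
    return blocks

# Constructed sample, not a real certificate or key: each body is the base64 of the
# 5-byte DER SEQUENCE { INTEGER 5 }, enough to exercise the parser offline.
SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MAMCAQU=
-----END PRIVATE KEY-----
"""

for lbl, der in parse_pem(SAMPLE_PEM):
    print(f"{lbl}: {len(der)} DER bytes")   # prints "CERTIFICATE: 5 DER bytes" etc.
```

Because the label, not the file suffix, is what identifies the content, a loader can use the returned labels to refuse, for instance, a PRIVATE KEY block where only a CERTIFICATE was expected.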

3. PEM Files with SSL Certificates

PEM files are used to store SSL certificates and their associated private keys. A full SSL certificate chain consists of several certificates, which fit together in this order:

1. The end-user certificate, which is assigned to your domain name by a certificate authority (CA). This is the file you use in nginx and Apache to encrypt HTTPS.
2. Up to four optional intermediate certificates, issued to smaller certificate authorities by higher authorities.
3. The root certificate, the highest certificate in the chain, which is self-signed by the primary CA.