When working with SSL/TLS certificates on Linux servers, you'll encounter several file formats:
- .key files: Contain private keys in either PEM or DER format
- .csr files: Certificate Signing Requests in PEM format
- .pem files: Base64 encoded container format for certificates/keys

PEM (Privacy Enhanced Mail) files are the most common format you'll work with. They contain:

```
-----BEGIN CERTIFICATE-----
[Base64-encoded data]
-----END CERTIFICATE-----
```

Or for private keys:

```
-----BEGIN RSA PRIVATE KEY-----
[Base64-encoded data]
-----END RSA PRIVATE KEY-----
```

Format | Contents | Usage |
---|---|---|
.key | Private key | Server configuration |
.csr | Certificate request | Submitting to CA |
.pem | Certificates/keys | Multi-purpose container |

Generating a new private key and CSR:

```
openssl genrsa -out server.key 2048
openssl req -new -key server.key -out server.csr
```

Converting between formats:

```
# PEM to DER
openssl x509 -in cert.pem -outform der -out cert.der
# DER to PEM
openssl x509 -inform der -in cert.der -out cert.pem
```

- Always protect private key files (.key) with proper permissions (600)
- Use PEM format for most server configurations (Apache/Nginx)
- Keep CSR files until the certificate is issued and verified
- Convert between formats only when necessary

When working with OpenSSL and server certificates, you'll encounter several file formats:
- .pem - Privacy Enhanced Mail (base64 encoded)
- .key - Private key file
- .csr - Certificate Signing Request
- .crt or .cer - Certificate file

PEM (Privacy Enhanced Mail) is the most common format for certificates and keys. Despite its name, it's not just for email - it's become the standard container format for many cryptographic objects.
Key characteristics:
- Base64 encoded ASCII text
- Contains header and footer lines (-----BEGIN...-----)
- Can contain certificates, private keys, or both
- Human-readable and easy to transfer
Format | Contents | Typical Use |
---|---|---|
.pem | Certificate chain, private key, or both | Apache config, client certificates |
.key | Private key (PEM or DER format) | Server configuration |
.csr | Certificate Signing Request | Submitting to CA for certificate |
.crt/.cer | Certificate (PEM or DER format) | Server/client certificates |

Here's how to generate and convert between formats:

```
# Generate a private key (PEM format)
openssl genpkey -algorithm RSA -out private.key -pkeyopt rsa_keygen_bits:2048

# Create a CSR from existing private key
openssl req -new -key private.key -out request.csr

# Convert PEM to DER
openssl x509 -in certificate.pem -outform der -out certificate.der

# View PEM file contents
openssl x509 -in certificate.pem -text -noout
```

Apache/Nginx configuration: Typically uses PEM files for both certificate and private key.
Java KeyStores: Requires PKCS12 format, which can be converted from PEM:

```
openssl pkcs12 -export -in certificate.pem -inkey private.key -out keystore.p12
```

Windows servers: Often prefer PFX/PKCS12 or DER formats.
- Always protect private key files (.key) with proper permissions (600)
- PEM files containing private keys should be kept secure
- CSR files don't contain private keys and can be shared safely
- Consider encrypting private keys with a passphrase
Q: Can I rename .pem to .crt?
A: Yes, if it contains a certificate. The extension doesn't change the content.
Q: How to identify a file's actual content?
A: Use the `file` command or OpenSSL commands to inspect the contents.
Q: What's inside a typical PEM file?
A: It might contain:

```
-----BEGIN CERTIFICATE-----
[base64 encoded data]
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
[base64 encoded data]
-----END RSA PRIVATE KEY-----
```
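
An added example (not from the original page) of identifying a file's actual content: it classifies a file by its PEM labels or its DER leading byte instead of its extension, and flags a private key whose mode is looser than the 600 recommended above. The names `classify` and `audit` and the sample bytes are constructed for illustration.

```python
import base64
import os
import re
import stat

# PEM armor: matching BEGIN/END labels around base64 text.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.S)

def classify(data: bytes) -> list:
    """List what a file really contains, ignoring its extension."""
    kinds = []
    for label, body in PEM_BLOCK.findall(data):
        name = "PEM " + label.decode()
        if body.startswith(b"Proc-Type:"):
            # Legacy passphrase-encrypted key: headers end at a blank line
            # and the payload is ciphertext, so the DER check is skipped.
            kinds.append(name + " (passphrase-encrypted)")
            continue
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:
            kinds.append(name + " (invalid base64)")
            continue
        # Certificates, CSRs and keys are all ASN.1 SEQUENCEs (first byte 0x30).
        kinds.append(name if der[:1] == b"\x30" else name + " (payload is not DER)")
    if not kinds and data[:1] == b"\x30":
        kinds.append("DER (binary)")
    return kinds or ["unknown"]

def audit(path: str) -> list:
    """Classify a file and flag private keys readable by group or others."""
    with open(path, "rb") as fh:
        findings = classify(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if any("PRIVATE KEY" in k for k in findings) and mode & 0o077:
        findings.append(f"WARNING: mode {mode:03o}, private key should be 600")
    return findings

# Constructed sample: a placeholder DER SEQUENCE, not a real certificate or key.
_B64 = base64.b64encode(b"\x30\x03\x02\x01\x00")
SAMPLE = (b"-----BEGIN CERTIFICATE-----\n" + _B64 + b"\n-----END CERTIFICATE-----\n"
          b"-----BEGIN RSA PRIVATE KEY-----\n" + _B64 + b"\n-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    print(classify(SAMPLE))  # a combined file like the one shown in the answer above
```

Running `audit` over a certificate directory catches the common case of a file named `.crt` or `.pem` that also carries a private key and was left world-readable.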