File formats: pem, pub, csr, crt

Posted by Steven

In this article, I want to explain some file formats used to hold cryptographic keys and certificates. It is not meant to be a complete list of file formats, but just the first article of a miniseries about JWT. Hence, this article is structured to highlight the steps needed to create the keys of an asymmetric private/public key pair.


The File Format

".pem" stands for "privacy enhanced mail" and dates back to the 1990s. It was created to format various (binary) data, including keys or certificates. To be able to send the binary data via mail, pem is Base64 encoded. Each line of content (between the first and last line) is 64 characters long, except for the last one which may be shorter.

Create a private key as .pem

The first step in working with asymmetric key pairs is to generate a private key. The example below uses a key length of only 512 bits for brevity. For production use, this should be at least 2048 bits.

  1. openssl genrsa -out private_key_in_pkcs1.pem 512

This generates the following RSA private key of 512 bits (your own generated key differs from this, of course):

  1. -----BEGIN RSA PRIVATE KEY-----
  2. MIIBOgIBAAJBAJg6oXhHvwgb4wWy/qjyemoJLuuD1tRe6ctjpn2RWulg7+2SePVi
  3. yroaOk6SX8cOKr4fnykmLc8QUinu4PFIWUkCAwEAAQJAKt1nlkztl8Tyeipa1wvg
  4. OHd5hMvM9GP9hU38FaOWa9x2w1mNZNo1uR8C/67wYUGKtUSycAeoJhkLRMGv3wx/
  5. 4QIhAMgjTYcChsz8K9m1c9QyRE3gYUsax+meZIFKKk32dVL1AiEAwrgJZQ4/spAr
  6. hmBwFf8iiQK1JiDtl8KsvYLWdfLbQIUCIAu4dYvYjAhpJDBFvhjJMNLWtxvs35RA
  7. 4GXp7/xM2KYZAiAorLz5qSJRMKCG73o6fhM+v5wLnPFEtFvVMpGODe8S6QIhAKyo
  8. H3hSojM1XkohRBCun6u9n9abjxs3uMz0J5ZsqzBD
  9. -----END RSA PRIVATE KEY-----

As stated above, .pem can hold various contents, for example PKCS, which is a set of standards for public key cryptography.

A .pem with the first line "BEGIN RSA PRIVATE KEY" is formatted in the "SSLeay format" and holds PKCS1, as opposed to "BEGIN PRIVATE KEY" indicating PKCS8 (see this SO).

PKCS1 is a format specifically for the RSA algorithm, hence the specific "RSA" in the first line. PKCS8 is a format for various algorithms.

The PKCS1 format can be converted to the PKCS8 format like this:

  1. openssl pkcs8 -topk8 -in private_key_in_pkcs1.pem -outform pem -nocrypt -out private_key_in_pkcs8.pem

This generates the following content with the same private key, but in PKCS8 format:

  1. -----BEGIN PRIVATE KEY-----
  3. w/SqAcPIonu5j36Fzuwo46aIOAEvTjUgdrtUqHsB612WF6Q8rnXLL4J30SZvB2df
  4. G1HPOQIDAQABAkEAuaUzJjxfEG/Iyl9L+DWp4wbwCNpj8jA9JHMGngY4kxw1bDpQ
  5. PdnbV8ZT0+MtibBSj9kAjwYQq8y3NZW9lwitYQIhAN3HtlN+SDb4FonUFLREzCQb
  6. N1vQxjtgDrHDE+MRCGk1AiEA3aGteihQwTsH+nxeu54fVjNy21G/hqId6Izr5MVE
  7. EnUCIQCWGWthuM8hPOjsIXhdxU4whacC4hq35rwrPS9Bd66snQIgOHLZcGecSdrz
  8. KUVMC5U2fgoUku+7TFs2KujZnCbyM5ECICcg8NbWAeghgF9baVGzdO5uanmklXRH
  9. E4OM/+HlUjkQ
  10. -----END PRIVATE KEY-----


The File Format

.pub files simply contain public keys of an asymmetric key pair. 

Extract Public Key and Save it in .pub File

When using an asymmetrical encryption, the public key can be extracted from the formerly created .pem file like this:

  1. openssl rsa -in private_key_in_pkcs8.pem -pubout >

This is the extracted key:

  1. -----BEGIN PUBLIC KEY-----
  3. hc7sKOOmiDgBL041IHa7VKh7AetdlhekPK51yy+Cd9EmbwdnXxtRzzkCAwEAAQ==
  4. -----END PUBLIC KEY-----


The File Format

A file ending with .csr is a Certificate Signing Request. After creating a private key as shown above, a signing request file can be generated to enable a certificate authority (CA) to sign the private key. To do that, the csr includes organizational data like the country, state and locality as well as the public key to be signed. The CA validates the request. After approving the request, the CA creates a new public certificate, signed by the private key of the CA, that signs the public key of the requestor.

Creating a certificate signing request

A certificate signing request (CSR) can be created from a pem file:

  1. openssl req -new -key private_key_in_pkcs1.pem -out request.csr


The File Format

A file ending with .crt is a certificate. From Stack Exchange: "A certificate contains a public key. The certificate, in addition to containing the public key, contains additional information such as issuer, what the certificate is supposed to be used for, and other types of metadata. Typically, a certificate is itself signed by a certificate authority (CA) using CA's private key. This verifies the authenticity of the certificate."

Creating a Certificate

A certificate is created from the certificate signing request:

  1. openssl x509 -req -days 365 -in request.csr -signkey private_key_in_pkcs8.pem -out server.crt

Further Reading

Here is a nice overview over the mentioned file formats as well as some  additonal ones.