Your keys may already be in PEM format, but just named with .crt or .key.
If the file's content begins with -----BEGIN
and you can read it in a text editor:
The file uses base64, which is readable in ASCII, not binary format. The certificate is already in PEM format. Just change the extension to .pem.
If the file is in binary:
For the server.crt, you would use
openssl x509 -inform DER -outform PEM -in server.crt -out server.crt.pem
For server.key, use openssl rsa
in place of openssl x509
.
The server.key is likely your private key, and the .crt file is the returned, signed, x509 certificate.
If this is for a Web server and you cannot specify loading a separate private and public key:
You may need to concatenate the two files. For this use:
cat server.crt server.key > server.includesprivatekey.pem
I would recommend naming files with "includesprivatekey" to help you manage the permissions you keep with this file.
openssl genrsa -out mykey.pem 1024
will actually produce a public - private key pair. The pair is stored in the generated mykey.pem
file.
openssl rsa -in mykey.pem -pubout > mykey.pub
will extract the public key and print that out. Here is a link to a page that describes this better.
EDIT: Check the examples section here. To just output the public part of a private key:
openssl rsa -in key.pem -pubout -out pubkey.pem
To get a usable public key for SSH purposes, use ssh-keygen:
ssh-keygen -y -f key.pem > key.pub
Best Answer
See https://polarssl.org/kb/cryptography/asn1-key-structures-in-der-and-pem (search the page for "BEGIN RSA PRIVATE KEY") (archive link for posterity, just in case).
BEGIN RSA PRIVATE KEY
is PKCS#1 and is just an RSA key. It is essentially just the key object from PKCS#8, but without the version or algorithm identifier in front.BEGIN PRIVATE KEY
is PKCS#8 and indicates that the key type is included in the key data itself. From the link:As opposed to
BEGIN RSA PRIVATE KEY
, which always specifies an RSA key and therefore doesn't include a key type OID.BEGIN RSA PRIVATE KEY
isPKCS#1
: