Your keys may already be in PEM format, but just named with .crt or .key.
If the file's content begins with -----BEGIN
and you can read it in a text editor:
The file uses base64, which is readable in ASCII, not binary format. The certificate is already in PEM format. Just change the extension to .pem.
If the file is in binary:
For the server.crt, you would use
openssl x509 -inform DER -outform PEM -in server.crt -out server.crt.pem
For server.key, use openssl rsa
in place of openssl x509
.
The server.key is likely your private key, and the .crt file is the returned, signed, x509 certificate.
If this is for a Web server and you cannot specify loading a separate private and public key:
You may need to concatenate the two files. For this use:
cat server.crt server.key > server.includesprivatekey.pem
I would recommend naming files with "includesprivatekey" to help you manage the permissions you keep with this file.
openssl genrsa -out mykey.pem 1024
will actually produce a public - private key pair. The pair is stored in the generated mykey.pem
file.
openssl rsa -in mykey.pem -pubout > mykey.pub
will extract the public key and print that out. Here is a link to a page that describes this better.
EDIT: Check the examples section here. To just output the public part of a private key:
openssl rsa -in key.pem -pubout -out pubkey.pem
To get a usable public key for SSH purposes, use ssh-keygen:
ssh-keygen -y -f key.pem > key.pub
Best Answer
Unfortunately - the certificate does not contain the private key (it does, however contain the public key). You'll need the private key source (a .p12 usually), to extract the private key.
Hope this helps.