Kumar

Reputation: 5147

How can I check if the certificate file I have is in .pem format?

I have a root cert file and I don't know whether or not it is in .pem format. How do I check if it is in .pem format?

Upvotes: 79

Views: 178958

Answers (7)

Tarik

Reputation: 11209

A quick way to determine the type of a file on Linux is to use the file command. Example against a file containing a PEM encoded private key:

file mypemfile

Output:

mypemfile: PEM RSA private key

Example against an OpenSSH file containing a private key:

file id_rsa

Output:

id_rsa: OpenSSH private key

Example against an OpenSSH file containing a public key:

file id_rsa.pub

Output:

id_rsa.pub: OpenSSH RSA public key

And finally an example not related to SSL to show how versatile the file command is:

file myimage.png

Output:

myimage.png: PNG image data, 671 x 169, 8-bit/color RGB, non-interlaced

It should be noted that the file command does not depend on the file extension. It checks out the file magic number or probably parses the content of the file to determine the nature of the content.

Upvotes: 6

Josh Correia

Reputation: 4354

Based on the way you formatted the question, I believe there is some confusion on what a .pem file is. The .pem part of a file is just the file extension, and I believe that what you actually want to know is how to tell if a file is PEM-encoded. A PEM-encoded file can show up in many file formats, such as .pem, .key, .cer, .cert, as well as others.

A simple way to check if a certificate is PEM-encoded is to use OpenSSL:

openssl x509 -noout -in input_file.pem
echo $?
> 0

As an example, the above command will fail for certificates that are in DER format instead of PEM and output an error:

139836630553024:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE

Upvotes: 4

anish

Reputation: 7422

Reference: CRL, CRT, CSR, NEW CSR, PRIVATE KEY, PUBLIC KEY Parser

CRL

-----BEGIN X509 CRL-----
-----END X509 CRL-----

CRT

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

CSR

-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----

NEW CSR

-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----

PEM

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

PKCS7

-----BEGIN PKCS7-----
-----END PKCS7-----

PRIVATE KEY

-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----

Upvotes: 51

metatechbe

Reputation: 657

For OpenSSL to recognize it as a PEM format, it must be encoded in Base64, with the following header:

-----BEGIN CERTIFICATE-----

and footer:

-----END CERTIFICATE-----

Also, each line must be at most 79 characters long. Otherwise you will receive the error:

2675996:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:818:

Note: the PEM standard (RFC1421) mandates lines 64 characters long. A PEM certificate stored as a single line can be converted with the UNIX command-line utility

fold -w 64

Upvotes: 8

jww

Reputation: 102406

How can I check if the certificate file I have is in .pem format

cat the file and look for the pre-encapsulated header and post-encapsulated header. The pre-encapsulated header is -----BEGIN CERTIFICATE----- or -----BEGIN X509 CERTIFICATE-----; and the post-encapsulated header is -----END CERTIFICATE----- or -----END X509 CERTIFICATE-----.

Encapsulated headers are discussed in RFC 1421. There is no standard list or comprehensive list of the objects in those headers (like CERTIFICATE or X509 CERTIFICATE). Most folks use OpenSSL's pem.h header for a list of object types.

Upvotes: 0

Anomie

Reputation: 94834

A .pem format certificate will most likely be ASCII-readable. It will have a line -----BEGIN CERTIFICATE-----, followed by base64-encoded data, followed by a line -----END CERTIFICATE-----. There may be other lines before or after.

Upvotes: 62

user2129888

Reputation: 985

DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them

Quote from the support page:

View
====

Even though PEM encoded certificates are ASCII they are not human
readable.  Here are some commands that will let you output the
contents of a certificate in human readable form;

View PEM encoded certificate
----------------------------

Use the command that has the extension of your certificate replacing
cert.xxx with the name of your certificate

openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.cer -text -noout
openssl x509 -in cert.crt -text -noout

If you get the following error it means that you are trying to view a DER encoded certificate and need to use the commands in the “View DER encoded certificate” below

unable to load certificate
12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE


View DER encoded Certificate
----------------------------

openssl x509 -in certificate.der -inform der -text -noout

If you get the following error it means that you are trying to view a PEM encoded certificate with a command meant for DER encoded certs. Use a command in the “View PEM encoded certificate” above

unable to load certificate
13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509

Upvotes: 87
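
The checks described in the answers above (BEGIN/END lines with a matching label, a base64 body, and the PEM versus DER distinction) combined into one parser. This is an added example, not code from any of the answers; the function names and the five-byte sample payload are constructed for illustration, and the sample is not a real certificate.

```python
import base64
import binascii
import re

# Encapsulation boundaries; the captured label must match in BEGIN and END.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

# Constructed sample: DER for SEQUENCE { INTEGER 5 }, NOT a real certificate.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")

def is_der_sequence(buf: bytes) -> bool:
    """True if buf is exactly one DER SEQUENCE (tag 0x30, length matches)."""
    if len(buf) < 2 or buf[0] != 0x30:
        return False
    first = buf[1]
    if first < 0x80:                      # short-form length
        return len(buf) == 2 + first
    n = first & 0x7F                      # long form: n length octets follow
    if n == 0 or len(buf) < 2 + n:
        return False
    return len(buf) == 2 + n + int.from_bytes(buf[2:2 + n], "big")

def pem_blocks(data: bytes):
    """Return [(label, decoded_bytes)] for each well-formed PEM block."""
    blocks = []
    for m in PEM_BLOCK.finditer(data):
        body = b"".join(m.group(2).split())   # drop line breaks
        try:
            decoded = base64.b64decode(body, validate=True)
        except binascii.Error:
            # Not pure base64. Blocks carrying RFC 1421 header fields
            # (e.g. legacy encrypted keys) also land here and are skipped.
            continue
        blocks.append((m.group(1).decode("ascii"), decoded))
    return blocks

def classify(data: bytes) -> str:
    """Classify a buffer as 'PEM <label>', 'DER' or 'unknown'."""
    blocks = pem_blocks(data)
    if blocks:
        label, decoded = blocks[0]
        ok = is_der_sequence(decoded)
        return f"PEM {label}" if ok else f"PEM {label} (payload is not DER)"
    return "DER" if is_der_sequence(data) else "unknown"

if __name__ == "__main__":
    for name, blob in [("pem", SAMPLE_PEM), ("der", SAMPLE_DER), ("junk", b"hello")]:
        print(name, "->", classify(blob))
```

A "DER" result only means the bytes form one ASN.1 SEQUENCE; confirming that it is an X.509 certificate still takes a full parse such as the openssl x509 commands shown above.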
