About representing certificates, private keys, and certificate signing requests
X.509 is an encoding format that uses the ASN.1 distinguished encoding rules (DER), which exist in binary format. When writing a certificate to a file, either a raw DER format or a plaintext format called PEM can be used.
PEM encoding consists of a line that contains the text
-----BEGIN CERTIFICATE-----
, followed by a set of lines that contains
the base64-encoded representation of the raw DER bytes (typically with no more than
64 characters per line), followed by a line that contains the text
-----END CERTIFICATE-----
.
The X.509 encoding contains a certificate’s public key, but not its private key. The PKCS #8 specification in RFC 5958 describes the encoding for private keys. This approach uses a DER encoding with a PEM variant that instead uses the following header and footer, respectively.
-----BEGIN PRIVATE KEY----- -----END PRIVATE KEY-----
RFC 5958 also describes an encrypted representation of the private key, but that format is currently unsupported.
The PKCS #10 specification in RFC 2986 describes the CSR format. This format uses a DER encoding with a PEM variant that uses the following header and footer, respectively.
-----BEGIN CERTIFICATE REQUEST----- -----END CERTIFICATE REQUEST-----
Some implementations use the following alternate, nonstandard forms.
-----BEGIN NEW CERTIFICATE REQUEST----- -----END NEW CERTIFICATE REQUEST-----