Representing certificates, private keys, and certificate signing requests
An X.509 certificate is an ASN.1 structure serialized with the Distinguished Encoding Rules (DER), which is a binary format. When a certificate is written to a file, it can be stored in this raw DER form, or in a plain-text form called PEM.
The PEM encoding consists of a line containing the text -----BEGIN CERTIFICATE-----, followed by a set of lines containing the base64-encoded representation of the raw DER bytes (typically with no more than 64 characters per line), followed by a line containing the text -----END CERTIFICATE-----.
The X.509 encoding contains a certificate's public key, but not its private key. Private keys are encoded in the PKCS #8 format, originally specified in RFC 5208 and updated by RFC 5958. This is also a DER encoding, with a PEM variant that uses -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- rather than -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. PKCS #8 also defines an encrypted representation of the private key (whose PEM variant uses -----BEGIN ENCRYPTED PRIVATE KEY----- and -----END ENCRYPTED PRIVATE KEY-----), although PingDirectory tools do not currently support that format.
The certificate signing request (CSR) format is described in the PKCS #10 specification in RFC 2986. It uses a DER encoding with a PEM variant. The PEM variant uses a header of -----BEGIN CERTIFICATE REQUEST----- and a footer of -----END CERTIFICATE REQUEST-----, although some implementations use the alternate, nonstandard forms -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----.
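The following is an added example, not code from this page or from PingDirectory, showing the PEM framing described above for all three object types in working form: it wraps DER bytes as PEM (BEGIN line, base64 at 64 characters per line, END line), parses PEM back to DER, accepts the nonstandard NEW CERTIFICATE REQUEST labels, and checks that the decoded payload is exactly one DER SEQUENCE, which catches a truncated or padded file before it is handed to a tool. The sample payloads are constructed minimal ASN.1 structures, not real certificates or keys, so that the block runs offline; only the Python standard library is used.

```python
import base64
import re

# PEM labels discussed on this page. "NEW CERTIFICATE REQUEST" is the
# nonstandard CSR label some tools emit; ENCRYPTED PRIVATE KEY is the
# PKCS #8 encrypted form (PingDirectory tools do not currently read it).
PEM_LABELS = {
    "CERTIFICATE": "X.509 certificate",
    "PRIVATE KEY": "PKCS #8 private key (unencrypted)",
    "ENCRYPTED PRIVATE KEY": "PKCS #8 private key (encrypted)",
    "CERTIFICATE REQUEST": "PKCS #10 certificate signing request",
    "NEW CERTIFICATE REQUEST": "PKCS #10 certificate signing request (nonstandard label)",
}

_PEM_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\s*(?P<body>.*?)\s*-----END (?P<end>[A-Z ]+)-----",
    re.DOTALL,
)


def der_tlv_length(der: bytes) -> int:
    """Total length (header + content) of the outermost DER element.

    Certificates, PKCS #8 keys and PKCS #10 requests are all ASN.1 SEQUENCEs,
    so the first byte must be 0x30. DER also requires the minimal length form.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("DER payload does not start with a SEQUENCE tag (0x30)")
    first = der[1]
    if first < 0x80:                       # short form: one length byte
        return 2 + first
    n = first & 0x7F                       # long form: n following length bytes
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length")
    length = int.from_bytes(der[2:2 + n], "big")
    if length < 0x80 or der[2] == 0:       # not minimal, so not valid DER
        raise ValueError("non-minimal DER length encoding")
    return 2 + n + length


def pem_encode(label: str, der: bytes) -> str:
    """Wrap DER bytes as PEM: BEGIN line, base64 in 64-character lines, END line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_decode(text: str) -> list:
    """Return every PEM block in text as (label, description, der).

    Rejects a mismatched END label, non-base64 body text, and a payload that
    is not exactly one DER SEQUENCE (truncated file or trailing garbage).
    """
    blocks = []
    for m in _PEM_RE.finditer(text):
        label = m.group("label")
        if m.group("end") != label:
            raise ValueError(f"BEGIN {label} closed by END {m.group('end')}")
        body = "".join(m.group("body").split())          # drop line breaks
        der = base64.b64decode(body, validate=True)      # strict alphabet check
        expected = der_tlv_length(der)
        if expected != len(der):
            raise ValueError(f"{label}: DER says {expected} bytes, decoded {len(der)}")
        blocks.append((label, PEM_LABELS.get(label, "unknown label"), der))
    return blocks


# Constructed sample payloads (not real certificates or keys): one SEQUENCE
# with a short-form length and one with a long-form length.
SAMPLE_SHORT_DER = bytes.fromhex("3003020105")                     # SEQUENCE { INTEGER 5 }
SAMPLE_LONG_DER = b"\x30\x81\xcb" + b"\x04\x81\xc8" + bytes(200)   # SEQUENCE { OCTET STRING[200] }

SAMPLE_PEM = (
    pem_encode("CERTIFICATE", SAMPLE_LONG_DER)
    + pem_encode("NEW CERTIFICATE REQUEST", SAMPLE_SHORT_DER)
)

if __name__ == "__main__":
    for label, kind, der in pem_decode(SAMPLE_PEM):
        print(f"{label}: {kind}, {len(der)} DER bytes")
```

The outer-SEQUENCE length check is the part worth keeping in any PEM-handling tool: a file that loses its last base64 line still decodes cleanly, and only the DER length header reveals that bytes are missing.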