X.509 is an encoding format that uses the ASN.1 distinguished encoding rules (DER), which is a binary format. When writing a certificate to a file, it can use this raw DER format, or it can use a plain-text format called PEM.
The PEM encoding consists of a line containing the text -----BEGIN CERTIFICATE-----, followed by a set of lines containing the base64-encoded representation of the raw DER bytes (typically with no more than 64 characters per line), followed by a line containing the text -----END CERTIFICATE-----.
The X.509 encoding contains a certificate’s public key, but not its private key. The encoding for private keys is described in the PKCS #8 specification in RFC 5958. This also uses a DER encoding, with a PEM variant that uses -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----, rather than -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. RFC 5958 also describes an encrypted representation of the private key, although PingDirectory tools do not currently support that format.
The certificate signing request (CSR) format is described in the PKCS #10 specification in RFC 2986. It uses a DER encoding with a PEM variant. The PEM variant uses a header of -----BEGIN CERTIFICATE REQUEST----- and a footer of -----END CERTIFICATE REQUEST-----, although some implementations use the alternate, nonstandard forms -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----.
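The following added example (not PingDirectory code) parses PEM text, identifies each block by the labels described above, and recovers the DER bytes, rejecting mismatched header/footer pairs and payloads that are not a DER SEQUENCE. The names parse_pem, to_pem and SAMPLE_DER are assumptions, SAMPLE_DER is a constructed placeholder rather than a real certificate or key, and the ENCRYPTED PRIVATE KEY label comes from RFC 5958 rather than from this page.

```python
import base64
import re

# PEM labels mapped to the structure each one carries.
LABELS = {
    "CERTIFICATE": "X.509 certificate",
    "PRIVATE KEY": "PKCS #8 private key",
    # Label defined in RFC 5958 (not shown on the page); flagged so callers
    # can reject it where the encrypted form is unsupported.
    "ENCRYPTED PRIVATE KEY": "PKCS #8 encrypted private key",
    "CERTIFICATE REQUEST": "PKCS #10 CSR",
    "NEW CERTIFICATE REQUEST": "PKCS #10 CSR (nonstandard label)",
}

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)

# Constructed sample: SEQUENCE { OCTET STRING of 100 zero bytes }.
SAMPLE_DER = b"\x30\x66\x04\x64" + bytes(100)


def parse_pem(text):
    """Return (label, kind, der_bytes) for every PEM block found in text."""
    results = []
    for begin, body, end in PEM_BLOCK.findall(text):
        if begin != end:
            raise ValueError(f"BEGIN {begin!r} does not match END {end!r}")
        # Strip line breaks, then decode strictly (bad characters raise).
        der = base64.b64decode("".join(body.split()), validate=True)
        # Certificates, PKCS #8 keys and CSRs are all DER SEQUENCEs (tag 0x30).
        if not der.startswith(b"\x30"):
            raise ValueError(f"{begin}: payload is not a DER SEQUENCE")
        results.append((begin, LABELS.get(begin, "unrecognized label"), der))
    return results


def to_pem(label, der):
    """Wrap DER bytes in PEM armor with 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(
        [f"-----BEGIN {label}-----", *lines, f"-----END {label}-----", ""]
    )


if __name__ == "__main__":
    for label, kind, der in parse_pem(to_pem("CERTIFICATE", SAMPLE_DER)):
        print(label, "->", kind, f"({len(der)} DER bytes)")
```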