X.509 is an encoding format that uses the ASN.1 distinguished encoding rules (DER), which
produce binary output. When writing a certificate to a file, either the raw DER format or
a plaintext format called PEM can be used. PEM encoding consists of a line that
contains the text -----BEGIN CERTIFICATE-----, followed by a set of lines that contain the
base64-encoded representation of the raw DER bytes (typically with no more than 64
characters per line), followed by a line that contains the text -----END CERTIFICATE-----.
The X.509 encoding contains a certificate's public key, but not its private key. The PKCS #8
specification in RFC 5958 describes the encoding for private keys. This approach
also uses a DER encoding with a PEM variant that uses -----BEGIN PRIVATE KEY----- and
-----END PRIVATE KEY----- rather than -----BEGIN CERTIFICATE----- and
-----END CERTIFICATE-----. RFC 5958 also describes an encrypted
representation of the private key, but that format is currently unsupported.
The PKCS #10 specification in RFC 2986 describes the certificate signing request (CSR) format.
This format also uses a DER encoding with a PEM variant that uses a header of
-----BEGIN CERTIFICATE REQUEST----- and a footer of -----END CERTIFICATE REQUEST-----.
-----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----.
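The PEM armor described above can be checked before a file reaches a parser. The following is an added example, not code from the original page or the product it documents. It writes and reads the PEM labels named here, treats NEW CERTIFICATE REQUEST as an alternative CSR label, rejects any other label (including the encrypted private key form), and confirms that each body decodes to a single DER SEQUENCE. The function names and the sample bytes are constructed for illustration.

```python
import base64
import re

# PEM labels named on this page, mapped to the DER structure each one wraps.
LABELS = {
    "CERTIFICATE": "X.509 certificate",
    "PRIVATE KEY": "PKCS #8 private key (RFC 5958)",
    "CERTIFICATE REQUEST": "PKCS #10 CSR (RFC 2986)",
    "NEW CERTIFICATE REQUEST": "PKCS #10 CSR (RFC 2986)",
}
PEM_RE = re.compile(
    r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def pem_encode(label, der):
    """Wrap raw DER bytes in PEM armor, 64 base64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

def der_is_single_sequence(der):
    """True if der is one SEQUENCE whose encoded length covers every byte."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                  # short form: the length is this byte
        return len(der) == 2 + first
    n = first & 0x7F                  # long form: next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        return False
    return len(der) == 2 + n + int.from_bytes(der[2:2 + n], "big")

def pem_blocks(text):
    """Return (label, description, der) for each PEM block found in text."""
    found = []
    for label, b64 in PEM_RE.findall(text):
        if label not in LABELS:       # e.g. ENCRYPTED PRIVATE KEY
            raise ValueError(f"unsupported PEM label: {label}")
        der = base64.b64decode("".join(b64.split()), validate=True)
        if not der_is_single_sequence(der):
            raise ValueError(f"{label}: body is not a single DER SEQUENCE")
        found.append((label, LABELS[label], der))
    return found

# Constructed placeholder DER: a SEQUENCE of 100 INTEGER 0 values, not a real
# certificate, key or CSR. It only exercises the armor and length handling.
SAMPLE_DER = bytes([0x30, 0x82, 0x01, 0x2C]) + bytes([0x02, 0x01, 0x00]) * 100

if __name__ == "__main__":
    print(pem_encode("CERTIFICATE REQUEST", SAMPLE_DER))
```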