PEM encoding consists of a line that contains the text -----BEGIN CERTIFICATE-----, followed by a set of lines that contains the base64-encoded representation of the raw DER bytes (typically with no more than 64 characters per line), followed by a line that contains the text -----END CERTIFICATE-----.

The X.509 encoding contains a certificate's public key, but not its private key. The PKCS #8 specification in RFC 5958 describes the encoding for private keys. This approach uses a DER encoding with a PEM variant that instead uses the following header and footer, respectively.

 -----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY----- 

RFC 5958 also describes an encrypted representation of the private key, but that format is currently unsupported.

The PKCS #10 specification in RFC 2986 describes the CSR format. This format uses a DER encoding with a PEM variant that uses the following header and footer, respectively.

-----BEGIN CERTIFICATE REQUEST----- 
-----END CERTIFICATE REQUEST-----

Some implementations use the following alternate, nonstandard forms.

-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----