The PEM encoding consists of a line containing the text -----BEGIN CERTIFICATE-----, followed by a set of lines containing the base64-encoded representation of the raw DER bytes (typically with no more than 64 characters per line), followed by a line containing the text -----END CERTIFICATE-----.

The X.509 encoding contains a certificate’s public key, but not its private key. The encoding for private keys is described in the PKCS #8 specification in RFC 5958. This also uses a DER encoding, with a PEM variant that uses -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY-----, rather than -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. RFC 5958 also describes an encrypted representation of the private key although PingDirectory tools do not currently support that format.

The certificate signing request (CSR) format is described in the PKCS #10 specification in RFC 2986. It uses a DER encoding with a PEM variant. The PEM variant uses a header of -----BEGIN CERTIFICATE REQUEST----- and a footer of -----END CERTIFICATE REQUEST----- although some implementations use the alternate, nonstandard forms -----BEGIN NEW CERTIFICATE REQUEST----- and -----END NEW CERTIFICATE REQUEST-----.