Complete Guide to Generating .pem Files from .key and .crt Files

Oct 21, 2025 · Programming

Keywords: SSL Certificate | PEM Format | OpenSSL | Private Key Management | File Conversion

Abstract: This article provides a comprehensive guide on generating .pem files from .key and .crt files, covering fundamental concepts of PEM format, file format identification methods, OpenSSL tool usage techniques, and specific operational steps for various scenarios. Through in-depth analysis of SSL certificate and private key format conversion principles, it offers complete solutions ranging from basic file inspection to advanced configurations, assisting developers in properly managing SSL/TLS certificate files for web server deployment, cloud service configuration, and other application scenarios.

Fundamental Concepts of PEM Format

PEM (Privacy Enhanced Mail) format is a Base64-encoded text format widely used for storing SSL/TLS certificates, private keys, and other cryptographic materials. Unlike binary formats such as DER, PEM files are stored as readable ASCII text, typically identified by specific beginning and ending markers that indicate the content type.

File Format Identification and Verification

Before starting a conversion, verify the format of the existing files. Open the .key or .crt file: if the content begins with "-----BEGIN" (such as "-----BEGIN CERTIFICATE-----" or "-----BEGIN PRIVATE KEY-----"), the file is already in PEM format. In this case, simply changing the file extension to .pem makes it ready for use.

If the file content is binary and cannot be read in a text editor, it must be converted with OpenSSL. The format can be determined with the file command or by examining the file content directly.

OpenSSL Format Conversion Operations

For certificate files (.crt) in binary format, use the following command to convert to PEM format:

openssl x509 -inform DER -outform PEM -in server.crt -out server.crt.pem

For private key files (.key), the corresponding conversion command is:

openssl rsa -inform DER -outform PEM -in server.key -out server.key.pem

In these commands, the -inform parameter specifies the input format, -outform specifies the output format, while -in and -out parameters define the input and output file paths respectively.

File Merging and Configuration Application

In certain application scenarios, such as web server configuration, it becomes necessary to combine certificates and private keys into a single file. This can be easily accomplished using the cat command:

cat server.crt server.key > server.includesprivatekey.pem

It's recommended to include "includesprivatekey" in the filename as an identifier, serving as a reminder that the file contains sensitive private key information requiring strict access control. The merged file should have appropriate file permissions set, typically 600 (read-write for owner only).
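
The format check and the merge described above, combined and hardened, as an added example that is not part of the original article (the function names pem_kind and merge_pem are hypothetical). It refuses non-PEM input, creates the combined file under a restrictive umask instead of fixing permissions afterwards, and handles a certificate file that lacks a final newline, which plain cat would fuse with the key's BEGIN line.

```shell
#!/bin/sh
# Added example: identify PEM vs. DER input, then merge certificate and key safely.

# pem_kind FILE -> label of the first PEM block (e.g. "CERTIFICATE",
# "PRIVATE KEY"), "DER" if the first byte is an ASN.1 SEQUENCE tag (0x30),
# otherwise "unknown".
pem_kind() {
    label=$(tr -d '\r' < "$1" | LC_ALL=C sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' | head -n 1)
    if [ -n "$label" ]; then
        printf '%s\n' "$label"
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        printf 'DER\n'
    else
        printf 'unknown\n'
    fi
}

# merge_pem CERT KEY OUT -> OUT holds CERT followed by KEY, created with mode 600.
merge_pem() {
    cert=$1; key=$2; out=$3
    if [ "$(pem_kind "$cert")" != "CERTIFICATE" ]; then
        echo "$cert: not a PEM certificate (convert it with openssl x509 first)" >&2
        return 1
    fi
    case "$(pem_kind "$key")" in
        *"PRIVATE KEY") ;;   # PRIVATE KEY, RSA/EC PRIVATE KEY, ENCRYPTED PRIVATE KEY
        *) echo "$key: not a PEM private key" >&2; return 1 ;;
    esac
    (
        umask 077            # the new file is never group- or world-readable
        tmp="$out.tmp.$$"
        # "awk 1" re-emits every line with a newline, so a certificate that lacks
        # a final newline cannot fuse its END line with the key's BEGIN line.
        { tr -d '\r' < "$cert" | awk 1; tr -d '\r' < "$key" | awk 1; } > "$tmp" &&
            mv "$tmp" "$out"
    )
}

# Constructed demo input (placeholder Base64, not real key material).
demo_dir=$(mktemp -d)
printf '%s\n%s\n%s' '-----BEGIN CERTIFICATE-----' 'QUJD' '-----END CERTIFICATE-----' > "$demo_dir/server.crt"
printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'REVG' '-----END PRIVATE KEY-----' > "$demo_dir/server.key"
merge_pem "$demo_dir/server.crt" "$demo_dir/server.key" "$demo_dir/server.includesprivatekey.pem" &&
    ls -l "$demo_dir/server.includesprivatekey.pem"
rm -rf "$demo_dir"
```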

Practical Application Scenarios Analysis

When configuring AWS Elastic Load Balancer, certificate and private key files need to be uploaded separately. Prepare files using the following commands:

openssl rsa -in server.key -text > private.pem
openssl x509 -inform PEM -in server.crt > public.pem

Then upload the certificate using AWS CLI:

aws iam upload-server-certificate --server-certificate-name certificate-name --certificate-body file://path/to/server.crt --private-key file://path/to/private.key

File Verification and Debugging

After generating .pem files, verify the file contents using OpenSSL:

openssl x509 -in server.pem -text -noout

This command displays detailed certificate information, including issuer, validity period, and subject, which helps confirm that the conversion completed correctly. For private key files, use the openssl rsa -in private.pem -check command to verify the private key's validity.

Security Best Practices

Secure management of private key files is crucial. After generating .pem files containing private keys, immediately set strict file permissions:

chmod 600 server.includesprivatekey.pem

Avoid storing private key files in insecure environments, regularly rotate certificates and keys, and ensure backup strategy integrity. In production environments, consider using Hardware Security Modules (HSM) or key management services to protect private keys.

Common Issues and Solutions

Some applications, such as Pi-hole, may require combining multiple certificate files. Refer to the application's actual configuration requirements to identify the purpose of each PEM file: privkey.pem is the private key, cert.pem is the domain certificate, and combined.pem may contain certificate chain information.

When configuring web servers, ensure ssl.pemfile points to the correct merged file path and ssl.ca-file points to the certificate chain file. After restarting the service, use the openssl s_client -connect domain:443 command to test whether the SSL connection is established properly.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.