What is a PEM file and how do I use it?


PEM is a container file format often used to store cryptographic keys. It is used for many different things, as it simply defines the structure and encoding type of the file used to store a bit of data.

What is a PEM file?

PEM is only a container standard; PEM files contain text, and the format dictates that they start with…

-----BEGIN -----

…and end with:

-----END -----

Everything in between is base64 encoded (upper and lower case letters, numbers, + and /). This forms a block of data that can be used in other programs. A single PEM file can contain multiple blocks.

It can be used to represent all kinds of data, but it’s commonly used to encode key files, such as RSA keys used for SSH and certificates used for SSL encryption. The PEM file will tell you what it’s for in the header; for example, you might see a PEM file beginning with…

-----BEGIN RSA PRIVATE KEY-----

… followed by a long string of data, which is the actual RSA private key.

PEM files with SSL certificates

PEM files are used to store SSL certificates and their associated private keys. The full SSL chain consists of several certificates, which work in this order:

  • The end-user certificate, which is assigned to your domain name by a certificate authority (CA). This is the file you use in nginx and Apache to encrypt HTTPS.
  • Up to four optional intermediate certificates, issued to smaller CAs by higher CAs.
  • The root certificate, the highest certificate in the chain, which is self-signed by the primary CA.

In practice, each certificate is listed in a PEM file, using separate blocks:

-----BEGIN CERTIFICATE-----
  //end-user
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
  //intermediate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
  //root
-----END CERTIFICATE-----

You will receive these files from your SSL provider for use on your web server. For example, LetsEncrypt’s certbot generates the following certificates, placed in /etc/letsencrypt/live/your-domain-name/:

cert.pem chain.pem fullchain.pem privkey.pem

  • cert.pem is the end user certificate.
  • chain.pem is the remainder of the chain; in this case, it is just the LetsEncrypt root certificate.
  • fullchain.pem is cert.pem and chain.pem combined. This is the file passed to nginx with the ssl_certificate directive.
  • privkey.pem is an RSA private key generated with the certificate.
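As an added illustration (not code from the original article), here is a small Python parser for the multi-block layout described above. It splits a PEM file into its blocks in file order, checks that every END label matches its BEGIN label and that the body is valid base64, and checks that a fullchain.pem is cert.pem followed by chain.pem, as certbot lays them out. The sample PEM text is constructed: its payloads are short ASCII strings so the structure is readable, not real DER.

```python
import base64
import re
from dataclasses import dataclass

_BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
_END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")
_B64LINE = re.compile(r"^[A-Za-z0-9+/]*={0,2}$")


@dataclass
class PemBlock:
    label: str   # text between "BEGIN " and "-----", e.g. CERTIFICATE
    der: bytes   # the base64-decoded payload (DER for real keys and certificates)


def parse_pem(text: str) -> list:
    """Split a PEM file into its blocks, in file order, checking framing and base64."""
    blocks, label, body = [], None, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if label is None:                      # outside a block: look for BEGIN, ignore the rest
            m = _BEGIN.match(line)
            if m:
                label, body = m.group(1), []
            continue
        m = _END.match(line)
        if m:                                  # END must carry the same label as its BEGIN
            if m.group(1) != label:
                raise ValueError(f"line {lineno}: END {m.group(1)} closes BEGIN {label}")
            blocks.append(PemBlock(label, base64.b64decode("".join(body), validate=True)))
            label = None
            continue
        if not _B64LINE.match(line):
            raise ValueError(f"line {lineno}: not base64 inside BEGIN {label}")
        body.append(line)
    if label is not None:
        raise ValueError(f"unterminated BEGIN {label} block")
    return blocks


def is_fullchain(cert: str, chain: str, fullchain: str) -> bool:
    """True if fullchain.pem is exactly cert.pem followed by chain.pem, in that order."""
    return parse_pem(fullchain) == parse_pem(cert) + parse_pem(chain)


# Constructed sample files: payloads are base64 of "end-user", "intermediate", "root" and "key".
CERT_PEM = "-----BEGIN CERTIFICATE-----\nZW5kLXVzZXI=\n-----END CERTIFICATE-----\n"
CHAIN_PEM = ("-----BEGIN CERTIFICATE-----\naW50ZXJtZWRpYXRl\n-----END CERTIFICATE-----\n"
             "-----BEGIN CERTIFICATE-----\ncm9vdA==\n-----END CERTIFICATE-----\n")
KEY_PEM = "-----BEGIN RSA PRIVATE KEY-----\na2V5\n-----END RSA PRIVATE KEY-----\n"

if __name__ == "__main__":
    for b in parse_pem(CERT_PEM + CHAIN_PEM + KEY_PEM):
        print(b.label, b.der)
    print(is_fullchain(CERT_PEM, CHAIN_PEM, CERT_PEM + CHAIN_PEM))   # True
```

A swapped chain (chain.pem before cert.pem) parses fine but fails is_fullchain, which is the usual cause of a server presenting the wrong leaf certificate.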

They can also use the .crt extension; if you have self-signed a certificate with OpenSSL, you will get a CRT file rather than a PEM file, although the content is the same and the usage is the same.

To use your certificates, you will need to pass them as parameters for your web server. For nginx you will want to specify the ssl_certificate (the full chain PEM file), and ssl_certificate_key (the RSA private key PEM file), after enabling SSL:

ssl_certificate /etc/letsencrypt/live/yourdomain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain/privkey.pem;

For Apache, the setup is largely the same, but you’ll need to use the SSLCertificateFile and SSLCertificateKeyFile directives:

SSLCertificateFile /etc/letsencrypt/live/yourdomain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain/privkey.pem

PEM files with SSH

PEM files are also used for SSH. If you’ve ever run ssh-keygen to use ssh without a password, your ~/.ssh/id_rsa is a PEM file, just without the extension.

In particular, Amazon Web Services provides you with a PEM file containing a private key each time you create a new instance, and you must use this key to be able to SSH into new EC2 instances.


You will need to use the -i flag with ssh to specify that you want to use this new key instead of id_rsa:

ssh -i keyfile.pem user@hostname

This will connect you to the server normally, but you will need to specify this flag each time.

A simpler method is to add the private key to your ssh agent with ssh-add:

ssh-add keyfile.pem

However, this does not persist across reboots, so you will need to run this command on startup or add it to your macOS keychain.

Of course, you can always just add your primary public key to the ~/.ssh/authorized_keys after logging in once, but this method should work immediately for all future new instances.

It should be noted that you should always lock down your SSH server even if you are using keys yourself.
