Xiaopei's DokuWiki

These are the good times in your life,
so put on a smile and it'll be alright

User Tools

Site Tools




What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?

  • .csr - This is a Certificate Signing Request. Some applications can generate these for submission to certificate-authorities. It includes some/all of the key details of the requested certificate such as subject, organization, state, whatnot. These get signed by the CA and a certificate is returned. The returned certificate is the public certificate, which itself can be in a couple of formats.
  • .pem - This is the public-key of a specific certificate. In apache installs, this frequently resides in /etc/ssl/servercerts. This is also the format used for Certificate Authority certificates (/etc/ssl/certs)
  • .key - This is the private-key of a specific certificate. In apache installs, this frequently resides in /etc/ssl/private. The rights on this directory and the certificates is very important, and some programs will refuse to load these certificates if they are set wrong.
  • .pkcs12 .pfx .p12 - A passworded container format that contains both public and private certificate pairs. Every time I get one I have to google to remember the openssl-fu required to break it into .key and .pem files.
  • .der - Fills the same function as a .pem file, but a different format. OpenSSL can convert these to .pem. I've only ever run into them in the wild with Novell's eDirectory certificate authority.
  • .cert .cer - A .pem file with a different extension. This extension is recognized by Windows Explorer as a certificate, which .pem is not.
  • .crl - A certificate revocation list. Certificate Authorities produce these as a way to de-authorize certificates before expiration.

php openssl




发信时, 使用收件人的公钥加密, 以确保只有收件人能解密出信件内容


发信时, 发件人使用自己的私钥加密, 收件人需用发件人的公钥解密, 以证实发件人的身份



#创建一个名为mykey.pem的private key文件
$ openssl genrsa -out mykey.pem 1024

#通过mykey.pem这个内容为private key的文件,计算出public key后,进行保存到mykey.pub这个文件中
$ openssl rsa -in mykey.pem -pubout > mykey.pub

# 使用 RSA 加解密
$ openssl genrsa -out key.pem
$ openssl rsa -in key.pem -out key.pub -pubout

# 通过私钥生成 ssh 公钥
$ ssh-keygen -y -f mykey.pem > mykey.pub

it/secure/openssl.txt · Last modified: 2019/03/16 14:28 by admin