Encrypt Online
What Is Inside a PEM File?

Understand PEM boundary lines, Base64 content, and the block types that tell you whether you are looking at a certificate, a key, or a CSR.

Encrypt Online Editorial Team · 3 min read · Certificates & Site Ops

Tip

Inspect the current certificate, key, token, or endpoint output before changing deployment config; stale artifacts make fixes misleading.

A PEM file is not automatically "a certificate file." It is a text envelope. The important clue is the label in the boundary lines, because that label tells you whether you are looking at a certificate, a CSR, a public key, or a private key that should never leave your control.

That is why the first troubleshooting move is simple: read line 1 before you trust the filename.

The first line tells you what you are holding

PEM blocks are ASCII text that look like this:

-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIUQ0examplebase64cutforbrevity...
-----END CERTIFICATE-----

The middle is Base64. It is not the certificate fields in plain English. It is a textual wrapper around binary DER data.

Common labels:

-----BEGIN CERTIFICATE-----
-----BEGIN CERTIFICATE REQUEST-----
-----BEGIN PRIVATE KEY-----
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----BEGIN PUBLIC KEY-----
-----BEGIN RSA PRIVATE KEY-----

That label matters more than .pem, .crt, .cer, or .key.

Safe to inspect versus stop immediately

Rough rule:

  • CERTIFICATE is usually safe to inspect and often safe to share for debugging.
  • CERTIFICATE REQUEST is usually okay to inspect, but it still reveals what will be requested.
  • PUBLIC KEY is usually safe to inspect.
  • PRIVATE KEY, RSA PRIVATE KEY, and ENCRYPTED PRIVATE KEY are sensitive material. Do not paste them into tickets, chat, or random tools unless you are certain of the workflow.

An encrypted private key is still a private key. The passphrase changes the storage risk, not the classification.

One PEM file can hold several blocks

A chain file often contains multiple certificates back to back:

-----BEGIN CERTIFICATE-----
leaf certificate...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediate certificate...
-----END CERTIFICATE-----

That is normal. It is also why "open the file and skim every boundary line" is such a useful habit. A mixed bundle may include more than you expected.

PEM versus DER in plain terms

PEM and DER are usually the same underlying object in different packaging:

  • DER is binary
  • PEM is the Base64-wrapped text form with BEGIN and END lines

So when one system asks for PEM and another asks for DER, the data object is often the same certificate or key, just represented differently.

A fast inspection routine

  1. Read the BEGIN ... label.
  2. Check whether the file contains one block or many.
  3. If it is a certificate, inspect issuer, subject, SANs, and validity dates.
  4. If it is a private key, stop and handle it like secret material.

In this workflow, X.509 Certificate Parser is the right next step for certificate PEMs, while PEM/DER Converter helps when the next system wants a different encoding.
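The inspection routine above, carried out in code. This is an added Python example, not code from the Encrypt Online site or its tools: it splits a PEM file into blocks, reads each label, flags the private-key labels as secret material, and checks that the Base64 body decodes to a complete outer DER SEQUENCE (a truncated paste fails that check). The sample bundle and its tiny placeholder bodies are constructed, not real certificates or keys.

```python
import base64
import re

# Labels whose body is secret material (the page's "stop immediately" rule).
SENSITIVE_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "ENCRYPTED PRIVATE KEY"}

# One PEM block; the END label must repeat the BEGIN label.
BLOCK_RE = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n(?P<body>.*?)-----END (?P=label)-----",
    re.DOTALL)

def der_envelope_ok(der: bytes) -> bool:
    """Outer DER header check: tag 0x30 (SEQUENCE) and a length that covers
    exactly the remaining bytes. A truncated Base64 paste fails here."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                       # short form: length in one byte
        length, header = first, 2
    else:                                  # long form: low 7 bits = byte count
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)

def parse_pem(text: str) -> list:
    """Split a PEM file into (label, DER bytes) pairs, one per block."""
    blocks = []
    for m in BLOCK_RE.finditer(text):
        # Old-style encrypted keys put "Proc-Type:"/"DEK-Info:" lines first; keep bare Base64 only.
        lines = [ln.strip() for ln in m.group("body").splitlines()]
        b64 = "".join(ln for ln in lines if ln and ":" not in ln)
        blocks.append((m.group("label"), base64.b64decode(b64, validate=True)))
    return blocks

def triage(text: str) -> list:
    """Per block: label, inspect-or-stop verdict, and whether the DER looks sane."""
    return [(label, "STOP: secret material" if label in SENSITIVE_LABELS else "inspect",
             der_envelope_ok(der)) for label, der in parse_pem(text)]

# Constructed sample bundle. "MAMCAQU=" is the 5-byte DER SEQUENCE{INTEGER 5},
# a placeholder standing in for real certificate and key bodies.
SAMPLE_BUNDLE = """-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MAMCAQU=
-----END RSA PRIVATE KEY-----
"""
```

Calling `triage(SAMPLE_BUNDLE)` returns one tuple per block, so a bundle that unexpectedly carries a private key shows up as a STOP line before anything is pasted into a ticket.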

Developer workflow

Use this guide as an operations checklist before changing certificates, tokens, DNS, or deployment settings.

  1. Inspect the current artifact or endpoint output before making changes.
  2. Change one variable at a time so a failed verification has a narrow cause.
  3. Keep the rollback value, expiry, and verification command in the same runbook entry.

1. current deployed artifact
2. single config or key change
3. verify endpoint/client behavior
4. record rollback and expiry details
