How can I check if the certificate file I have is in .pem format?
DER vs. CRT vs. CER vs. PEM Certificates and How To Convert Them
Quote from the support page:
View
====
Even though PEM encoded certificates are ASCII they are not human
readable. Here are some commands that will let you output the
contents of a certificate in human readable form;
View PEM encoded certificate
----------------------------
Use the command that has the extension of your certificate replacing
cert.xxx with the name of your certificate
openssl x509 -in cert.pem -text -noout
openssl x509 -in cert.cer -text -noout
openssl x509 -in cert.crt -text -noout
If you get the following error it means that you are trying to view a DER encoded certificate and need to use the commands in the “View DER encoded certificate below”
unable to load certificate
12626:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:647:Expecting: TRUSTED CERTIFICATE
View DER encoded Certificate
----------------------------
openssl x509 -in certificate.der -inform der -text -noout
If you get the following error it means that you are trying to view a PEM encoded certificate with a command meant for DER encoded certs. Use a command in the “View PEM encoded certificate above”
unable to load certificate
13978:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1306:
13978:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:380:Type=X509
A .pem format certificate will most likely be ASCII-readable. It will have a line -----BEGIN CERTIFICATE-----, followed by base64-encoded data, followed by a line -----END CERTIFICATE-----. There may be other lines before or after.
Reference CRL,CRT,CSR,NEW CSR,PRIVATE KEY, PUBLIC KEY Parser
CRL
-----BEGIN X509 CRL-----
-----END X509 CRL-----
CRT
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
CSR
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
NEW CSR
-----BEGIN NEW CERTIFICATE REQUEST-----
-----END NEW CERTIFICATE REQUEST-----
PEM
-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----
PKCS7
-----BEGIN PKCS7-----
-----END PKCS7-----
PRIVATE KEY
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
For OpenSSL to recognize it as a PEM format, it must be encoded in Base64, with the following header :
-----BEGIN CERTIFICATE-----
and footer :
-----END CERTIFICATE-----
Also, each line must be at most 79 characters long. Otherwise you will receive the error:
2675996:error:0906D064:PEM routines:PEM_read_bio:bad base64 decode:pem_lib.c:818:
Note: the PEM standard (RFC1421) mandates lines 64 characters long. A PEM certificate stored as a single line can be converted with the UNIX command-line utility
fold -w 64
Based on the way you formatted the question, I believe there is some confusion on what a .pem file is. The .pem part of a file is just the file extension, and I believe that what you actually want to know is how to tell if a file is PEM-encoded. A PEM-encoded file can show up in many file formats, such as .pem, .key, .cer, .cert, as well as others.
A simple way to check if a certificate is PEM-encoded is to use OpenSSL:
openssl x509 -noout -in input_file.pem
echo $?
> 0
As an example, the above command will fail for certificates that are in DER format instead of PEM and output an error:
139836630553024:error:0909006C:PEM routines:get_name:no start line:../crypto/pem/pem_lib.c:745:Expecting: TRUSTED CERTIFICATE
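The checks described in the answers above (BEGIN/END lines around base64 data, a label that says what the block holds, and content rather than extension deciding the encoding) can be combined into a pre-check that needs only awk, grep and od. This is an added example, not part of any answer on this page; the function names `pem_labels` and `cert_encoding` are hypothetical, and it tests structure only, so `openssl x509` is still what confirms the file parses as a certificate.

```shell
#!/bin/sh
# Print the label of every well-formed PEM block in FILE, one per line:
# a BEGIN line, one or more base64 lines, and an END line with the same label.
pem_labels() {
    awk '
        { sub(/\r$/, "") }                      # tolerate CRLF line endings
        /^-----BEGIN [A-Z0-9 ]+-----$/ {
            label = substr($0, 12, length($0) - 16)
            inblock = 1; ok = 1; n = 0
            next
        }
        inblock && /^-----END [A-Z0-9 ]+-----$/ {
            if (ok && n > 0 && substr($0, 10, length($0) - 14) == label) { print label }
            inblock = 0
            next
        }
        inblock { n++; if ($0 !~ "^[A-Za-z0-9+/]+=*$") ok = 0 }
    ' "$1"
}

# Print "pem", "der" or "unknown" for a certificate file, judged by content.
cert_encoding() {
    if pem_labels "$1" | grep -Eqx '(TRUSTED )?CERTIFICATE'; then
        echo pem
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo der    # 0x30 = ASN.1 SEQUENCE; a hint only, confirm with -inform der
    else
        echo unknown
    fi
}

# Constructed samples: the base64 body is a placeholder, not a real certificate.
demo_dir=$(mktemp -d)
printf '%s\n' 'subject=example' '-----BEGIN CERTIFICATE-----' \
    'Q09OU1RSVUNURUQ=' '-----END CERTIFICATE-----' > "$demo_dir/a.crt"
printf '\060\202\001\012' > "$demo_dir/b.pem"      # binary, despite the .pem name
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'not base64!' \
    '-----END CERTIFICATE-----' > "$demo_dir/c.pem"
for f in a.crt b.pem c.pem; do
    printf '%s: %s\n' "$f" "$(cert_encoding "$demo_dir/$f")"
done
rm -rf "$demo_dir"
```
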