What is a PEM file and how is it used?


PEM is a container file format often used for storing cryptographic keys. It is used for many different things, since it simply sets the structure and encoding type of the file that is used to save some data.

What is a PEM file?

PEM is just a standard: the files contain plain text, and the format dictates that PEM files begin with ...

-----BEGIN <type>-----

... And end with:

-----END <type>-----

Everything in between is base64 encoded (uppercase and lowercase letters, digits, +, and /). This forms a block of data that can be used in other programs. A single PEM file can contain multiple blocks.

This can be used to represent all kinds of data, but it is commonly used to encode key files, such as RSA keys used for SSH and certificates used for SSL encryption. The PEM file will tell you what it is used for in the header; as an example, you might see a PEM file that starts with ...

-----BEGIN RSA PRIVATE KEY-----

... followed by a long string of base64 data, which is the actual RSA private key.

PEM files with SSL certificates

PEM files are used to store SSL certificates and their associated private keys. The full SSL chain contains multiple certificates, which fit together in this order:

  • The end-user certificate, which a certificate authority (CA) issues for your domain name. This is the file that nginx and Apache use to encrypt HTTPS.
  • Up to four optional intermediate certificates, issued to smaller certificate authorities by higher authorities.
  • The root certificate, the highest certificate in the chain, which is self-signed by the top-level CA.

In practice, each certificate is listed in one PEM file, using separate blocks:

-----BEGIN CERTIFICATE-----
  //end-user
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
  //intermediate
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
  //root
-----END CERTIFICATE-----
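The format rules above (BEGIN/END markers with a matching type label, a base64 body in between, several blocks per file) and the multi-block chain layout just shown are simple enough to parse with the Python standard library. The following parser is an added example, not code from the original article or from any of the tools it mentions. It splits a file into blocks, checks that each END label matches its BEGIN label, rejects bodies that are not valid base64, and, for the types the article discusses (certificates and RSA keys), checks that the decoded bytes start with the DER SEQUENCE tag 0x30 that every certificate and PKCS#1/PKCS#8 key begins with. The sample input is a constructed three-block "fullchain" whose DER payload is a stand-in (a SEQUENCE holding the INTEGER 5), not a real certificate.

```python
import base64
import binascii

# Block types whose body is DER-encoded ASN.1 and therefore must start
# with a SEQUENCE tag (0x30). OPENSSH PRIVATE KEY, for example, is not DER,
# so it is deliberately absent from this set and only gets the base64 check.
DER_LABELS = {
    "CERTIFICATE", "CERTIFICATE REQUEST", "RSA PRIVATE KEY", "RSA PUBLIC KEY",
    "PRIVATE KEY", "PUBLIC KEY", "EC PRIVATE KEY",
}


def decode_body(label, body):
    """Decode one block's base64 body and sanity-check it for its type."""
    try:
        der = base64.b64decode(body, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"{label}: body is not valid base64 ({exc})") from None
    if label in DER_LABELS and der[:1] != b"\x30":
        raise ValueError(f"{label}: decoded data does not start with a DER SEQUENCE")
    return der


def parse_pem(text):
    """Return a list of (label, decoded_bytes) for every block in a PEM file.

    Text outside BEGIN/END markers is ignored, mismatched or unterminated
    markers raise ValueError, and legacy 'Name: value' header lines inside a
    block (e.g. Proc-Type / DEK-Info on old encrypted keys) are skipped.
    """
    blocks = []
    label = None
    body_lines = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("-----BEGIN ") and line.endswith("-----"):
            if label is not None:
                raise ValueError(f"line {lineno}: BEGIN inside open {label} block")
            label = line[len("-----BEGIN "):-5]
            body_lines = []
        elif line.startswith("-----END ") and line.endswith("-----"):
            end_label = line[len("-----END "):-5]
            if label is None or end_label != label:
                raise ValueError(f"line {lineno}: END {end_label!r} does not match BEGIN {label!r}")
            blocks.append((label, decode_body(label, "".join(body_lines))))
            label = None
        elif label is not None and line and ":" not in line:
            body_lines.append(line)
    if label is not None:
        raise ValueError(f"unterminated {label} block")
    return blocks


def make_block(label, data):
    """Build one PEM block, wrapping the base64 body at 64 columns."""
    b64 = base64.b64encode(data).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


# Constructed stand-in for a certificate's DER: SEQUENCE { INTEGER 5 }.
FAKE_DER = b"\x30\x03\x02\x01\x05"
# Constructed three-block file in the end-user / intermediate / root layout.
SAMPLE_FULLCHAIN = "".join(make_block("CERTIFICATE", FAKE_DER) for _ in range(3))


if __name__ == "__main__":
    for label, der in parse_pem(SAMPLE_FULLCHAIN):
        print(label, len(der), "bytes")
```

Running the module prints one line per block; feeding it a real fullchain.pem from certbot gives three CERTIFICATE entries (or two, depending on the chain) with their DER sizes, and feeding it a file whose END label was edited by hand raises ValueError instead of silently returning a partial chain.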

You will receive these files from your SSL provider to use on your web server. As an example, Let's Encrypt's certbot generates the following certificates, placed in /etc/letsencrypt/live/your-domain-name/:

cert.pem chain.pem fullchain.pem privkey.pem
  • cert.pem is the end user certificate.
  • chain.pem is the rest of the chain; in this case, it's just the root certificate of Let's Encrypt.
  • fullchain.pem is cert.pem and chain.pem combined. This is the file passed to nginx with the ssl_certificate directive.
  • privkey.pem is an RSA private key generated together with the certificate.

They can also use the .crt extension; if you have self-signed a certificate with OpenSSL, you will get a CRT file instead of a PEM file, but the contents and the usage are the same.

To use your certificates, you will need to pass them as parameters to your web server. For nginx, you will want to specify ssl_certificate (the full-chain PEM file) and ssl_certificate_key (the RSA private key PEM file) after turning on SSL:

ssl_certificate /etc/letsencrypt/live/yourdomain/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/yourdomain/privkey.pem;

For Apache, the configuration is essentially the same, but you will need to use the SSLCertificateFile and SSLCertificateKeyFile directives:

SSLCertificateFile /etc/letsencrypt/live/yourdomain/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/yourdomain/privkey.pem

PEM files with SSH

PEM files are also used for SSH. If you have ever run ssh-keygen to use ssh without a password, your ~/.ssh/id_rsa is a PEM file, just without the extension.

In particular, Amazon Web Services gives you a PEM file that contains a private key each time you create a new instance, and you must use this key to be able to SSH into new EC2 instances.


You must use the -i flag with ssh to specify that you want to use this new key instead of id_rsa:

ssh -i keyfile.pem root@host

This will allow you to log into the server as normal, but you will have to specify this flag every time.

An easier method is to add the private key to your ssh-agent with ssh-add:

ssh-add keyfile.pem

However, this does not persist across reboots, so you will need to run this command at startup or add the key to your macOS keychain.

Alternatively, you can simply add your primary public key to the instance's ~/.ssh/authorized_keys after you have logged in once, but the ssh-agent method will work immediately for any new instances in the future.

It is important to note that you should still lock down your SSH server even if you are using keys yourself.
