No OpenSSL experience: how do I convert a plaintext private key into a .pem/.cer file?
Alright, let's break this down step by step—no need to stress about OpenSSL here, I'll walk you through exactly what to do based on the format of your plaintext private key.
First: Check if Your "Plaintext" Key is Already PEM Format
Wait a second—sometimes people call a key "plaintext" when it's actually already in PEM format but just saved with a wrong file extension. PEM keys look like this:
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAz... (long base64 string)
-----END RSA PRIVATE KEY-----
If your key has those -----BEGIN/END...----- markers, you can just rename the file extension to .pem and you're done! No extra steps needed.
Case 1: Your Key is a Raw Base64 String (No PEM Headers)
If your key is just a continuous block of base64 characters (no BEGIN/END lines), here's how to wrap it into a valid PEM file:
- Save the raw base64 string into a temporary text file, e.g., raw_key.txt (make sure there are no extra spaces or newlines).
- Run the appropriate OpenSSL command based on your key type. The base64 is decoded to binary (DER) first, because OpenSSL only reads PEM input that already has the BEGIN/END lines:
  - For RSA keys:
    openssl base64 -d -A -in raw_key.txt | openssl rsa -inform DER -out private_key.pem
  - For Elliptic Curve (EC) keys:
    openssl base64 -d -A -in raw_key.txt | openssl ec -inform DER -out private_key.pem
This command will automatically add the correct PEM headers and footers to your key.
Case 2: Your Key is in Hexadecimal Format
If your key is a string of hex characters (0-9, a-f/A-F), we need to convert it to binary first, then to PEM:
- Save the hex string into hex_key.txt (no spaces or extra lines).
- Convert hex to binary using xxd (most systems have this pre-installed):
  xxd -r -p hex_key.txt > private_key.bin
- Convert the binary key to PEM:
  - For RSA keys:
    openssl rsa -in private_key.bin -out private_key.pem -inform DER
  - For EC keys:
    openssl ec -in private_key.bin -out private_key.pem -inform DER
What About .CER Files?
Quick note: A .cer file is typically a public key certificate, not a private key. If you need a certificate (e.g., self-signed for testing) that pairs with your private key, you can generate one using your new PEM private key:
openssl req -new -x509 -key private_key.pem -out certificate.cer -days 365
This will prompt you to enter some certificate details (country, organization, etc.)—fill those out, and you'll get a 1-year valid self-signed .cer file.
Verify Your Key Works
To make sure everything went right, validate your PEM private key with OpenSSL:
- For RSA:
  openssl rsa -in private_key.pem -check
- For EC:
  openssl ec -in private_key.pem -check
If you see "RSA key ok" or "EC key ok" in the output, your key is valid and ready to use!
The question comes from Stack Exchange; asked by M K Sharma.
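The three input cases above (already PEM, raw base64, hex) can be told apart mechanically before converting. The shell functions below are an added example, not part of the original answer: the names detect_key_format and key_to_pem are hypothetical, openssl pkey is used in place of openssl rsa / openssl ec so the key type need not be known, and hex or base64 input is assumed to be a DER-encoded key.

```shell
#!/bin/sh
# Added example, not from the original answer; function names are hypothetical.

# Print the encoding of the key material in file $1: pem | hex | base64 | unknown.
detect_key_format() {
    if grep -q -e '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"; then
        echo pem
        return 0
    fi
    # Ignore whitespace so wrapped or CRLF-terminated input still classifies.
    body=$(tr -d ' \t\r\n' < "$1")
    case "$body" in
        '')                echo unknown ;;
        *[!A-Za-z0-9+/=]*) echo unknown ;;
        *[!0-9A-Fa-f]*)    echo base64 ;;
        # Only hex digits remain. They are also legal base64, so hex wins here.
        *)                 echo hex ;;
    esac
}

# Convert key file $1 (any encoding above) to a PEM private key written to $2.
# Assumption: hex/base64 input is a DER-encoded key, not a raw EC scalar.
key_to_pem() (
    umask 077                        # key files readable by the owner only
    der=$(mktemp) || exit 1
    trap 'rm -f "$der"' EXIT
    case "$(detect_key_format "$1")" in
        pem)    cp "$1" "$2"; exit ;;
        hex)    tr -d ' \t\r\n' < "$1" | xxd -r -p > "$der" ;;
        base64) tr -d ' \t\r\n' < "$1" | openssl base64 -d -A > "$der" ;;
        *)      echo "unrecognised key encoding: $1" >&2; exit 1 ;;
    esac
    # DER begins with an ASN.1 SEQUENCE (0x30); openssl pkey works out whether
    # the key is RSA or EC and writes it with PEM headers.
    openssl pkey -inform DER -in "$der" -out "$2"
)

# Usage when run as a script: ./key_to_pem.sh <input-file> <output.pem>
if [ "$#" -eq 2 ]; then
    key_to_pem "$1" "$2"
fi
```

Input that is neither PEM, hex nor base64 is rejected with a non-zero status instead of being passed to OpenSSL.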




