I'm new to security and I'm trying to decode some SSL-encrypted communication between my machine and a server. I managed to obtain the private and public keys; as far as I understand, the private key is this one:


[private key content]


However, Wireshark requires the key to be in .pem format to decode the communication. Can I somehow convert my keys to this format? If not, then how does the application which uses those packages decode them?

  • Welcome to the community. Have you tried to google it? Here's one of the answers from googling `ppk to pem`. http://www.linuxhelp.in/2012/04/creating-pem-key-from-ppk-key.html – Saehun Sean Oh Sep 21 '15 at 21:23

2 Answers


The ".PEM format" does not really exist as a standard. This is more "whatever OpenSSL does".

PEM comes from an old failed standard for Privacy Enhanced Mail (that's what the acronym means). These days, "PEM" really means: some text that looks like:

-----BEGIN XXX-----
[some Base64 stuff here]
-----END XXX-----

I.e. a header line that starts with ----- and contains the designation of the type of data (e.g. "RSA PRIVATE KEY"); a similar trailer line; and between these two lines, a binary object encoded in Base64.

For RSA private keys, you will encounter mostly two types of PEM-encoded formats. When the header contains "BEGIN RSA PRIVATE KEY" then this is an RSA private key in the format described by PKCS#1. When the header says "BEGIN PRIVATE KEY" (without the "RSA") then it uses PKCS#8, a wrapper format that includes the designation of the key type ("RSA") and the private key itself.

In your case, if you see something that looks like PEM and begins with -----BEGIN RSA PRIVATE KEY----- then it is PEM; just put that in a text file, save it under some name (say "serverkey.pem") and configure Wireshark to use that file as server key. This is described in the Wireshark documentation.

Mind some details, though:

  • Wireshark will probably not be able to read the file if it is encoded in UTF-16 (what Windows somewhat improperly calls "Unicode"). In UTF-16, each character is encoded over two bytes (or four bytes for some characters like Pahawh Hmong). If you are using Windows' notepad, upon saving the file, choose the "ANSI" or "UTF-8" encoding.

  • Knowing the server's private key is not enough to decrypt the data if the client and server use a "DHE" or "ECDHE" cipher suite. If the client and server agree to use such a cipher suite and you still want to intercept the data, then you must make an active attack (a Man-in-the-Middle) in which you impersonate the server when talking to the client, and the client when talking to the server. This is a lot more work and Wireshark won't help you much there.

Tom Leek
  • Thank you for the insight how it all works. I looked around and found out that communication indeed uses DHE. However I've learned much, so it's no biggie! :) – blaz11 Sep 22 '15 at 16:29
  • Note Wireshark can't read encrypted PEM keys (PKCS1 `-----BEGIN RSA PRIVATE KEY` with `Proc-type` and `DEK-info` headers or PKCS8 `-----BEGIN ENCRYPTED PRIVATE KEY`); you can decrypt with `openssl rsa`, `openssl pkcs8 -topk8 -nocrypt`, or `openssl pkey` *without* `-$cipher`. If you have PKCS12 (not PEM, no header line, always encrypted) openssl *can* convert that, but Wireshark can use it directly given the password. If it still doesn't decrypt, turning on and looking at log can help; that's (now) in the GUI Edit/Preferences/Protocols/SSL and you needn't fiddle config files. – dave_thompson_085 Sep 22 '15 at 18:13
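
An added example, not part of the answer or comments above: a Python check of the file-level conditions they mention (UTF-16 encoding, the PKCS#1 versus PKCS#8 label, and encrypted keys). The function names and the `ready` field are assumptions made for this example, and the sample keys are constructed dummies, not real key material.

```python
import base64
import re

# One PEM block: BEGIN line, body, and the END line with the same label.
PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
FORMATS = {"RSA PRIVATE KEY": "PKCS#1", "PRIVATE KEY": "PKCS#8",
           "ENCRYPTED PRIVATE KEY": "PKCS#8"}

def decode_text(raw):
    """Return (text, encoding); a UTF-16 BOM marks the Notepad "Unicode" case."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16"), "utf-16"
    return raw.decode("utf-8", errors="replace").lstrip("\ufeff"), "utf-8"

def classify_key(raw):
    """Classify a key file by encoding, PEM label and encryption headers."""
    text, encoding = decode_text(raw)
    m = PEM_RE.search(text)
    if m is None:
        return {"encoding": encoding, "format": "not PEM", "ready": False}
    label, body = m.groups()
    # Encrypted PKCS#1 keys put "Proc-Type" / "DEK-Info" lines before the Base64.
    headers = dict(re.findall(r"^([A-Za-z-]+): (.*?)\r?$", body, re.M))
    encrypted = (label == "ENCRYPTED PRIVATE KEY"
                 or "ENCRYPTED" in headers.get("Proc-Type", ""))
    payload = "".join(l for l in body.splitlines() if l and ":" not in l)
    der = base64.b64decode(payload)  # the binary object between the two lines
    fmt = FORMATS.get(label, "other (" + label + ")")
    # "ready" covers only the two file-level caveats from the answer and the
    # comment; it cannot tell whether the session used DHE/ECDHE.
    ready = encoding != "utf-16" and not encrypted and label in FORMATS
    return {"encoding": encoding, "format": fmt, "encrypted": encrypted,
            "der_len": len(der), "ready": ready}

def sample(label, headers=""):
    """Constructed sample: the payload is a 5-byte dummy, not a real key."""
    b64 = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, headers, b64, label)

if __name__ == "__main__":
    legacy = "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-128-CBC,00\n\n"  # constructed
    for name, raw in [("pkcs1", sample("RSA PRIVATE KEY").encode()),
                      ("pkcs8", sample("PRIVATE KEY").encode()),
                      ("utf16", sample("RSA PRIVATE KEY").encode("utf-16")),
                      ("legacy-enc", sample("RSA PRIVATE KEY", legacy).encode()),
                      ("pkcs8-enc", sample("ENCRYPTED PRIVATE KEY").encode())]:
        print(name, classify_key(raw))
```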

Just create a file with a ".pem" extension and try using it.

According to this page, the private key is stored in a PEM file like you described:


[code in whatever format it may be]
