Securityflags: g

PEM Certificate Block

Match PEM-encoded certificate and key blocks, capturing the block type and base64 content.

Try it in RegexPro →

Available in

JavaScript / ECMAScript

Browser-native RegExp. Default if you don't pick.

Python (re)

CPython stdlib `re`. Unicode-aware `\w` and `\d` by default.

GOSee workaround

Go (RE2)

Linear-time matching. No backreferences or lookarounds.

Pattern

regexengine-agnostic

-----BEGIN ([A-Z ]+)-----([\s\S]+?)-----END \1-----   (flags: g)

Raw source: -----BEGIN ([A-Z ]+)-----([\s\S]+?)-----END \1-----

How it works

-----BEGIN ([A-Z ]+)----- captures the block type label (e.g. CERTIFICATE, RSA PRIVATE KEY). ([\s\S]+?) lazily captures the multiline base64 body. \1 back-references the type to ensure BEGIN and END labels match. The dotAll behaviour requires [\s\S] in JS (or /s flag in newer JS) and re.DOTALL in Python.

Examples

Input

-----BEGIN CERTIFICATE-----\nMIIBkTCB+...\n-----END CERTIFICATE-----

Matches

-----BEGIN CERTIFICATE-----\nMIIBkTCB+...\n-----END CERTIFICATE-----

Input

-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----

Matches

-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----

Common use cases

•TLS certificate extraction from config files
•Secret scanning for accidentally committed private keys
•Certificate chain parsing in mTLS tooling
•Automated cert rotation pipelines

Related patterns

PEM Private Key Block

Match PEM-encoded private key blocks across the common variants (RSA, EC, DSA, OpenSSH, encrypted, PGP).

AWS Access Key ID

Match AWS access key IDs (both long-term AKIA and temporary ASIA prefixes).

Bearer Token (Authorization Header)

Match Bearer token values from HTTP Authorization headers, capturing the raw token string.

JWT Token

Match JSON Web Tokens (JWTs) — three base64url-encoded segments separated by dots.

←PreviousBearer Token (Authorization Header)

NextSemantic Commit Message→