Securityflags: g

PEM Certificate Block

Match PEM-encoded certificate and key blocks, capturing the block type and base64 content.

Try it in RegexPro →

Available in

JSSupported

JavaScript / ECMAScript

Browser-native RegExp. Default if you don't pick.

PYSupported

Python (re)

CPython stdlib `re`. Unicode-aware `\w` and `\d` by default.

GOSee workaround

Go (RE2)

Linear-time matching. No backreferences or lookarounds.

Pattern

regexengine-agnostic

-----BEGIN ([A-Z ]+)-----([\s\S]+?)-----END \1-----   (flags: g)

Raw source: -----BEGIN ([A-Z ]+)-----([\s\S]+?)-----END \1-----

How it works

-----BEGIN ([A-Z ]+)----- captures the block type label (e.g. CERTIFICATE, RSA PRIVATE KEY). ([\s\S]+?) lazily captures the multiline base64 body. \1 back-references the type to ensure BEGIN and END labels match. The dotAll behaviour requires [\s\S] in JS (or /s flag in newer JS) and re.DOTALL in Python.

Examples

Input

-----BEGIN CERTIFICATE-----\nMIIBkTCB+...\n-----END CERTIFICATE-----

Matches

-----BEGIN CERTIFICATE-----\nMIIBkTCB+...\n-----END CERTIFICATE-----

Input

-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----

Matches

-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----

Common use cases

•TLS certificate extraction from config files
•Secret scanning for accidentally committed private keys
•Certificate chain parsing in mTLS tooling
•Automated cert rotation pipelines

←PreviousBearer Token (Authorization Header)

All patterns

NextSemantic Commit Message→