Extract specific certificates from PEM bundles.
pem-select is a small Rust command-line tool for extracting specific
X.509 certificate PEM blocks from a file or from standard input.
It is useful when you have a bundle or a noisy text file that contains multiple certificates mixed with other content.
The tool operates purely on PEM block boundaries.
It does not validate the certificate contents — it simply
detects and extracts text between
-----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.
The parsing feature enables limited certificate parsing for
enhanced --list output.
Typical uses include:
- list the certificate positions found in the input
- print only selected certificates
- overwrite the original file with a filtered subset
List certificates in a bundle:
    pem-select certs.pem --list
Example output:
    0: { subject:"CN=example.com", issuer:"CN=Example Intermediate CA", .. }
    1: { subject:"CN=Example Intermediate CA", issuer:"CN=Example Root CA", .. }
    2: { subject:"CN=Example Root CA", issuer:"CN=Example Root CA", .. }
Extract only the leaf and intermediate certificates, then list the result read from standard input:
    pem-select certs.pem 0-1 | pem-select --list
Example output:
    0: { subject:"CN=example.com", issuer:"CN=Example Intermediate CA", .. }
    1: { subject:"CN=Example Intermediate CA", issuer:"CN=Example Root CA", .. }
- Reads from a file or stdin
- Extracts only complete CERTIFICATE PEM blocks
- Accepts single indexes, inclusive ranges, and all
- Preserves selector order on output
- Supports descending ranges for reordering
- Preserves repeated selections
- Supports atomic in-place updates
- Certificate parsing for enriched --list output (enabled by the parsing feature, on by default)
    cargo install --path .
    cargo build --release
The resulting binary will be available at:
    ./target/release/pem-select
    pem-select [OPTIONS] [FILE] [SELECTORS]...
FILE: Input file containing zero or more PEM certificate blocks. If omitted, the tool reads from standard input.
SELECTORS: One or more certificate selectors:
- N selects a single zero-based certificate index
- A-B selects an inclusive range of indexes
- all selects every discovered certificate
-l, --list: Print discovered certificate indexes (with optional summaries when built with the parsing feature)
-i, --in-place: Replace the input file with the selected certificates
-h, --help: Show help
-V, --version: Show version
    pem-select certs.pem --list
Example output:
    0: { subject:"CN=example.com", issuer:"CN=Example Intermediate CA", .. }
    1: { subject:"CN=Example Intermediate CA", issuer:"CN=Example Root CA", .. }
    2: { subject:"CN=Example Root CA", issuer:"CN=Example Root CA", .. }
    pem-select certs.pem 1
    pem-select certs.pem 0 2 4
    pem-select certs.pem 1-3
    cat certs.pem | pem-select all
    pem-select certs.pem --in-place 0-1
    pem-select certs.pem 2 0 1
Produces certificates in the order:
2
0
1
- Certificate indexes are zero-based.
- Only complete blocks delimited by -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- are returned.
- Incomplete trailing certificate data is ignored.
- The contents of PEM blocks are not validated. Malformed or non-certificate data inside a CERTIFICATE armored text block will still be returned unchanged.
- Output certificates are written in selector order.
- Ranges preserve direction, so 2-0 emits indexes 2, 1, 0.
- Repeated selectors are preserved, so the same certificate may appear multiple times in output.
- --in-place requires a file path and cannot be used with standard input.
The command returns an error when:
- --in-place is used without an input file
- no selectors are provided during extraction mode
- a selector is malformed
- an index or range is outside the number of discovered certificates
- the input file cannot be read or the output file cannot be written
Run tests with:
    cargo test
Licensed under the Apache License, Version 2.0. See LICENSE for details.