X.509 Certificate Private Key
Detects X.509 certificate private key PEM headers. This is a broad pattern covering RSA, EC, PKCS#8, and OpenSSH private key formats. This pattern is based on a Microsoft Purview built-in sensitive information type. For more specific detection, see global-rsa-private, global-ec-private, global-pkcs8-private, and global-openssh-private.
- Type: regex
- Engine: universal
- Confidence: high
- Confidence justification: High confidence: PEM private key headers are highly distinctive markers with minimal false positive risk. The BEGIN PRIVATE KEY format is a well-defined standard. Added context gating and exclusion rules improve precision and reduce incidental matches.
- Detection quality: Verified
- Jurisdictions: global
- Regulations: Criminal Code Act 1995 (Cth)
- Frameworks: CIS Controls, ISO 27001, NIST CSF, PCI-DSS, SOC 2
- Data categories: credentials, security
- Scope: specific
- Risk rating: 10
- Platform compatibility: Purview: Compatible, GCP DLP: Compatible, Macie: Compatible, Zscaler: Compatible, Palo Alto: Compatible, Netskope: Compatible
Pattern
-----BEGIN\s+(RSA\s+|EC\s+|OPENSSH\s+|DSA\s+|ENCRYPTED\s+)?PRIVATE\s+KEY-----
Corroborative evidence keywords
private key, certificate, X.509, PEM, key file, SSL, TLS, encryption, api key, api_key, apikey, access key, access token, auth token, authorization, bearer, conn str, connection string, connectionstring, cookie (+44 more)
Proximity: 300 characters
Should match
- -----BEGIN RSA PRIVATE KEY-----: RSA private key header
- -----BEGIN PRIVATE KEY-----: PKCS#8 private key header
- -----BEGIN EC PRIVATE KEY-----: EC private key header
Should not match
- -----BEGIN PUBLIC KEY-----: Public key header, not private
- -----BEGIN CERTIFICATE-----: Certificate, not private key
- template example placeholder record identifier: Template/sample context should be excluded even when anchor words are present
Known false positives
- Documentation and tutorials showing private key format examples without actual key material. Mitigation: Check if the content following the header contains actual Base64-encoded key data.
- Encrypted private keys (BEGIN ENCRYPTED PRIVATE KEY) that require a passphrase. Mitigation: Still flag encrypted keys as they reveal the presence of key material and may be decryptable.
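A small detector that combines the pattern above with the corroborative-keyword gating, a template/sample exclusion and the body check named under known false positives, as an added example (not the catalogue's own code). The keyword subset, the exclusion words, the 32-character body threshold and the sample inputs are constructed assumptions.

```python
import re

# Pattern from the page: PEM private key header (RSA, EC, OpenSSH, DSA,
# encrypted PKCS#8, or plain PKCS#8 when the optional group is absent).
HEADER_RE = re.compile(
    r"-----BEGIN\s+(RSA\s+|EC\s+|OPENSSH\s+|DSA\s+|ENCRYPTED\s+)?PRIVATE\s+KEY-----"
)
PROXIMITY = 300  # character window from the page
# Assumed subset of the page's corroborative keywords (the full list is longer).
KEYWORDS = ("private key", "certificate", "x.509", "pem", "key file", "ssl", "tls")
# Assumed exclusion words for template/sample context.
EXCLUSIONS = ("template", "example", "placeholder", "sample")
MIN_BODY_CHARS = 32  # assumed: fewer base64 chars after the header = no key material
BODY_RE = re.compile(r"[A-Za-z0-9+/=\s]+")  # base64 body lines, stops at -----END


def find_private_keys(text):
    """Return [(offset, kind)] for headers that pass gating, exclusion and body checks."""
    findings = []
    for m in HEADER_RE.finditer(text):
        # Context is the text around the header, excluding the header itself, so the
        # words PRIVATE KEY in the match do not satisfy the gate on their own.
        ctx = (text[max(0, m.start() - PROXIMITY):m.start()]
               + text[m.end():m.end() + PROXIMITY]).lower()
        if not any(k in ctx for k in KEYWORDS):
            continue  # no corroborating evidence within proximity
        if any(x in ctx for x in EXCLUSIONS):
            continue  # template/sample context, per the should-not-match rule
        body = BODY_RE.match(text, m.end())
        b64 = re.sub(r"\s", "", body.group(0)) if body else ""
        if len(b64) < MIN_BODY_CHARS:
            continue  # header shown in docs without actual key data
        kind = (m.group(1) or "PKCS#8").strip()
        findings.append((m.start(), kind))
    return findings


# Constructed base64-alphabet filler; not key material.
FAKE_B64 = "QUJDREVG" * 8
SAMPLES = {
    "rsa_with_context": "# TLS key file for the web server\n-----BEGIN RSA PRIVATE KEY-----\n"
                        + FAKE_B64 + "\n-----END RSA PRIVATE KEY-----\n",
    "public_key": "-----BEGIN PUBLIC KEY-----\n" + FAKE_B64 + "\n-----END PUBLIC KEY-----\n",
    "doc_template": "see the PEM example template:\n-----BEGIN EC PRIVATE KEY-----\n"
                    + FAKE_B64 + "\n-----END EC PRIVATE KEY-----\n",
    "empty_header": "TLS key:\n-----BEGIN PRIVATE KEY-----\n-----END PRIVATE KEY-----\n",
    "certificate": "-----BEGIN CERTIFICATE-----\n" + FAKE_B64 + "\n-----END CERTIFICATE-----\n",
}


def classify(name):
    """Kinds of private key detected in the named constructed sample."""
    return [kind for _, kind in find_private_keys(SAMPLES[name])]
```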