Quick Answer
A PEM file is a Base64-encoded text file used to store SSL certificates, private keys, certificate chains, and CSRs.
PEM stands for Privacy Enhanced Mail and is the most widely used certificate format for Apache, Nginx, Linux servers, cloud platforms, and SSL/TLS deployments.
A PEM file is identified by:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
or
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
PEM File at a Glance
| Feature | Details |
|---|---|
| Full Form | Privacy Enhanced Mail |
| Encoding | Base64 ASCII |
| Common Extension | .pem |
| Can Contain | Certificates, Private Keys, CSRs, Certificate Chains |
| Human Readable | Yes |
| Common Uses | SSL/TLS, HTTPS, Email Security |
| Supported Platforms | Windows, Linux, macOS |
| Standard | RFC 7468 |
What Exactly Is a PEM File?
A PEM file is a portable, text-based container for cryptographic keys and certificates encoded in Base64 ASCII format. The format was standardized by the Internet Engineering Task Force in RFC 7468, which defines the textual encoding rules for PKIX, PKCS, and CMS structures - the building blocks of modern SSL/TLS infrastructure.
PEM originally stood for Privacy Enhanced Mail, referring to the 1993 IETF standards (RFC 1421–1424) that defined encrypted email for the internet. Although those email standards were eventually replaced by PGP and S/MIME, the Base64 text encoding format they introduced became the de facto standard for cryptographic data storage and is now used across web servers, cloud platforms, and programming languages worldwide.
The key characteristics of a PEM file:
- Starts with -----BEGIN [LABEL]----- and ends with -----END [LABEL]-----
- Contents are Base64-encoded binary data (DER format underneath)
- Human-readable as raw text; requires decoding tools to interpret the cryptographic values
- Portable across Windows, Linux, and macOS without modification
- Can store multiple cryptographic objects in a single file by stacking BEGIN/END blocks
The label inside the file (CERTIFICATE, PRIVATE KEY, RSA PRIVATE KEY, CERTIFICATE REQUEST) is a more reliable indicator of the contents than the .pem file extension. A single .pem file can contain almost anything Base64-encoded - from a single certificate to an entire chain plus a private key.
What Can a PEM File Contain?
A PEM file is a container, not a fixed format. Depending on the use case, it can hold one or more of the following components.
- Public Key: A public key contains the mathematical values used to encrypt data or verify digital signatures. Public keys are distributed openly - they are embedded in certificates and shared with anyone who needs to send encrypted data. Stored alone in PEM format, the public key uses the PUBLIC KEY
- Private Key: A private key is the confidential counterpart to a public key. It decrypts data and creates digital signatures. Private keys stored in PEM files can be unencrypted (PRIVATE KEY label) or encrypted with a passphrase (ENCRYPTED PRIVATE KEY label). Always store private keys encrypted; an unprotected private key in plain text represents a serious security exposure.
- SSL/TLS Certificate: A digital certificate binds a public key to a verified identity - your domain name, organization, or server. Certificate authorities sign these certificates to validate authenticity. In PEM format, the CERTIFICATE label is used, and multiple certificates (such as an intermediate and root chain) can be stacked in the same file.
- Certificate Signing Request (CSR): A CSR contains the information submitted to a certificate authority when requesting a signed certificate: your domain name, organization, country, and the public key. The CA uses this to issue your certificate. In PEM format, it uses the CERTIFICATE REQUEST
- Encrypted Private Key: For production environments, private keys should always be encrypted with a passphrase before being stored. The encrypted form uses the ENCRYPTED PRIVATE KEY label and requires the passphrase to decrypt before the key can be used by a server or application.
Common PEM Headers Explained
| PEM Header | Description | Typical Use |
|---|---|---|
| BEGIN CERTIFICATE | SSL/TLS certificate | HTTPS websites |
| BEGIN PRIVATE KEY | PKCS#8 private key | Modern applications |
| BEGIN RSA PRIVATE KEY | RSA private key | Legacy systems |
| BEGIN CERTIFICATE REQUEST | CSR file | SSL certificate requests |
| BEGIN PUBLIC KEY | Public key | Encryption & verification |
| BEGIN ENCRYPTED PRIVATE KEY | Password-protected private key | Production environments |
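The header labels above are enough to audit a bundle before it is deployed. The following Python sketch is an added example, not code from the original article: it lists every block in a stacked PEM file and flags private keys stored without a passphrase. The function names and the toy DER bytes are constructed for illustration, and the check for legacy `Proc-Type: 4,ENCRYPTED` headers (the older OpenSSL key encryption that keeps the RSA PRIVATE KEY label) goes slightly beyond the table.

```python
import base64
import binascii
import re

# RFC 7468 block: BEGIN line, optional legacy headers, Base64 body, matching END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)\n-----END \1-----", re.DOTALL)
# Labels that hold private key material with no passphrase protection.
PLAINTEXT_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def to_pem(label, der):
    """Wrap DER bytes as PEM: Base64, 64 characters per line, BEGIN/END markers."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def inventory(pem_text):
    """Return one dict per block: label, decoded DER length, and a review note."""
    report = []
    for match in PEM_BLOCK.finditer(pem_text.replace("\r\n", "\n")):
        label, body = match.group(1), match.group(2)
        # Legacy OpenSSL encryption keeps the plain key label and adds
        # "Proc-Type: 4,ENCRYPTED" / "DEK-Info" header lines before the body.
        legacy_encrypted = "Proc-Type: 4,ENCRYPTED" in body
        b64 = "".join(line for line in body.split("\n") if ":" not in line)
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error:
            report.append({"label": label, "der_len": 0, "note": "invalid Base64"})
            continue
        if legacy_encrypted:
            note = "encrypted key (legacy headers)"
        elif not der.startswith(b"\x30"):
            # Every structure in the header table is an ASN.1 SEQUENCE (tag 0x30).
            note = "payload is not a DER SEQUENCE"
        elif label in PLAINTEXT_KEY_LABELS:
            note = "unencrypted private key"
        else:
            note = "ok"
        report.append({"label": label, "der_len": len(der), "note": note})
    return report


# Constructed sample: a 5-byte DER SEQUENCE stands in for real key and certificate data.
TOY_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x00])
BUNDLE = (
    to_pem("PRIVATE KEY", TOY_DER)
    + to_pem("CERTIFICATE", TOY_DER)
    + "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n"
)

if __name__ == "__main__":
    for entry in inventory(BUNDLE):
        print(entry)
```

Run it against a real bundle by passing the file's text to `inventory()`; a note of "unencrypted private key" means the key is stored in the clear.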
PEM vs CRT vs CER vs KEY vs PFX: What's the Difference?
| Format | Purpose | Encoding | Can Contain Private Key | Human Readable | Common Use |
|---|---|---|---|---|---|
| PEM | Certificates, keys, CSRs, chains | Base64 ASCII | Yes | Yes | Apache, Nginx, Linux servers |
| CRT | SSL/TLS certificate | DER or Base64 | No | Sometimes | Web servers, Windows |
| CER | X.509 certificate | DER or Base64 | No | Sometimes | Windows certificate store |
| KEY | Private or public key | DER or Base64 | Yes | Sometimes | SSL/TLS key storage |
| PFX / P12 | Certificate + Private Key | Binary PKCS#12 | Yes | No | Windows, IIS, Exchange |
The most practical distinction: .pem files use readable text encoding and can hold multiple components. Binary formats like .der and .p12 (and .crt files when they are DER-encoded) are not human-readable and are typically tied to specific platforms or application types. Apache and Nginx require PEM format; Windows Server and Java applications typically prefer .p12 or .der. When switching between environments, you will almost always be converting to or from PEM.
How to Create a PEM File Using OpenSSL
OpenSSL is the standard open-source toolkit for generating and working with PEM files. It is available on Linux, macOS, and Windows. The steps below produce a private key, a self-signed certificate, and a bundled PEM file - the most common workflow for development environments and internal server configurations.
Step 1: Generate the private key
openssl genrsa -out private.key 2048
This generates a 2048-bit RSA private key and saves it to private.key. Use 4096-bit for higher-security environments.
Step 2: Generate a self-signed certificate
openssl req -new -x509 -key private.key -out certificate.crt -days 365
OpenSSL will prompt you for your country, organization name, and domain (Common Name). The -days 365 flag sets the certificate validity period. For CA-signed certificates, skip this step and create a CSR instead (see the CSR command after Step 4).
Step 3: Convert the private key and certificate to PEM format
Convert private key to PEM:
openssl rsa -in private.key -out private.pem
Convert certificate to PEM:
openssl x509 -in certificate.crt -out certificate.pem
Both files now use PEM encoding with the appropriate BEGIN/END headers.
Step 4 (optional): Bundle into a single PEM file
cat private.pem certificate.pem > bundle.pem
Some applications - such as HAProxy and certain API clients - expect a single PEM file containing both the private key and certificate. Others, like Apache and Nginx, require them in separate files. Check your application's documentation before bundling.
To create a CSR instead of a self-signed certificate:
openssl req -new -key private.key -out request.csr
Submit the resulting .csr file to your certificate authority. They return a signed certificate in PEM format, which you then install on your server.
How to View and Inspect a PEM File
PEM files are plain text, so any text editor can open them - but the Base64 content is not meaningful to the human eye. To read the actual certificate or key details, you need to decode it.
Viewing raw contents
Open the file in any text editor (Notepad on Windows, nano or vim on Linux, TextEdit on macOS). You will see the BEGIN/END headers and Base64-encoded data. The header label tells you what type of data the file contains - that alone can confirm whether you have the right file before trying to decode it.
Decoding with OpenSSL
The OpenSSL CLI decodes PEM content into human-readable output showing all fields:
Read a certificate:
openssl x509 -in certificate.pem -noout -text
Read a private key:
openssl rsa -in private.pem -noout -text
Verify a CSR:
openssl req -in request.csr -noout -text
The -noout flag suppresses the Base64 output so only the decoded fields appear. You will see the certificate's subject, issuer, validity dates, public key details, and signature algorithm.
Matching a certificate to its private key
When troubleshooting SSL configuration errors, you often need to confirm that a certificate and private key belong together. For RSA keys, which the commands below assume, run both commands and compare the hashes of the modulus values:
openssl x509 -noout -modulus -in certificate.pem | openssl md5
openssl rsa -noout -modulus -in private.pem | openssl md5
Matching hashes confirm a valid pair. Mismatched hashes mean the files do not correspond and the server will throw an error on startup.
Parsing with PHP
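<?php
// Load the private key, then print only its size and type (not the key material).
$key = openssl_pkey_get_private(file_get_contents('private.pem'));
$details = openssl_pkey_get_details($key);
print_r(['bits' => $details['bits'], 'type' => $details['type']]);
// Parse the certificate into an array (subject, issuer, validity dates, extensions).
$cert = openssl_x509_parse(file_get_contents('certificate.pem'));
print_r($cert);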
How to Open PEM Files on Windows, Linux, and Mac
On Windows
Double-click a .pem file to open it in Notepad and view the raw Base64 contents. For certificates, double-clicking imports them into the Windows certificate store under "Other People." The CertUtil command-line tool displays certificate details in readable form:
certutil -dump certificate.pem
Install OpenSSL for Windows (via Chocolatey or the official Win32/Win64 OpenSSL installer) for full key management capabilities.
On Linux
Text editors like nano and vim open .pem files directly. The OpenSSL CLI handles all inspection, conversion, and verification tasks natively. On Red Hat-based distributions, the certutil tool (from the nss-tools package) provides an alternative for certificate parsing. If .pem files do not open automatically, associate the extension with your preferred text editor in system Preferences.
To quickly check which type of data a PEM file contains without decoding it, run:
head -1 yourfile.pem
The first line shows the BEGIN header label.
On Mac
Use TextEdit to open and view .pem file contents directly. Install OpenSSL via Homebrew for key operations:
brew install openssl
Import PEM certificates into Keychain Access for system-level trust. The macOS Security framework provides native API support for reading PEM-encoded certificates in applications.
PEM vs DER vs PFX: What's the Difference?
| Feature | PEM | DER | PFX / P12 |
|---|---|---|---|
| Encoding | Base64 ASCII | Binary | Binary PKCS#12 |
| Human Readable | Yes | No | No |
| Can Store Certificate | Yes | Yes | Yes |
| Can Store Private Key | Yes | Yes | Yes |
| Can Store Certificate Chain | Yes | No | Yes |
| Password Protected | Optional | No | Yes |
| Best For | Linux, Apache, Nginx | Java, Android | Windows, IIS |
How to Convert Between PEM and Other Certificate Formats
Converting between certificate formats is a routine task when moving between servers, operating systems, or certificate authorities. All conversions below use the OpenSSL CLI, which handles the encoding differences internally. According to IETF RFC 7468's textual encoding specification, PEM's Base64 wrapping is intentionally designed so that DER-encoded binary structures can be converted to and from PEM without data loss.
DER/binary certificate → PEM:
openssl x509 -inform der -in certificate.crt -out certificate.pem
PEM certificate → DER/binary:
openssl x509 -outform der -in certificate.pem -out certificate.crt
PKCS#12 (.p12/.pfx) → PEM (-nodes writes the private key unencrypted):
openssl pkcs12 -in certificate.p12 -out certificate.pem -nodes
PEM → PKCS#12:
openssl pkcs12 -export -out certificate.p12 -inkey private.key -in certificate.pem -certfile morecerts.pem
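Traditional (PKCS#1) RSA private key → PKCS#8 PEM:
openssl pkcs8 -topk8 -in private.key -out private8.pem
PKCS#8 → traditional (PKCS#1) RSA PEM:
openssl rsa -in private8.pem -out private.pem -traditional
The -topk8 output is passphrase-encrypted unless -nocrypt is given. The -traditional flag applies to OpenSSL 3.x, where openssl rsa writes PKCS#8 by default; OpenSSL 1.1.1 writes PKCS#1 without it.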
Platform reference: Apache and Nginx use PEM natively. Windows Server prefers .p12. Java applications use JKS (Java KeyStore), which requires an additional conversion step using the keytool command. Programming languages including Python, PHP, Ruby, and Node.js all include standard libraries for loading PEM-encoded keys and certificates without conversion.
Common PEM File Errors and Fixes
| Error Message | Cause | Solution |
|---|---|---|
| PEM routines:get_name:no start line | Missing BEGIN/END header | Verify PEM formatting and ensure the file contains valid -----BEGIN----- and -----END----- markers. |
| unable to load certificate | Corrupted or invalid certificate | Re-export the certificate from the source or request a new certificate from the Certificate Authority. |
| key values mismatch | Certificate does not match private key | Compare certificate and private key modulus values to verify they belong to the same key pair. |
| bad decrypt | Incorrect passphrase | Enter the correct private key password or use the original passphrase used during key encryption. |
| no certificate assigned | Missing certificate chain | Install the complete certificate chain, including intermediate and root certificates if required. |
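For the first two rows of the table, a pre-flight check can say exactly which marker or byte is wrong before the file reaches the server. This Python sketch is an added example, not part of the original article; the `diagnose` function and the sample byte strings are constructed, and the byte order mark, UTF-16 and raw DER checks are assumptions about common causes rather than cases listed on this page.

```python
import base64
import re

BEGIN = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$")
END = re.compile(r"^-----END ([A-Z0-9 ]+)-----$")


def diagnose(raw):
    """Return human-readable reasons why these file bytes will not load as PEM."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return ["UTF-16 encoded file: re-save it as plain ASCII text"]
    problems = []
    if raw.startswith(b"\xef\xbb\xbf"):
        problems.append("UTF-8 byte order mark before the first line")
        raw = raw[3:]
    text = raw.decode("ascii", errors="replace")
    if "-----BEGIN " not in text:
        kind = "binary DER data" if raw[:1] == b"\x30" else "no BEGIN marker"
        return problems + [f"{kind}: a PEM reader finds no start line"]
    open_label, body = None, []
    for number, line in enumerate(text.splitlines(), start=1):
        begin, end = BEGIN.match(line.rstrip()), END.match(line.rstrip())
        if begin:
            if open_label:
                problems.append(f"BEGIN {open_label} has no END line")
            open_label, body = begin.group(1), []
        elif end:
            if end.group(1) != open_label:
                problems.append(f"line {number}: END {end.group(1)} does not match "
                                f"the open block ({open_label})")
            else:
                try:
                    base64.b64decode("".join(body), validate=True)
                except ValueError:  # covers binascii.Error and non-ASCII input
                    problems.append(f"{open_label} block ending on line {number}: "
                                    "body is not valid Base64")
            open_label = None
        elif "-----" in line:
            problems.append(f"line {number}: malformed marker {line.strip()!r}")
        elif open_label and ":" not in line:
            body.append(line.strip())  # skip legacy "Name: value" header lines
    if open_label:
        problems.append(f"BEGIN {open_label} has no END line")
    return problems


# Constructed samples (the Base64 body is a 5-byte toy DER SEQUENCE, not a real certificate).
GOOD = b"-----BEGIN CERTIFICATE-----\nMAMCAQA=\n-----END CERTIFICATE-----\n"
WRONG_END = GOOD.replace(b"END CERTIFICATE", b"END PRIVATE KEY")
TRUNCATED = GOOD.split(b"-----END")[0]
INDENTED = b"  " + GOOD

if __name__ == "__main__":
    for name in ("GOOD", "WRONG_END", "TRUNCATED", "INDENTED"):
        print(name, diagnose(globals()[name]))
```

An empty list means the file's structure is sound; it does not mean the certificate or key inside is valid or trusted.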
PEM Certificate Lifecycle
| Stage | File Type |
|---|---|
| Generate Key Pair | .key |
| Create CSR | .csr |
| Receive Certificate | .crt / .cer |
| Convert for Server Use | .pem |
| Export for Windows | .pfx / .p12 |
Which Certificate File Do You Need?
| If You Need To... | Use This File Type |
|---|---|
| Generate a private key | .key |
| Request an SSL certificate | .csr |
| Install a certificate on Apache or Nginx | .pem |
| Import into Windows IIS | .pfx / .p12 |
| Store a certificate only | .crt / .cer |
| Use Java or Android binary format | .der |
Final Thoughts
PEM files are the standard format for storing and transferring cryptographic data in SSL/TLS environments. They work across every major operating system because Base64 encoding removes the platform-specific binary formatting differences that make other formats incompatible. OpenSSL provides all the commands needed to create, inspect, convert, and verify PEM files at every stage of certificate management - from generating a private key to bundling a full certificate chain for deployment.
Understanding which component each PEM file contains (check the BEGIN header), how to verify that a certificate and key pair match (compare modulus hashes), and when to convert to platform-specific formats like .p12 or .der covers the practical scenarios most administrators encounter. For ongoing certificate hygiene, the most common OpenSSL commands reference covers the full range of key and certificate operations beyond what is covered here.
Frequently Asked Questions
What does PEM stand for in a PEM file?
PEM stands for Privacy Enhanced Mail. The name comes from a series of IETF standards from 1993 (RFC 1421–1424) that defined a secure email format. Those email standards were eventually replaced by S/MIME and PGP, but the Base64 text encoding they introduced became the standard format for storing and transmitting cryptographic data in SSL/TLS and PKI systems.
What encoding does a PEM file use?
PEM files use Base64 ASCII encoding. Underneath the Base64 layer, the data is typically in DER (Distinguished Encoding Rules) binary format - a standard way of serializing ASN.1 data structures used throughout cryptography. Base64 encoding makes the binary data safe to transmit over text-based systems and readable in any text editor.
Where are PEM files commonly used?
PEM files are commonly used for SSL/TLS certificates, HTTPS web servers, email encryption, VPNs, cloud platforms, and application authentication. Apache, Nginx, HAProxy, OpenSSL, and many Linux-based services use PEM as their default certificate format.
Can I edit the contents of a PEM file?
No. PEM files contain mathematically precise cryptographic data - modifying even a single character corrupts the key or certificate. If you need different content, generate new keys or certificates using OpenSSL rather than editing the existing file. You can safely add or remove entire BEGIN/END blocks from a bundle (for example, removing an intermediate certificate from a chain) as long as you preserve each block's formatting exactly.
Is it safe to open a PEM file in Notepad or a text editor?
Opening a PEM file in a text editor is safe for certificates and public keys. Do not open files containing private keys in plain text editors on shared or unsecured systems, as the full private key will be exposed in plaintext. Use OpenSSL to inspect private key files - it provides the details you need without displaying the sensitive key material unnecessarily.
What is the difference between PEM, DER, and CER formats?
PEM uses Base64 ASCII encoding and can hold multiple cryptographic objects. DER is binary encoding - the underlying format that PEM wraps in Base64. CER is typically a binary or Base64 certificate format common on Windows that usually contains a single X.509 certificate. The .pem file extension is most common on Linux/macOS servers; .cer and .der appear more frequently in Windows environments.
Why do some servers require separate PEM files while others accept a bundle?
Different applications parse PEM files differently. Nginx and Apache accept separate certificate and key files and specify each via dedicated configuration directives. HAProxy and some API clients require a single bundled PEM file because they read one file path. Java-based servers typically bypass PEM entirely and use JKS format. Always check the documentation for your specific server or client before deciding whether to bundle or separate your PEM components.

Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.

