What is a .Pem File: How to Create and Open it?

by Priya Mervana | Last updated Apr 3, 2026 | SSL Certificate

A PEM file is a Base64-encoded text file that stores cryptographic data - including SSL/TLS certificates, private keys, and certificate signing requests. PEM stands for Privacy Enhanced Mail, a name from its origins in securing email, though today it functions as the standard file format for SSL/TLS certificate management across virtually every web server and operating system. The file's contents are enclosed between -----BEGIN [TYPE]----- and -----END [TYPE]----- markers, which identify exactly what kind of cryptographic data is stored inside.

System administrators, developers, and security engineers work with PEM files when setting up HTTPS connections, configuring email encryption, implementing client authentication, and converting certificates between formats.

What Exactly Is a PEM File?

A PEM file is a portable, text-based container for cryptographic keys and certificates encoded in Base64 ASCII format. The format was standardized by the Internet Engineering Task Force in RFC 7468, which defines the textual encoding rules for PKIX, PKCS, and CMS structures - the building blocks of modern SSL/TLS infrastructure.

PEM originally stood for Privacy Enhanced Mail, referring to the 1993 IETF standards (RFC 1421–1424) that defined encrypted email for the internet. Although those email standards were eventually replaced by PGP and S/MIME, the Base64 text encoding format they introduced became the de facto standard for cryptographic data storage and is now used across web servers, cloud platforms, and programming languages worldwide.

The key characteristics of a PEM file:

  • Starts with -----BEGIN [LABEL]----- and ends with -----END [LABEL]-----
  • Contents are Base64-encoded binary data (DER format underneath)
  • Human-readable as raw text; requires decoding tools to interpret the cryptographic values
  • Portable across Windows, Linux, and macOS without modification
  • Can store multiple cryptographic objects in a single file by stacking BEGIN/END blocks

The label inside the file (CERTIFICATE, PRIVATE KEY, RSA PRIVATE KEY, CERTIFICATE REQUEST) is a more reliable indicator of the contents than the .pem file extension alone. A single .pem file can contain almost anything Base64-encoded - from a single certificate to an entire chain plus a private key.

What Can a PEM File Contain?

A PEM file is a container, not a fixed format. Depending on the use case, it can hold one or more of the following components.

  • Public Key: A public key contains the mathematical values used to encrypt data or verify digital signatures. Public keys are distributed openly - they are embedded in certificates and shared with anyone who needs to send encrypted data. Stored alone in PEM format, the public key uses the PUBLIC KEY label.
  • Private Key: A private key is the confidential counterpart to a public key. It decrypts data and creates digital signatures. Private keys stored in PEM files can be unencrypted (PRIVATE KEY label) or encrypted with a passphrase (ENCRYPTED PRIVATE KEY label). Always store private keys encrypted; an unprotected private key in plain text represents a serious security exposure.
  • SSL/TLS Certificate: A digital certificate binds a public key to a verified identity - your domain name, organization, or server. Certificate authorities sign these certificates to validate authenticity. In PEM format, the CERTIFICATE label is used, and multiple certificates (such as an intermediate and root chain) can be stacked in the same file.
  • Certificate Signing Request (CSR): A CSR contains the information submitted to a certificate authority when requesting a signed certificate: your domain name, organization, country, and the public key. The CA uses this to issue your certificate. In PEM format, it uses the CERTIFICATE REQUEST label.
  • Encrypted Private Key: For production environments, private keys should always be encrypted with a passphrase before being stored. The encrypted form uses the ENCRYPTED PRIVATE KEY label and requires the passphrase to decrypt before the key can be used by a server or application.

How Do PEM Files Differ from .key, .crt, .csr, and .p12 Formats?

Different tools and servers expect different file formats. The table below covers the most common formats you will encounter and how they compare to PEM.

| Format | Encoding | Can Contain | Common Use |
|---|---|---|---|
| .pem | Base64 ASCII | Keys, certificates, CSRs, chains | Apache, Nginx, Linux servers |
| .key | Binary DER | Public or private key only | Legacy key storage |
| .crt | Binary DER | Certificate only | Windows, some web servers |
| .csr | Base64 ASCII | Certificate signing request | Submitted to a CA for signing |
| .p12 / .pfx | Binary PKCS#12 | Private key + certificate (one pair) | Windows, Java applications |
| .der | Binary DER | Single certificate or key | Windows, Java, Android |

The most practical distinction: .pem files use readable text encoding and can hold multiple components. Binary formats like .der, .crt, and .p12 are not human-readable and are typically tied to specific platforms or application types. Apache and Nginx require PEM format; Windows Server and Java applications typically prefer .p12 or .der. When switching between environments, you will almost always be converting to or from PEM.

How to Create a PEM File Using OpenSSL

OpenSSL is the standard open-source toolkit for generating and working with PEM files. It is available on Linux, macOS, and Windows. The steps below produce a private key, a self-signed certificate, and a bundled PEM file - the most common workflow for development environments and internal server configurations.

Step 1: Generate the private key

openssl genrsa -out private.key 2048

This generates a 2048-bit RSA private key and saves it to private.key. Use 4096-bit for higher-security environments.

Step 2: Generate a self-signed certificate

openssl req -new -x509 -key private.key -out certificate.crt -days 365

OpenSSL will prompt you for your country, organization name, and domain (Common Name). The -days 365 flag sets the certificate validity period. For CA-signed certificates, skip this step and create a CSR instead (see the CSR command after Step 4).

Step 3: Convert the private key and certificate to PEM format

# Convert private key to PEM
openssl rsa -in private.key -out private.pem

# Convert certificate to PEM
openssl x509 -in certificate.crt -out certificate.pem

Both files now use PEM encoding with the appropriate BEGIN/END headers.

Step 4 (optional): Bundle into a single PEM file

cat private.pem certificate.pem > bundle.pem

Some applications - such as HAProxy and certain API clients - expect a single PEM file containing both the private key and certificate. Others, like Apache and Nginx, require them in separate files. Check your application's documentation before bundling.

To create a CSR instead of a self-signed certificate:

openssl req -new -key private.key -out request.csr

Submit the resulting .csr file to your certificate authority. They return a signed certificate in PEM format, which you then install on your server.

How to View and Inspect a PEM File

PEM files are plain text, so any text editor can open them - but the Base64 content is not meaningful to the human eye. To read the actual certificate or key details, you need to decode it.

Viewing raw contents

Open the file in any text editor (Notepad on Windows, nano or vim on Linux, TextEdit on macOS). You will see the BEGIN/END headers and Base64-encoded data. The header label tells you what type of data the file contains - that alone can confirm whether you have the right file before trying to decode it.

Decoding with OpenSSL

The OpenSSL CLI decodes PEM content into human-readable output showing all fields:

# Read a certificate
openssl x509 -in certificate.pem -noout -text

# Read a private key (-text prints the private key values to the terminal)
openssl rsa -in private.pem -noout -text

# Read a CSR (add -verify to also check its signature)
openssl req -in request.csr -noout -text

The -noout flag suppresses the Base64 output so only the decoded fields appear. You will see the certificate's subject, issuer, validity dates, public key details, and signature algorithm.

Matching a certificate to its private key

When troubleshooting SSL configuration errors, you often need to confirm that a certificate and private key belong together. Run both commands and compare the modulus values:

openssl x509 -noout -modulus -in certificate.pem | openssl md5
openssl rsa -noout -modulus -in private.pem | openssl md5

Matching hashes confirm a valid pair. Mismatched hashes mean the files do not correspond and the server will throw an error on startup.
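
The modulus comparison applies to RSA keys only. The added example below (not from the original article; the function names and file names are hypothetical) generalizes the check by comparing the public key extracted from the certificate with the one derived from the private key, which also covers EC and Ed25519 keys. It assumes OpenSSL 1.1.1 or later on the PATH and generates throwaway keys for the demonstration.

```bash
# Added example, not from the original article. All file names are constructed.

# pem_pair_matches CERT KEY
#   0 = the certificate was issued for this private key
#   1 = both files parse, but the public keys differ
#   2 = CERT is not a readable certificate or KEY is not a readable private key
pem_pair_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    # Never let two empty strings count as a match.
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Demo on throwaway keys: one RSA pair, one EC pair, then a deliberate mix-up.
pem_pair_demo() {
    d=$(mktemp -d) || return 1
    (
        umask 077    # key files are created readable by their owner only
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/rsa.key"
        openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$d/ec.key"
        for k in rsa ec; do
            openssl req -new -x509 -key "$d/$k.key" -subj "/CN=$k.example.test" \
                -days 1 -out "$d/$k.pem"
        done
    ) >/dev/null 2>&1 || { rm -rf "$d"; return 1; }
    for pair in rsa:rsa ec:ec rsa:ec; do
        if pem_pair_matches "$d/${pair%%:*}.pem" "$d/${pair##*:}.key"; then
            echo "${pair%%:*}.pem + ${pair##*:}.key: match"
        else
            echo "${pair%%:*}.pem + ${pair##*:}.key: no match (exit $?)"
        fi
    done
    rm -rf "$d"
}
pem_pair_demo || echo "demo skipped: openssl could not generate test keys"
```

If the private key is passphrase-protected, openssl pkey prompts for the passphrase before the comparison runs.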

Parsing with PHP

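<?php
// Load the private key (returns false on failure). print_r() shows only the
// key handle, not the key material.
$key = openssl_pkey_get_private(file_get_contents('private.pem'));
print_r($key);

// Parse the certificate into an array (subject, issuer, validity, extensions).
$cert = openssl_x509_parse(file_get_contents('certificate.pem'));
print_r($cert);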

How to Open PEM Files on Windows, Linux, and Mac

On Windows

Double-click a .pem file to open it in Notepad and view the raw Base64 contents. For certificates, double-clicking imports them into the Windows certificate store under "Other People." The CertUtil command-line tool displays certificate details in readable form:

certutil -dump certificate.pem

Install OpenSSL for Windows (via Chocolatey or the official Win32/Win64 OpenSSL installer) for full key management capabilities.

On Linux

Text editors like nano and vim open .pem files directly. The OpenSSL CLI handles all inspection, conversion, and verification tasks natively. On Red Hat-based distributions, the certutil tool (from the nss-tools package) provides an alternative for certificate parsing. If .pem files do not open automatically, associate the extension with your preferred text editor in system Preferences.

To quickly check which type of data a PEM file contains without decoding it, run:

head -1 yourfile.pem

The first line shows the BEGIN header label.
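
head -1 reports only the first block, so a bundle that stacks several objects needs every BEGIN line checked. The following is an added example, not part of the original article: a POSIX shell function (the names pem_inventory and pem_has_plaintext_key are hypothetical) that lists each block and flags private keys stored without a passphrase, including traditional keys that declare encryption in a Proc-Type header rather than in the label. The sample bundle is constructed and its bodies are placeholders.

```bash
# Added example (not from the article); function names are hypothetical.
# pem_inventory FILE
#   Prints "<line> <status> <label>" for every BEGIN block in FILE, where
#   status is OK, ENCRYPTED-KEY or PLAINTEXT-KEY. Only labels and header
#   lines are read; the Base64 body is never decoded.
pem_inventory() {
    awk '
        function report() {
            if (label == "") return
            status = "OK"
            if (label ~ /PRIVATE KEY$/) {
                status = "PLAINTEXT-KEY"
                if (label == "ENCRYPTED PRIVATE KEY" || legacy_enc)
                    status = "ENCRYPTED-KEY"
            }
            printf "%d %s %s\n", start, status, label
            label = ""
        }
        /^-----BEGIN .*-----[ \t\r]*$/ {
            report()
            label = $0
            sub(/^-----BEGIN /, "", label)
            sub(/-----[ \t\r]*$/, "", label)
            start = NR; legacy_enc = 0
            next
        }
        # Traditional encrypted keys keep a plain label (RSA PRIVATE KEY)
        # and declare the encryption in a Proc-Type header line instead.
        /^Proc-Type: 4,ENCRYPTED/ { if (label != "") legacy_enc = 1 }
        /^-----END / { report() }
        END { report() }
    ' "$1"
}

# pem_has_plaintext_key FILE: exit 0 if FILE holds an unprotected private key.
pem_has_plaintext_key() {
    pem_inventory "$1" | grep -q ' PLAINTEXT-KEY '
}

# Constructed sample bundle: real labels, placeholder bodies, no key material.
sample=$(mktemp)
printf '%s\n' \
    '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' \
    'cGxhY2Vob2xkZXI=' '-----END RSA PRIVATE KEY-----' \
    '-----BEGIN PRIVATE KEY-----' 'cGxhY2Vob2xkZXI=' '-----END PRIVATE KEY-----' \
    '-----BEGIN CERTIFICATE-----' 'cGxhY2Vob2xkZXI=' '-----END CERTIFICATE-----' \
    > "$sample"
pem_inventory "$sample"
rm -f "$sample"
```

OpenSSH-format keys (OPENSSH PRIVATE KEY) record their encryption inside the Base64 body, so this label-only check reports them as PLAINTEXT-KEY whether or not they have a passphrase.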

On Mac

Use TextEdit to open and view .pem file contents directly. Install OpenSSL via Homebrew for key operations:

brew install openssl

Import PEM certificates into Keychain Access for system-level trust. The macOS Security framework provides native API support for reading PEM-encoded certificates in applications.

How to Convert Between PEM and Other Certificate Formats

Converting between certificate formats is a routine task when moving between servers, operating systems, or certificate authorities. All conversions below use the OpenSSL CLI, which handles the encoding differences internally. According to IETF RFC 7468's textual encoding specification, PEM's Base64 wrapping is intentionally designed so that DER-encoded binary structures can be converted to and from PEM without data loss.

DER/binary certificate → PEM:

openssl x509 -inform der -in certificate.crt -out certificate.pem

PEM certificate → DER/binary:

openssl x509 -outform der -in certificate.pem -out certificate.crt

PKCS#12 (.p12/.pfx) → PEM:

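# -nodes writes the extracted private key unencrypted; omit it to be prompted
# for a passphrase that protects the key in the output file
openssl pkcs12 -in certificate.p12 -out certificate.pem -nodes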

PEM → PKCS#12:

openssl pkcs12 -export -out certificate.p12 -inkey private.key -in certificate.pem -certfile morecerts.pem

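PKCS#8 private key → PKCS#1 PEM:

# -traditional selects the PKCS#1 (RSA PRIVATE KEY) output form; the result is unencrypted
openssl pkey -in private8.key -traditional -out private.pem

PKCS#1 PEM → PKCS#8:

# Prompts for a passphrase and writes an ENCRYPTED PRIVATE KEY block
openssl pkcs8 -topk8 -in private.pem -out private8.key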

Platform reference: Apache and Nginx use PEM natively. Windows Server prefers .p12. Java applications use JKS (Java KeyStore), which requires an additional conversion step using the keytool command. Programming languages including Python, PHP, Ruby, and Node.js all include standard libraries for loading PEM-encoded keys and certificates without conversion.

Final Thoughts

PEM files are the standard format for storing and transferring cryptographic data in SSL/TLS environments. They work across every major operating system because Base64 encoding removes the platform-specific binary formatting differences that make other formats incompatible. OpenSSL provides all the commands needed to create, inspect, convert, and verify PEM files at every stage of certificate management - from generating a private key to bundling a full certificate chain for deployment.

Understanding which component each PEM file contains (check the BEGIN header), how to verify that a certificate and key pair match (compare modulus hashes), and when to convert to platform-specific formats like .p12 or .der covers the practical scenarios most administrators encounter. For ongoing certificate hygiene, the most common OpenSSL commands reference covers the full range of key and certificate operations beyond what is covered here.

Frequently Asked Questions

What does PEM stand for in a PEM file?

PEM stands for Privacy Enhanced Mail. The name comes from a series of IETF standards from 1993 (RFC 1421–1424) that defined a secure email format. Those email standards were eventually replaced by S/MIME and PGP, but the Base64 text encoding they introduced became the standard format for storing and transmitting cryptographic data in SSL/TLS and PKI systems.

What encoding does a PEM file use?

PEM files use Base64 ASCII encoding. Underneath the Base64 layer, the data is typically in DER (Distinguished Encoding Rules) binary format - a standard way of serializing ASN.1 data structures used throughout cryptography. Base64 encoding makes the binary data safe to transmit over text-based systems and readable in any text editor.

Can I edit the contents of a PEM file?

No. PEM files contain mathematically precise cryptographic data - modifying even a single character corrupts the key or certificate. If you need different content, generate new keys or certificates using OpenSSL rather than editing the existing file. You can safely add or remove entire BEGIN/END blocks from a bundle (for example, removing an intermediate certificate from a chain) as long as you preserve each block's formatting exactly.

Is it safe to open a PEM file in Notepad or a text editor?

Opening a PEM file in a text editor is safe for certificates and public keys. Do not open files containing private keys in plain text editors on shared or unsecured systems, as the full private key will be exposed in plaintext. Use OpenSSL to inspect private key files - it provides the details you need without displaying the sensitive key material unnecessarily.

What is the difference between PEM, DER, and CER formats?

PEM uses Base64 ASCII encoding and can hold multiple cryptographic objects. DER is binary encoding - the underlying format that PEM wraps in Base64. CER is typically a binary or Base64 certificate format common on Windows that usually contains a single X.509 certificate. The .pem file extension is most common on Linux/macOS servers; .cer and .der appear more frequently in Windows environments.

Why do some servers require separate PEM files while others accept a bundle?

Different applications parse PEM files differently. Nginx and Apache accept separate certificate and key files and specify each via dedicated configuration directives. HAProxy and some API clients require a single bundled PEM file because they read one file path. Java-based servers typically bypass PEM entirely and use JKS format. Always check the documentation for your specific server or client before deciding whether to bundle or separate your PEM components.

Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.
