What Is a PEM File?

How to open, edit, and convert PEM files

What to Know

  • A PEM file is a Privacy Enhanced Mail Certificate file.
  • Open one with the program or operating system that requires the file (they all work a bit differently).
  • Convert to PPK, PFX, or CRT with a command or special converter.

This article explains what PEM files are used for, how to open one depending on the program or OS you're using, and how to convert one to a different certificate file format.

What Is a PEM File?

A PEM file is a Privacy Enhanced Mail Certificate file used to privately transmit email. The person receiving this email can be confident that the message wasn't altered during its transmission, wasn't shown to anyone else, and was sent by the person who claims to have sent it.

PEM files arose out of the complication of sending binary data through email. The PEM format encodes binary with base64 so that it exists as an ASCII string.

The PEM format has been replaced by newer and more secure technologies, but the PEM container is still used today to hold certificate authority files, public and private keys, root certificates, etc.

Some files in the PEM format might instead use a different file extension, like CER or CRT for certificates, or KEY for public or private keys.

How to Open PEM Files

The steps for opening a PEM file are different depending on the application that needs it and the operating system you're using. However, you might need to convert your PEM file to CER or CRT in order for some of these programs to accept the file.


To import a CER or CRT file into Windows, start by opening Microsoft Management Console from the Run dialog box (use the Windows Key + R keyboard shortcut to enter mmc). From there, go to File > Add/Remove Snap-in... and select Certificates from the left column, and then the Add > button in the center of the window.

Screenshot of the Certificates MMC Snap-in in Windows 10

Choose Computer account on the following screen, and then move through the wizard, selecting Local computer when asked. Once "Certificates" is loaded under "Console Root," expand the folder and right-click Trusted Root Certification Authorities, and choose All Tasks > Import.


The same concept is true for your Mac email client as it is for a Windows one: use Safari to have the PEM file imported into Keychain Access.

You can also import SSL certificates through the File > Import Items menu in Keychain Access. Choose System from the drop-down menu and then follow the on-screen prompts.

Screenshot of the Keychain Access menu items option
Importing Items in Keychain Access (macOS High Sierra).

If these methods don't work for importing the PEM file into macOS, you might try the following command (change "yourfile.pem" to be the name and location of your specific PEM file):

security import yourfile.pem -k ~/Library/Keychains/login.keychain


Use this keytool command to view the contents of a PEM file on Linux:

keytool -printcert -file yourfile.pem

Follow these steps if you want to import a CRT file into Linux's trusted certificate authority repository (see the PEM to CRT conversion method in the next section below if you have a PEM file instead):

  1. Navigate to /usr/share/ca-certificates/.

  2. Create a folder there (for example, sudo mkdir /usr/share/ca-certificates/work).

  3. Copy the .CRT file into that newly created folder. If you'd rather not do it manually, you can use this command instead: sudo cp yourfile.crt /usr/share/ca-certificates/work/yourfile.crt.

  4. Make sure the permissions are set correctly (755 for the folder and 644 for the file).

  5. Run the sudo update-ca-certificates command.

Firefox and Thunderbird

If the PEM file needs importing into a Mozilla email client like Thunderbird, you might have to first export the PEM file out of Firefox. Open the Firefox menu and choose Options. Go to Privacy & Security and find the Security section, and then use the View Certificates... button to open a list, from where you can select the one you need to export. Use the Backup... option to save it.

Then, in Thunderbird, open the menu and click or tap Options. Navigate to Advanced > Certificates > Manage Certificates > Your Certificates > Import. From the "File name:" section of the Import window, choose Certificate Files from the drop-down, and then find and open the PEM file.

To import the PEM file into Firefox, just follow the same steps you would to export one, but choose Import instead of the Backup... button. If you can't find the PEM file, make sure the "Filename" area of the dialog box is set to Certificate Files and not PKCS12 Files.

Java KeyStore

Stack Overflow has a thread about importing a PEM file into the Java KeyStore (JKS) if you need to do that. Another option that might work is to use this keyutil tool.

How to Convert a PEM File

Unlike most file formats that can be converted with a file conversion tool or website, you need to enter special commands against a particular program in order to convert the PEM file format to most other formats.

Convert PEM to PPK with PuTTYGen. Choose Load from the right side of the program, set the file type to be any file (*.*), and then browse for and open your PEM file. Choose Save private key to make the PPK file.

With OpenSSL (get the Windows version here), you can convert the PEM file to PFX with the following command:

openssl pkcs12 -inkey yourfile.pem -in yourfile.cert -export -out yourfile.pfx

If you have a PEM file that needs to be converted to CRT, like is the case with Ubuntu, use this command with OpenSSL:

openssl x509 -in yourfile.pem -inform PEM -out yourfile.crt

OpenSSL also supports converting .PEM to .P12 (PKCS#12, or Public Key Cryptography Standard #12), but append the ".TXT" file extension at the end of the file before running this command:

openssl pkcs12 -export -inkey yourfile.pem.txt -in yourfile.pem.txt -out yourfile.p12

See the Stack Overflow link above about using the PEM file with Java KeyStore if you want to convert the file to JKS, or this tutorial from Oracle to import the file into the Java truststore.

More Information on PEM

The data integrity feature of the Privacy Enhanced Mail Certificate format uses RSA-MD2 and RSA-MD5 message digests to compare a message before and after it's sent, to ensure that it hasn't been tampered with along the way.

At the beginning of a PEM file is a header that reads -----BEGIN [label]-----, and the end of the data is a similar footer like this: -----END [label]-----. The "[label]" section describes the message, so it might read PRIVATE KEY, CERTIFICATE REQUEST, or CERTIFICATE.

Here's an example:


One PEM file can contain multiple certificates, in which case the "END" and "BEGIN" sections neighbor each other.

Still Can't Open the File?

One reason your file doesn't open in any of the ways described above is that you're not actually dealing with a PEM file. You might instead have a file that just uses a similarly spelled file extension. When that's the case, there isn't a necessity for the two files to be related or for them to work with the same software programs.

For example, PEF looks an awful lot like PEM but instead belongs to either the Pentax Raw Image file format or Portable Embosser Format. Follow that link to see how to open or convert PEF files, if that's what you really have.

The same could be said for many other file extensions like EPM, EMP, EPP, PES, PET...you get the idea. Just double-check the file extension to see that it actually reads ".pem" before considering that the methods above don't work.

If you're dealing with a KEY file, be aware that not all files that end in .KEY belongs in the format described on this page. They might instead be Software License Key files used when registering software programs like LightWave, or Keynote Presentation files created by Apple Keynote.

  • How do I create a PEM file?

    The first step toward creating a PEM file is to download the certificates your certificate authority sent you. This will include an intermediate certificate, a root certificate, a primary certificate, and private key files. 

    Next, open a text editor, such as WordPad or Notepad, and paste the body of each certificate into a new text file. They should be in this order: Private Key, Primary Certificate, Intermediate Certificate, Root Certificate. Add starting and ending tags. They’ll look like this:

    -----BEGIN CERTIFICATE ----- and -----END CERTIFICATE -----


    Finally, save the file as your_domain.pem.

  • Is a PEM file the same thing as a CRT file?

    No. PEM and CRT files are related; both file types represent different aspects of the key generation and verification process. PEM files are containers meant to verify and decrypt data that a server sends. A CRT (which stands for certificate) file represents a certificate signing request. CRT files are a way to verify ownership without private key access. CRT files contain the public key along with much more information.

Was this page helpful?