Software & Apps File Types What Is a PEM File? How to open, edit, and convert PEM files by Tim Fisher General Manager, VP, Lifewire.com Tim Fisher has 30+ years' professional technology support experience. He writes troubleshooting content and is the General Manager of Lifewire. our editorial process Facebook Twitter LinkedIn Tim Fisher Updated on June 29, 2020 reviewed by Ryan Perian Lifewire Tech Review Board Member Ryan Perian is a certified IT specialist who holds numerous IT certifications and has 12+ years' experience working in the IT industry support and management positions. our review board Article reviewed on May 10, 2020 Ryan Perian File Types Design Cryptocurrency MS Office Windows Linux Google Drive Apps File Types Backup & Utilities View More Tweet Share Email What to Know A PEM file is a Privacy Enhanced Mail Certificate file.Open one with the program or operating system that requires the file (they all work a bit differently).Convert to PPK, PFX, or CRT with a command or special converter. This article explains what PEM files are used for, how to open one depending on the program or OS you're using, and how to convert one to a different certificate file format. What Is a PEM File? A PEM file is a Privacy Enhanced Mail Certificate file used to privately transmit email. The person receiving this email can be confident that the message wasn't altered during its transmission, wasn't shown to anyone else, and was sent by the person who claims to have sent it. PEM files arose out of the complication of sending binary data through email. The PEM format encodes binary with base64 so that it exists as an ASCII string. The PEM format has been replaced by newer and more secure technologies but the PEM container is still used today to hold certificate authority files, public and private keys, root certificates, etc. Some files in the PEM format might instead use a different file extension, like CER or CRT for certificates, or KEY for public or private keys. How to Open PEM Files The steps for opening a PEM file are different depending on the application that needs it and the operating system you're using. However, you might need to convert your PEM file to CER or CRT in order for some of these programs to accept the file. Windows If you need the CER or CRT file in a Microsoft email client like Outlook, open it in Internet Explorer to have it automatically loaded into the proper database. The email client can automatically use it from there. To see which certificate files are loaded onto your computer, and to import ones manually, use Internet Explorer's Tools menu to access Internet Options > Content > Certificates, like this: Personal Certificates (Windows 8). To import a CER or CRT file into Windows, start by opening Microsoft Management Console from the Run dialog box (use the Windows Key + R keyboard shortcut to enter mmc). From there, go to File > Add/Remove Snap-in... and select Certificates from the left column, and then the Add > button in the center of the window. Adding the Certificates Snap-in (Windows 10). Choose Computer account on the following screen, and then move through the wizard, selecting Local computer when asked. Once "Certificates" is loaded under "Console Root," expand the folder and right-click Trusted Root Certification Authorities, and choose All Tasks > Import. macOS The same concept is true for your Mac email client as it is for a Windows one: use Safari to have the PEM file imported into Keychain Access. You can also import SSL certificates through the File > Import Items menu in Keychain Access. Choose System from the drop-down menu and then follow the on-screen prompts. Importing Items in Keychain Access (macOS High Sierra). If these methods don't work for importing the PEM file into macOS, you might try the following command (change "yourfile.pem" to be the name and location of your specific PEM file): security import yourfile.pem -k ~/Library/Keychains/login.keychain Linux Use this keytool command to view the contents of a PEM file on Linux: keytool -printcert -file yourfile.pem Follow these steps if you want to import a CRT file into Linux's trusted certificate authority repository (see the PEM to CRT conversion method in the next section below if you have a PEM file instead): Navigate to /usr/share/ca-certificates/. Create a folder there (for example, sudo mkdir /usr/share/ca-certificates/work). Copy the .CRT file into that newly created folder. If you'd rather not do it manually, you can use this command instead: sudo cp yourfile.crt /usr/share/ca-certificates/work/yourfile.crt. Make sure the permissions are set correctly (755 for the folder and 644 for the file). Run the sudo update-ca-certificates command. Firefox and Thunderbird If the PEM file needs importing into a Mozilla email client like Thunderbird, you might have to first export the PEM file out of Firefox. Open the Firefox menu and choose Options. Go to Privacy & Security and find the Security section, and then use the View Certificates... button to open a list, from where you can select the one you need to export. Use the Backup... option to save it. Then, in Thunderbird, open the menu and click or tap Options. Navigate to Advanced > Certificates > Manage Certificates > Your Certificates > Import. From the "File name:" section of the Import window, choose Certificate Files from the drop-down, and then find and open the PEM file. To import the PEM file into Firefox, just follow the same steps you would to export one, but choose Import instead of the Backup... button. If you can't find the PEM file, make sure the "Filename" area of the dialog box is set to Certificate Files and not PKCS12 Files. Java KeyStore Stack Overflow has a thread about importing a PEM file into the Java KeyStore (JKS) if you need to do that. Another option that might work is to use this keyutil tool. How to Convert a PEM File Unlike most file formats that can be converted with a file conversion tool or website, you need to enter special commands against a particular program in order to convert the PEM file format to most other formats. Convert PEM to PPK with PuTTYGen. Choose Load from the right side of the program, set the file type to be any file (*.*), and then browse for and open your PEM file. Choose Save private key to make the PPK file. With OpenSSL (get the Windows version here), you can convert the PEM file to PFX with the following command: openssl pkcs12 -inkey yourfile.pem -in yourfile.cert -export -out yourfile.pfx If you have a PEM file that needs to be converted to CRT, like is the case with Ubuntu, use this command with OpenSSL: openssl x509 -in yourfile.pem -inform PEM -out yourfile.crt OpenSSL also supports converting .PEM to .P12 (PKCS#12, or Public Key Cryptography Standard #12), but append the ".TXT" file extension at the end of the file before running this command: openssl pkcs12 -export -inkey yourfile.pem.txt -in yourfile.pem.txt -out yourfile.p12 See the Stack Overflow link above about using the PEM file with Java KeyStore if you want to convert the file to JKS, or this tutorial from Oracle to import the file into the Java truststore. More Information on PEM The data integrity feature of the Privacy Enhanced Mail Certificate format uses RSA-MD2 and RSA-MD5 message digests to compare a message before and after it's sent, to ensure that it hasn't been tampered with along the way. At the beginning of a PEM file is a header that reads -----BEGIN [label]-----, and the end of the data is a similar footer like this: -----END [label]-----. The "[label]" section describes the message, so it might read PRIVATE KEY, CERTIFICATE REQUEST, or CERTIFICATE. Here's an example: -----BEGIN PRIVATE KEY-----MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAMLgD0kAKDb5cFyPjbwNfR5CtewdXC+kMXAWD8DLxiTTvhMW7qVnlwOm36mZlszHKvsRf05lT4pegiFM9z2j1OlaN+ci/X7NU22TNN6crYSiN77FjYJP464j876ndSxyD+rzys386T+1r1aZaggEdkj1TsSsv1zWIYKlPIjlvhuxAgMBAAECgYA0aH+T2Vf3WOPv8KdkcJg6gCReyJKXOWgWRcicx/CUzOEsTxmFIDPLxqAWA3k7v0B+3vjGw5Y9lycV/5XqXNoQI14jy09iNsumds13u5AKkGdTJnZhQ7UKdoVHfuP44ZdOv/rJ5/VD6F4zWywpe90pcbK+AWDVtusgGQBSieEl1QJBAOyVrUG5l2234raSDfm/DYyXlIthQO/A3/LngDW5/ydGxVsT7lAVOgCsoT+0L4efTh90PjzW8LPQrPBWVMCQQDS3h/FtYYd5lfz+FNL9CEe1F1w9l8P749uNUD0g317zv1tatIqVCsQWHfVHNdVvfQ+vSFw38OORO00Xqs91GJrAkBkoXXEkxCZoy4PteheO/8IWWLGGr6L7di6MzFl1lIqwT6D8L9oaV2vynFTDnKop0pa09Unhjyw57KMNmSE2SUJAkEArloTEzpgRmCq4IK2/NpCeGdHS5uqRlbh1VIa/xGps7EWQl5Mn8swQDel/YP3WGHTjfx7pgSegQfkyaRtGpZ9OQJAa9Vumj8mJAAtI0Bnga8hgQx7BhTQY4CadDxyiRGOGYhwUzYVCqkb2sbVRH9HnwUaJT7cWBY3RnJdHOMXWem7/w==-----END PRIVATE KEY----- One PEM file can contain multiple certificates, in which case the "END" and "BEGIN" sections neighbor each other. Still Can't Open the File? One reason your file doesn't open in any of the ways described above is that you're not actually dealing with a PEM file. You might instead have a file that just uses a similarly spelled file extension. When that's the case, there isn't a necessity for the two files to be related or for them to work with the same software programs. For example, PEF looks an awful lot like PEM but instead belongs to either the Pentax Raw Image file format or Portable Embosser Format. Follow that link to see how to open or convert PEF files, if that's what you really have. The same could be said for many other file extensions like EPM, EMP, EPP, PES, PET...you get the idea. Just double-check the file extension to see that it actually reads ".pem" before considering that the methods above don't work. If you're dealing with a KEY file, be aware that not all files that end in .KEY belongs in the format described on this page. They might instead be Software License Key files used when registering software programs like LightWave, or Keynote Presentation files created by Apple Keynote.