What Is a PEM File?

This article explains what PEM files are used for, how to open one depending on the program or OS you're using, and how to convert one to a different certificate file format.

What Is a PEM File?

A PEM file is a Privacy Enhanced Mail Certificate file used to privately transmit email. The person receiving this email can be confident that the message wasn't altered during its transmission, wasn't shown to anyone else, and was sent by the person who claims to have sent it.

PEM files arose out of the complication of sending binary data through email. The PEM format encodes binary with base64 so that it exists as an ASCII string.

The PEM format has been replaced by newer and more secure technologies, but the PEM container is still used today to hold certificate authority files, public and private keys, root certificates, etc.

How to Open PEM Files

The steps for opening a PEM file are different depending on the application that needs it and the operating system you're using. However, you might need to convert your PEM file to CER or CRT in order for some of these programs to accept the file.

Windows

To import a CER or CRT file into Windows, start by opening Microsoft Management Console from the Run dialog box (use the Windows Key + R keyboard shortcut to enter mmc). From there, go to File > Add/Remove Snap-in... and select Certificates from the left column, and then the Add > button in the center of the window.

Choose Computer account on the following screen, and then move through the wizard, selecting Local computer when asked. Once "Certificates" is loaded under "Console Root," expand the folder and right-click Trusted Root Certification Authorities, and choose All Tasks > Import.

macOS

The same concept is true for your Mac email client as it is for a Windows one: use Safari to have the PEM file imported into Keychain Access.

You can also import SSL certificates through the File > Import Items menu in Keychain Access. Choose System from the drop-down menu and then follow the on-screen prompts.

If these methods don't work for importing the PEM file into macOS, you might try the following command (change "yourfile.pem" to be the name and location of your specific PEM file):

security import yourfile.pem -k ~/Library/Keychains/login.keychain

Linux

Use this keytool command to view the contents of a PEM file on Linux:

keytool -printcert -file yourfile.pem

Follow these steps if you want to import a CRT file into Linux's trusted certificate authority repository (see the PEM to CRT conversion method in the next section below if you have a PEM file instead):

1. Navigate to /usr/share/ca-certificates/.

2. Create a folder there (for example, sudo mkdir /usr/share/ca-certificates/work).

3. Copy the .CRT file into that newly created folder. If you'd rather not do it manually, you can use this command instead: sudo cp yourfile.crt /usr/share/ca-certificates/work/yourfile.crt.

4. Make sure the permissions are set correctly (755 for the folder and 644 for the file).

5. Run the sudo update-ca-certificates command.

Firefox and Thunderbird

If the PEM file needs importing into a Mozilla email client like Thunderbird, you might have to first export the PEM file out of Firefox. Open the Firefox menu and choose Options. Go to Privacy & Security and find the Security section, and then use the View Certificates... button to open a list, from where you can select the one you need to export. Use the Backup... option to save it.

Then, in Thunderbird, open the menu and click or tap Options. Navigate to Advanced > Certificates > Manage Certificates > Your Certificates > Import. From the "File name:" section of the Import window, choose Certificate Files from the drop-down, and then find and open the PEM file.

To import the PEM file into Firefox, just follow the same steps you would to export one, but choose Import instead of the Backup... button. If you can't find the PEM file, make sure the "Filename" area of the dialog box is set to Certificate Files and not PKCS12 Files.

Java KeyStore

Stack Overflow has a thread about importing a PEM file into the Java KeyStore (JKS) if you need to do that. Another option that might work is to use this keyutil tool.

How to Convert a PEM File

Unlike most file formats that can be converted with a file conversion tool or website, you need to enter special commands against a particular program in order to convert the PEM file format to most other formats.

Convert PEM to PPK with PuTTYGen. Choose Load from the right side of the program, set the file type to be any file (*.*), and then browse for and open your PEM file. Choose Save private key to make the PPK file.

With OpenSSL (get the Windows version here), you can convert the PEM file to PFX with the following command:

openssl pkcs12 -inkey yourfile.pem -in yourfile.cert -export -out yourfile.pfx

If you have a PEM file that needs to be converted to CRT, like is the case with Ubuntu, use this command with OpenSSL:

openssl x509 -in yourfile.pem -inform PEM -out yourfile.crt

OpenSSL also supports converting .PEM to .P12 (PKCS#12, or Public Key Cryptography Standard #12), but append the ".TXT" file extension at the end of the file before running this command:

openssl pkcs12 -export -inkey yourfile.pem.txt -in yourfile.pem.txt -out yourfile.p12

See the Stack Overflow link above about using the PEM file with Java KeyStore if you want to convert the file to JKS, or this tutorial from Oracle to import the file into the Java truststore.

More Information on PEM

The data integrity feature of the Privacy Enhanced Mail Certificate format uses RSA-MD2 and RSA-MD5 message digests to compare a message before and after it's sent, to ensure that it hasn't been tampered with along the way.

At the beginning of a PEM file is a header that reads -----BEGIN [label]-----, and the end of the data is a similar footer like this: -----END [label]-----. The "[label]" section describes the message, so it might read PRIVATE KEY, CERTIFICATE REQUEST, or CERTIFICATE.

Here's an example:

-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAMLgD0kAKDb5cFyP
jbwNfR5CtewdXC+kMXAWD8DLxiTTvhMW7qVnlwOm36mZlszHKvsRf05lT4pegiFM
9z2j1OlaN+ci/X7NU22TNN6crYSiN77FjYJP464j876ndSxyD+rzys386T+1r1aZ
aggEdkj1TsSsv1zWIYKlPIjlvhuxAgMBAAECgYA0aH+T2Vf3WOPv8KdkcJg6gCRe
yJKXOWgWRcicx/CUzOEsTxmFIDPLxqAWA3k7v0B+3vjGw5Y9lycV/5XqXNoQI14j
y09iNsumds13u5AKkGdTJnZhQ7UKdoVHfuP44ZdOv/rJ5/VD6F4zWywpe90pcbK+
AWDVtusgGQBSieEl1QJBAOyVrUG5l2234raSDfm/DYyXlIthQO/A3/LngDW
5/ydGxVsT7lAVOgCsoT+0L4efTh90PjzW8LPQrPBWVMCQQDS3h/FtYYd5lfz+FNL
9CEe1F1w9l8P749uNUD0g317zv1tatIqVCsQWHfVHNdVvfQ+vSFw38OORO00Xqs9
1GJrAkBkoXXEkxCZoy4PteheO/8IWWLGGr6L7di6MzFl1lIqwT6D8L9oaV2vynFT
DnKop0pa09Unhjyw57KMNmSE2SUJAkEArloTEzpgRmCq4IK2/NpCeGdHS5uqRlbh
1VIa/xGps7EWQl5Mn8swQDel/YP3WGHTjfx7pgSegQfkyaRtGpZ9OQJAa9Vumj8m
JAAtI0Bnga8hgQx7BhTQY4CadDxyiRGOGYhwUzYVCqkb2sbVRH9HnwUaJT7cWBY3
RnJdHOMXWem7/w==
-----END PRIVATE KEY-----

One PEM file can contain multiple certificates, in which case the "END" and "BEGIN" sections neighbor each other.

Still Can't Open the File?

One reason your file doesn't open in any of the ways described above is that you're not actually dealing with a PEM file. You might instead have a file that just uses a similarly spelled file extension. When that's the case, there isn't a necessity for the two files to be related or for them to work with the same software programs.

For example, PEF looks an awful lot like PEM but instead belongs to either the Pentax Raw Image file format or Portable Embosser Format. Follow that link to see how to open or convert PEF files, if that's what you really have.

The same could be said for many other file extensions like EPM, EMP, EPP, PES, PET...you get the idea. Just double-check the file extension to see that it actually reads ".pem" before considering that the methods above don't work.

If you're dealing with a KEY file, be aware that not all files that end in .KEY belongs in the format described on this page. They might instead be Software License Key files used when registering software programs like LightWave, or Keynote Presentation files created by Apple Keynote.