What Is a PEM File?

How to open, edit, and convert PEM files

PEM Files
PEM Files.

A file with the PEM file extension is a Privacy Enhanced Mail Certificate file used to privately transmit email. The person receiving this email can be confident that the message wasn't altered during its transmission, wasn't shown to anyone else, and was sent by the person who claims to have sent it.

The PEM format arose out of the complication of sending binary data through email. The PEM format encodes binary with base64 so that it exists as an ASCII string.

The PEM format has been replaced by newer and more secure technologies but the PEM container is still used today to hold certificate authority files, public and private keys, root certificates, etc.

Note: Some files in the PEM format might instead use a different file extension, like CER or CRT for certificates, or KEY for public or private keys.

How to Open PEM Files

The steps for opening a PEM file are different depending on the application that needs it and the operating system you're using. However, you might need to convert your PEM file to CER or CRT in order for some of these programs to accept the file.


If you need the CER or CRT file in a Microsoft email client like Outlook, open it in Internet Explorer to have it automatically loaded into the proper database. The email client can automatically use it from there.

To see which certificate files are loaded onto your computer, and to import ones manually, use Internet Explorer's Tools menu to access Internet Options > Content > Certificates.

To import a CER or CRT file into Windows, start by opening Microsoft Management Console from the Run dialog box (use the Windows Key + R keyboard shortcut to enter mmc). From there, go to File > Add/Remove Snap-in... and select Certificates from the left column, and then the Add > button in the center of the window.

Choose Computer account on the following screen, and then move through the wizard, selecting Local computer when asked.

Once "Certificates" is loaded under "Console Root," expand the folder and right-click Trusted Root Certification Authorities, and choose All Tasks > Import....


The same concept is true for your Mac email client as it is for a Windows one; use Safari to have the PEM file imported into Keychain Access.

You can also import SSL certificates through the File > Import Items... menu in Keychain Access. Choose System from the drop-down menu and then follow the on-screen prompts.

If these methods don't work for importing the PEM file into macOS, you might try the following command:

security import yourfile.pem -k ~/Library/Keychains/login.keychain


Use this keytool command to view the contents of a PEM file on Linux:

keytool -printcert -file yourfile.pem

Follow these steps if you want to import a CRT file into Linux's trusted certificate authority repository (see the PEM to CRT conversion method in the next section below if you have a PEM file instead):

  1. Navigate to /usr/share/ca-certificates/.
  2. Create a folder there (for example, sudo mkdir /usr/share/ca-certificates/work).
  1. Copy the .CRT file into that newly created folder. If you'd rather not do it manually, you can use this command instead: sudo cp yourfile.crt /usr/share/ca-certificates/work/yourfile.crt.
  2. Make sure the permissions are set correctly (755 for the folder and 644 for the file).
  3. Run the sudo update-ca-certificates command.

Firefox and Thunderbird

If the PEM file needs imported into a Mozilla email client like Thunderbird, you might have to first export the PEM file out of Firefox. Open the Firefox menu and choose Options. Go to Advanced > Certificates > View Certificates > Your Certificates and select the one you need to export, and then choose Backup....

Then, in Thunderbird, open the menu and click or tap Options. Navigate to Advanced > Certificates > Manage Certificates > Your Certificates > Import.... From the "File name:" section of the Import window, choose Certificate Files from the drop-down, and then find and open the PEM file.

To import the PEM file into Firefox, just follow the same steps you would to export one, but choose Import... instead of the Backup... button.

Java KeyStore

See this Stack Overflow thread on importing a PEM file into the Java KeyStore (JKS) if you need to do that. Another option that might work is to use this keyutil tool.

How to Convert a PEM File

Unlike most file formats that can be converted with a file conversion tool or website, you need to enter special commands against a particular program in order to convert the PEM file format to most other formats.

Convert PEM to PPK with PuTTYGen. Choose Load from the right side of the program, set the file type to be any file (*.*), and then browse for and open your PEM file. Choose Save private key to make the PPK file.

With OpenSSL (get the Windows version here), you can convert the PEM file to PFX with the following command:

openssl pkcs12 -inkey yourfile.pem -in yourfile.cert -export -out yourfile.pfx

If you have a PEM file that needs converted to CRT, like is the case with Ubuntu, use this command with OpenSSL:

openssl x509 -in yourfile.pem -inform PEM -out yourfile.crt

OpenSSL also supports converting .PEM to .P12 (PKCS#12, or Public Key Cryptography Standard #12), but append the ".TXT" file extension at the end of the file before running this command:

openssl pkcs12 -export -inkey yourfile.pem.txt -in yourfile.pem.txt -out yourfile.p12

See the Stack Overflow link above about using the PEM file with Java KeyStore if you want to convert the file to JKS, or this tutorial from Oracle to import the file into the Java truststore.

More Information on PEM

The data integrity feature of the Privacy Enhanced Mail Certificate format uses RSA-MD2 and RSA-MD5 message digests to compare a message before and after it's sent, to ensure that it hasn't been tampered with along the way.

At the beginning of a PEM file is a header that reads -----BEGIN [label]-----, and the end of the data is a similar footer like this: -----END [label]-----. The "[label]" section describes the message, so it might read PRIVATE KEY, CERTIFICATE REQUEST, or CERTIFICATE.

Here's an example:


One PEM file can contain multiple certificates, in which case the "END" and "BEGIN" sections neighbor each other.

Is Your File Still Not Opening?

One reason your file doesn't open in the ways described above is that you're not actually dealing with a PEM file. You might instead have a file that just uses a similarly spelled file extension. When that's the case, there isn't a necessity for the two files to be related or for them to work with the same software programs.

For example, PEF looks an awful lot like PEM but instead belongs to either the Pentax Raw Image file format or Portable Embosser Format. Follow that link to see how to open or convert PEF files, if that's what you really have.

If you're dealing with a KEY file, be aware that not all files that end in .KEY belong in the format described on this page. They might instead be Software License Key files used when registering software programs like LightWave, or Keynote Presentation files created by Apple Keynote.

If you're sure you have a PEM file but are having troubles opening or using it, see Get More Help for information about contacting me on social networks or via email, posting on tech support forums, and more. Let me know what kinds of problems you're having and I'll see what I can do to help.