What Is a PEM File? Format, Contents, and How to Use One
If you've deployed an SSL certificate, set up SSH on AWS, or worked with OpenSSL, you've encountered PEM files. They're everywhere in the certificate and cryptography world — but the format itself is simple once you understand what's inside.
This guide explains what a PEM file is, what it can contain, how to read one, and how to create one.
What Is a PEM File?
PEM stands for Privacy Enhanced Mail — an old email security standard from the early 1990s that was never widely adopted for email but whose file format became the de facto standard for storing cryptographic objects.
A PEM file is a text file containing one or more Base64-encoded cryptographic objects (certificates, keys, CSRs) wrapped in ASCII header and footer lines:
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAJC1HiIAZAiIMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTIxMDA5MDkxMjMxWhcNMTMxMDA5MDkxMjMxWjBF
...
-----END CERTIFICATE-----
The header (-----BEGIN CERTIFICATE-----) tells you what type of object is inside. The body is the object encoded as Base64. The footer (-----END CERTIFICATE-----) closes it.
Key properties of PEM files:
- Plain text — you can open them in any text editor
- Base64 encoded — the binary cryptographic data is made safe for text transmission
- Human-identifiable — the header/footer tell you exactly what's inside
- Container format — a single
.pemfile can contain multiple objects (e.g., a certificate chain) - Typically use extensions:
.pem,.crt,.cer,.key,.pub,.ca-bundle
What Can a PEM File Contain?
The header line tells you exactly what object is inside. These are the most common:
SSL/TLS Certificates
-----BEGIN CERTIFICATE-----
... Base64-encoded X.509 certificate ...
-----END CERTIFICATE-----
Used for: web server certificates, intermediate CA certificates, root CA certificates.
Private Keys
-----BEGIN RSA PRIVATE KEY-----
... Base64-encoded PKCS#1 RSA private key ...
-----END RSA PRIVATE KEY-----
-----BEGIN PRIVATE KEY-----
... Base64-encoded PKCS#8 private key (any algorithm) ...
-----END PRIVATE KEY-----
-----BEGIN EC PRIVATE KEY-----
... Base64-encoded elliptic curve private key ...
-----END EC PRIVATE KEY-----
PKCS#1 format (RSA PRIVATE KEY) is RSA-specific. PKCS#8 format (PRIVATE KEY) is the newer, algorithm-agnostic format used by most modern tools.
Certificate Signing Requests (CSRs)
-----BEGIN CERTIFICATE REQUEST-----
... Base64-encoded PKCS#10 CSR ...
-----END CERTIFICATE REQUEST-----
Public Keys
-----BEGIN PUBLIC KEY-----
... Base64-encoded public key ...
-----END PUBLIC KEY-----
Certificate Chains
A PEM file can contain multiple objects concatenated together. A "full chain" file for an SSL certificate typically contains the leaf certificate followed by intermediate certificates:
-----BEGIN CERTIFICATE-----
... leaf certificate (your domain) ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... intermediate CA certificate ...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... root CA certificate (sometimes omitted) ...
-----END CERTIFICATE-----
This is what Let's Encrypt's fullchain.pem looks like — the file Nginx and Apache use.
Certificate Revocation Lists (CRLs)
-----BEGIN X509 CRL-----
...
-----END X509 CRL-----
How to Read a PEM File
Method 1: Open in a text editor
PEM files are plain text. Open any .pem, .crt, or .key file in VS Code, Notepad, or any text editor. You'll see the Base64 content directly.
Method 2: Decode the certificate with OpenSSL
# View a certificate
openssl x509 -in certificate.pem -text -noout
# View just the subject and dates
openssl x509 -in certificate.pem -subject -dates -noout
# View a private key (PKCS#8)
openssl pkey -in private.key -text -noout
# View a CSR
openssl req -in request.csr -text -noout
Method 3: Identify the type from the header
You don't need OpenSSL to identify what's in a PEM file. The header tells you:
| Header | Content |
|---|---|
-----BEGIN CERTIFICATE----- |
X.509 certificate |
-----BEGIN RSA PRIVATE KEY----- |
RSA private key (PKCS#1) |
-----BEGIN PRIVATE KEY----- |
Private key (PKCS#8, any algorithm) |
-----BEGIN ENCRYPTED PRIVATE KEY----- |
Passphrase-protected private key |
-----BEGIN PUBLIC KEY----- |
Public key |
-----BEGIN CERTIFICATE REQUEST----- |
CSR |
-----BEGIN EC PRIVATE KEY----- |
Elliptic curve private key |
-----BEGIN OPENSSH PRIVATE KEY----- |
OpenSSH private key format |
Method 4: Use a browser-based decoder
Our PEM Decoder auto-detects the PEM type and formats the output. Paste any PEM content and get a human-readable breakdown of the certificate fields, key details, or CSR contents — without needing OpenSSL installed.
What Is an X.509 Certificate?
When a PEM file contains a certificate, that certificate follows the X.509 standard — an ITU-T standard defining the format of public key certificates.
An X.509 certificate contains:
| Field | Description | Example |
|---|---|---|
| Subject | The entity the cert identifies | CN=example.com, O=Acme Corp, C=US |
| Issuer | Who signed the certificate | CN=Let's Encrypt R3, O=Let's Encrypt |
| Serial Number | Unique ID from the CA | 03:a6:5e:a1:... |
| Valid From | Certificate start date | 2024-01-01 00:00:00 UTC |
| Valid To | Certificate expiry date | 2024-04-01 23:59:59 UTC |
| Public Key | The public key for this domain | RSA 2048-bit or EC P-256 key |
| Subject Alt Names | All hostnames the cert is valid for | DNS:example.com, DNS:www.example.com |
| Key Usage | What operations the key can perform | Digital Signature, Key Encipherment |
| CA Issuers URL | Where to download the intermediate cert | URL to issuing CA's cert |
| OCSP URL | Certificate revocation check endpoint | URL to OCSP responder |
| Signature | CA's digital signature over all fields | Ensures the cert wasn't tampered with |
The Subject Alternative Names (SANs) field is particularly important — modern browsers require all hostnames to be listed in SANs, not just the Common Name (CN).
How to Create a PEM File
From an existing certificate and key
If your CA returned your certificate in a different format, you may need to convert it:
# Convert DER (binary) to PEM
openssl x509 -in certificate.der -inform DER -out certificate.pem
# Convert PFX/P12 to PEM (extracts cert and key separately)
openssl pkcs12 -in bundle.pfx -clcerts -nokeys -out certificate.pem
openssl pkcs12 -in bundle.pfx -nocerts -nodes -out private.key
Generate a new self-signed PEM certificate
openssl req -x509 -newkey rsa:2048 -keyout private.key -out certificate.pem \
-days 365 -nodes \
-subj "/C=US/ST=California/O=Dev/CN=localhost" \
-addext "subjectAltName=DNS:localhost,IP:127.0.0.1"
This creates two files: private.key (your RSA private key in PEM format) and certificate.pem (the self-signed certificate in PEM format).
Combine a certificate chain into one file
Nginx and Apache often want a single file containing the full chain (leaf + intermediates):
cat certificate.pem intermediate.pem > fullchain.pem
Order matters: leaf certificate first, then intermediates, then root (root is often omitted since browsers already have it in their trust stores).
Create a PEM from a CSR after signing
If you generated a CSR, submitted it to a CA, and received your certificate back:
# The CA returns your certificate — it's already in PEM format
# Just make sure it ends with the correct header/footer
# Then combine with your private key for use in a web server:
cat private.key certificate.pem intermediate.pem > server_bundle.pem
Using PEM Files with SSH
AWS EC2, DigitalOcean Droplets, and most cloud providers use PEM files for SSH key authentication. When you create an instance and download a .pem key file, that file contains an RSA or ED25519 private key in PEM format.
Connect to a server using a PEM file
# Set correct permissions first (required — SSH rejects world-readable keys)
chmod 400 my-ec2-key.pem
# Connect
ssh -i my-ec2-key.pem ubuntu@ec2-1-2-3-4.compute.amazonaws.com
The -i flag specifies the identity file (private key). The server has the corresponding public key in its ~/.ssh/authorized_keys file.
Common SSH PEM errors
Permissions 0644 for 'key.pem' are too open — Fix with chmod 400 key.pem or chmod 600 key.pem.
WARNING: UNPROTECTED PRIVATE KEY FILE! — Same issue, wrong permissions.
Permission denied (publickey) — Either the wrong key file, the wrong username, or the public key isn't in the server's authorized_keys.
Extract the public key from a PEM private key
# RSA/EC key
ssh-keygen -y -f private.key > public.key
# Or using openssl
openssl rsa -in private.key -pubout -out public.key
PEM vs Other Certificate Formats
| Format | Extension | Encoding | Contains | Used By |
|---|---|---|---|---|
| PEM | .pem, .crt, .cer, .key |
Base64 (text) | Cert, key, chain, CSR | Apache, Nginx, OpenSSL, Let's Encrypt |
| DER | .der, .cer |
Binary | Single cert or key | Java (keytool), Windows, some hardware |
| PKCS#12 / PFX | .pfx, .p12 |
Binary | Cert + key + chain | Windows IIS, Tomcat, Azure, exportable bundles |
| PKCS#7 | .p7b, .p7c |
Base64 or binary | Cert chain (no private key) | Windows, Java, S/MIME |
| JKS | .jks |
Binary | Java KeyStore — certs + keys | Tomcat, Java applications |
The simplest rule:
- Working with Apache, Nginx, or OpenSSL → PEM
- Windows IIS or need to bundle cert + key together → PFX/P12
- Java application → JKS or DER
- Need to distribute a certificate chain without a private key → P7B or PEM chain
Our SSL Certificate Formats Explained post covers the conversions between these formats in detail.
Common PEM File Errors
PEM_read_bio_X509: no start line — The file doesn't start with a valid PEM header, or it's a binary (DER) file. Check that the first line is -----BEGIN ...-----.
No certificate or CRL found — OpenSSL can't find a certificate in the file. The header might say CERTIFICATE REQUEST (a CSR) when you need CERTIFICATE.
SSL_CTX_use_PrivateKey_file: PEM lib — The private key and certificate don't match, or the key file is corrupt. Use our Certificate Key Matcher to verify they're a pair.
bad decrypt — The private key is encrypted with a passphrase and the wrong passphrase was provided. Use openssl rsa -in encrypted.key -out decrypted.key to decrypt it interactively.
certificate has expired or is not yet valid — The current date is outside the certificate's validity window. Check openssl x509 -in cert.pem -dates -noout.
Instantly Decode PEM Files
Rather than running OpenSSL commands, use our browser-based tools:
- PEM Decoder — paste any PEM content to see the decoded fields
- SSL Certificate Decoder — full certificate details including SANs, fingerprints, and chain
- Certificate Decoder — auto-detects certificate type (PEM, DER, PFX)
- Convert PFX to PEM — convert a PFX bundle to separate PEM cert and key files
All tools run entirely in your browser — your certificate and key data are never sent to a server.
Summary
- A PEM file is a text file containing Base64-encoded cryptographic objects wrapped in
-----BEGIN/END-----headers - The header tells you exactly what the file contains: certificate, private key, CSR, or public key
- PEM is the default format for Apache, Nginx, OpenSSL, Let's Encrypt, and most cloud platforms
- A single PEM file can contain multiple objects (full certificate chain)
- For SSH on AWS/GCP/Azure, the downloaded
.pemfile contains your RSA private key — set permissions to 400 before use - X.509 is the standard defining the structure of certificates inside PEM files
- Convert to/from PEM using OpenSSL commands or our browser-based PEM Decoder and converters