What Is a PEM File?
A PEM file is a Privacy Enhanced Mail Certificate file used to privately transmit email. The person receiving this email can be confident that the message wasn’t altered during its transmission, wasn’t shown to anyone else, and was sent by the person who claims to have sent it. PEM files arose out of the complication of sending binary data through email. The PEM format encodes binary with base64 so that it exists as an ASCII string. The PEM format has been replaced by newer and more secure technologies, but the PEM container is still used today to hold certificate authority files, public and private keys, root certificates, etc.
How to Open PEM Files
The steps for opening a PEM file are different depending on the application that needs it and the operating system you’re using. However, you might need to convert your PEM file to CER or CRT in order for some of these programs to accept the file.
Windows
If you need the CER or CRT file in a Microsoft email client like Outlook, open it in Internet Explorer to have it automatically loaded into the proper database. The email client can automatically use it from there. To see which certificate files are loaded onto your computer, and to import ones manually, use Internet Explorer’s Tools menu to access Internet Options > Content > Certificates, like this: To import a CER or CRT file into Windows, start by opening Microsoft Management Console from the Run dialog box (use the Windows Key + R keyboard shortcut to enter mmc). From there, go to File > Add/Remove Snap-in… and select Certificates from the left column, and then the Add > button in the center of the window. Choose Computer account on the following screen, and then move through the wizard, selecting Local computer when asked. Once “Certificates” is loaded under “Console Root,” expand the folder and right-click Trusted Root Certification Authorities, and choose All Tasks > Import.
macOS
The same concept is true for your Mac email client as it is for a Windows one: use Safari to have the PEM file imported into Keychain Access. You can also import SSL certificates through the File > Import Items menu in Keychain Access. Choose System from the drop-down menu and then follow the on-screen prompts. If these methods don’t work for importing the PEM file into macOS, you might try the following command (change “yourfile.pem” to be the name and location of your specific PEM file):
Linux
Use this keytool command to view the contents of a PEM file on Linux: Follow these steps if you want to import a CRT file into Linux’s trusted certificate authority repository (see the PEM to CRT conversion method in the next section below if you have a PEM file instead):
Firefox and Thunderbird
If the PEM file needs importing into a Mozilla email client like Thunderbird, you might have to first export the PEM file out of Firefox. Open the Firefox menu and choose Options. Go to Privacy & Security and find the Security section, and then use the View Certificates… button to open a list, from where you can select the one you need to export. Use the Backup… option to save it. Then, in Thunderbird, open the menu and click or tap Options. Navigate to Advanced > Certificates > Manage Certificates > Your Certificates > Import. From the “File name:” section of the Import window, choose Certificate Files from the drop-down, and then find and open the PEM file. To import the PEM file into Firefox, just follow the same steps you would to export one, but choose Import instead of the Backup… button. If you can’t find the PEM file, make sure the “Filename” area of the dialog box is set to Certificate Files and not PKCS12 Files.
Java KeyStore
Stack Overflow has a thread about importing a PEM file into the Java KeyStore (JKS) if you need to do that. Another option that might work is to use this keyutil tool.
How to Convert a PEM File
Unlike most file formats that can be converted with a file conversion tool or website, you need to enter special commands against a particular program in order to convert the PEM file format to most other formats. Convert PEM to PPK with PuTTYGen. Choose Load from the right side of the program, set the file type to be any file (.), and then browse for and open your PEM file. Choose Save private key to make the PPK file. With OpenSSL (get the Windows version here), you can convert the PEM file to PFX with the following command: If you have a PEM file that needs to be converted to CRT, like is the case with Ubuntu, use this command with OpenSSL: OpenSSL also supports converting .PEM to .P12 (PKCS#12, or Public Key Cryptography Standard #12), but append the “.TXT” file extension at the end of the file before running this command: See the Stack Overflow link above about using the PEM file with Java KeyStore if you want to convert the file to JKS, or this tutorial from Oracle to import the file into the Java truststore.
More Information on PEM
The data integrity feature of the Privacy Enhanced Mail Certificate format uses RSA-MD2 and RSA-MD5 message digests to compare a message before and after it’s sent, to ensure that it hasn’t been tampered with along the way. At the beginning of a PEM file is a header that reads —–BEGIN [label]—–, and the end of the data is a similar footer like this: —–END [label]—–. The “[label]” section describes the message, so it might read PRIVATE KEY, CERTIFICATE REQUEST, or CERTIFICATE. Here’s an example: One PEM file can contain multiple certificates, in which case the “END” and “BEGIN” sections neighbor each other.
Still Can’t Open the File?
One reason your file doesn’t open in any of the ways described above is that you’re not actually dealing with a PEM file. You might instead have a file that just uses a similarly spelled file extension. When that’s the case, there isn’t a necessity for the two files to be related or for them to work with the same software programs. For example, PEF looks an awful lot like PEM but instead belongs to either the Pentax Raw Image file format or Portable Embosser Format. Follow that link to see how to open or convert PEF files, if that’s what you really have. The same could be said for many other file extensions like EPM, EMP, EPP, PES, PET…you get the idea. Just double-check the file extension to see that it actually reads “.pem” before considering that the methods above don’t work. If you’re dealing with a KEY file, be aware that not all files that end in .KEY belongs in the format described on this page. They might instead be Software License Key files used when registering software programs like LightWave, or Keynote Presentation files created by Apple Keynote.
Next, open a text editor, such as WordPad or Notepad, and paste the body of each certificate into a new text file. They should be in this order: Private Key, Primary Certificate, Intermediate Certificate, Root Certificate. Add starting and ending tags. They’ll look like this:
—–BEGIN CERTIFICATE —– and —–END CERTIFICATE —– Finally, save the file as your_domain.pem.
