Privacy Enhanced Mail, or as it is commonly known PEM, is a file format widely used for storing and transferring encrypted data, especially certificates and cryptographic keys. A file with .PEM extension acts as a container of encrypted data placed within.
PEM is the most common format to issue certificates. It encodes data using Base64, which makes it easier to be translated and understood by web servers. They actually can be opened and checked using a simple text editor like Notepad or VIM.
In an open-source system, a PEM file containing private keys can usually be recognized with its .key extension, whereas a PEM file containing certificates has a .cer, .crt, or .pem format.
What does a PEM file look like?
A private key within a PEM file will look like this:
-----BEGIN PRIVATE KEY----- MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCuaGs3MHEOUMvO v7QLx1cAgx7BDMHE0eq70/A+JZlYjDL7IAcoubgibfRWyEPombDF/TtnOzuYXuNT tkGVK+iOI3HbTgVANOrhIhTO91Vh3MDBftlNdzsYg4Ct/dZfvwGixgVfOza5nYcP SFJ5r89fre1EV/3QA3m+oPYimejcTCwEcByxxP7unmoxR9wJMYCmF3IOtRKGMhCn IbmIRwvaQ0yeCk9vh4WoZBbqJx4pVXmqz5D4IfDt2E41NiecWVoNHMTEF9xE2Few 3tPyfMMtqQH713DiVNmLBjHkJLK8a/ev2NjFMg8KTZ0hlVyaeBZDPz0iNk3iaeXf pspZ42kPAgMBAAECggEANcqEzufE5spqoaCkskFQBxtpv9bkaITp5fZvEWvdSN8s 1iFBtADb1tqc0qs/rpzAVcBNswAk2FDjwizjO1PojPZHpoEAw5XOn5M4YcEM93rz hHpQIUFV27CrXn58wNkTcxWqEH4d2c/JGSCQN3HO/s6Q8FRHNwHraa0RXQilNlRR OKSyDZTMyTOB0zBxXR5eJ1izXISgJVhL+UTb1VUj+XdhmSVqP45p2dhJWTyGHy6O taQDo7mUB+gTJzmLbFJxX2Hl50mh9R/Y3fLwGyg3uLBiibMq8ajFSPGgRTkdx+EY PjRuDHLZ2qSCwqrUUuI2X1qAaOyLI+hdjlMlz048QQKBgQDk6kC33UmLGQSO+kqz +j8Zh9lnEMU49Gfq0x4VZjnp9qzj9/8Cl+cOoAxcb1ZzQITvGf0ww85dhSPKh68x QSfefJRm1z6JVyjCVOUYWCN3XTxp7tZMXvSe0ED+HWw96EA8P83QqsMLlH6YkZLq as6K4R9iAtO14tIVoPeVAfZLYQKBgQDDCypU6A08aWyt9Bncfb6mUhheL7LFMRK9 fFxvWuSGLSeZ0hFjGGNJjIOcUUZvnXYTYmuYRrNnNtqY/UvB4ubWncbnU6HY/eZS ejWp2GDiU9yGfvGObwoRv7X5341LKR4KJcdsC5QoDl43mceQ5xjXnsECh/Lssm5E GLsWJ/z6bwKBgELtfliDeVIS0XNgGGFAhBxZzKVGkPMS+iL88Km/BqWx+mB4jHVc pjBveM25u6PctEEX7x/Hz9kl6Q34167l5ts0v0rGGcGb2w3eNlEEy/HFL7mlG8Ce bpTUPHxPa+s5sTYsTWd51abYFp9SyIqDCbovEbbdLrraAyRRuLE3LqRhAoGAQ7V5 kZYpGiLDDrRh0fB5IcX4HaJTXi9GAS/N6v5TvNyqFbUeQhdySFMWUUrJt++i0OHm 1isdFqStSFUOWpWJa1HEfgPDeM/TiChSvs6V+5v/P1WMR9T2WukBpGfd5gy1F/K7 gx+V5D3wqT6iUARZ1GiROm61f0QGEW/AatWg9dMCgYAAnR/QIVTUV+LuINT9lBUs v7lqQzo8wUC2Itn6nD3zmKiJb/lvA/jSZAXMGc3oqBS+ocznKrABp39MONj6Bp7l zvrNHuO8L5v7kK24snyyBfyizu03IbkHUOiIs5rXuD1N6fVG2XKQv9QsUm6NZp0o 1uGia9hksHK00QOXRhsGdA== -----END PRIVATE KEY-----
And a certificate within a PEM file will have a structure like:
-----BEGIN CERTIFICATE----- MIICLDCCAdKgAwIBAgIBADAKBggqhkjOPQQDAjB9MQswCQYDVQQGEwJCRTEPMA0G A1UEChMGR251VExTMSUwIwYDVQQLExxHbnVUTFMgY2VydGlmaWNhdGUgYXV0aG9y aXR5MQ8wDQYDVQQIEwZMZXV2ZW4xJTAjBgNVBAMTHEdudVRMUyBjZXJ0aWZpY2F0 ZSBhdXRob3JpdHkwHhcNMTEwNTIzMjAzODIxWhcNMTIxMjIyMDc0MTUxWjB9MQsw CQYDVQQGEwJCRTEPMA0GA1UEChMGR251VExTMSUwIwYDVQQLExxHbnVUTFMgY2Vy dGlmaWNhdGUgYXV0aG9yaXR5MQ8wDQYDVQQIEwZMZXV2ZW4xJTAjBgNVBAMTHEdu dVRMUyBjZXJ0aWZpY2F0ZSBhdXRob3JpdHkwWTATBgcqhkjOPQIBBggqhkjOPQMB BwNCAARS2I0jiuNn14Y2sSALCX3IybqiIJUvxUpj+oNfzngvj/Niyv2394BWnW4X uQ4RTEiywK87WRcWMGgJB5kX/t2no0MwQTAPBgNVHRMBAf8EBTADAQH/MA8GA1Ud DwEB/wQFAwMHBgAwHQYDVR0OBBYEFPC0gf6YEr+1KLlkQAPLzB9mTigDMAoGCCqG M49BAMCA0gAMEUCIDGuwD1KPyG+hRf88MeyMQcqOFZD0TbVleF+UsAGQ4enAiEA l4wOuDwKQa+upc8GftXE2C//4mKANBC6It01gUaTIpo= -----END CERTIFICATE-----
How to convert other certificate formats to PEM
The default format of the certificate you own differs depending on its provider or the way it was created. Most of the time, the certificate is a PEM file that can be used easily.
There will be cases where the certificate will be a file with a different format, such as P7B-PKCS#7, PFX-PKCS#12, or DER. In these cases, you need to convert the certificate into a PEM file. To do this, there are two options:
- To convert the file using an online tool, like SSL Converter from SSL Shopper
- To convert the certificate using OpenSSL commands
For the first path, you need to upload the file and let the website convert it automatically, while the second path needs special commands to be performed. Here are the commands to convert DER, P7B, and PFX files to PEM.
DER to PEM:
openssl x509 -inform der -in certificate.cer -out certificate.pem
P7B to PEM:
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
PFX to PEM:
openssl pkcs12 -in certname.pfx -nokeys -out certificate.pem openssl pkcs12 -in certname.pfx -nocerts -out private.key -nodes
Create a Trust Chain
For the SSL/TLS certificate to work properly, you need an SSL Certificate Trust Chain to be uploaded, instead of a simple certificate. This will let your website to be opened flawlessly in different browsers, under HTTPS protocol.
For more information, read ArvanCloud’s guide on creating a certificate trust chain.