PEM File | Convert & Use PEM for SSL, Keys, and Certificates

How to Create a PEM File?

PEM files play a critical role in website security and encrypted communications. Whether you're managing HTTPS certificates, setting up secure email, or working with APIs, understanding how to create and use PEM files is essential for developers and system administrators alike.

This guide explains what a PEM file is, how to create one, how to convert other formats to PEM using OpenSSL, and how to correctly configure trust chains for SSL/TLS.

What Is a PEM File?

PEM stands for Privacy Enhanced Mail, and it’s a Base64-encoded format for storing and sharing cryptographic keys, SSL/TLS certificates, and certificate chains. PEM files are widely used on Linux, UNIX, and other open systems due to their human-readable format and compatibility with tools like OpenSSL, Apache, and Nginx.

A typical PEM file may contain one or more of the following:

  • Private Key

  • Public Certificate

  • Certificate Authority (CA) Certificates

  • Complete Certificate Chains

Common PEM File Extensions

File Type | Common Extensions
Private Key | .pem, .key
Certificate | .pem, .crt, .cer
Full Chain | .pem, .chain.pem

PEM File Structure Examples

Private Key in PEM:

-----BEGIN PRIVATE KEY-----
(Base64 encoded data)
-----END PRIVATE KEY-----

Certificate in PEM:

-----BEGIN CERTIFICATE-----
(Base64 encoded data)
-----END CERTIFICATE-----

How to Create a PEM File Manually

To create a PEM file manually, you can copy the contents of your private key and certificate into a single .pem file. For example:

cat private.key certificate.crt > mydomain.pem

Or, for a full chain including the intermediate and root certificates:

cat private.key certificate.crt intermediate.crt root.crt > fullchain.pem

This file can now be used in various applications like Nginx, Apache, HAProxy, and Postfix.
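A hardened form of the cat step above, as an added example that is not part of the original article: it refuses to bundle a key and certificate that do not belong together and creates the output with mode 600. The function names and the throwaway example.test certificates are assumptions made for the demonstration, and an unencrypted key is assumed.

```shell
#!/bin/sh
# Added example: bundle key + certificate only when they match, with safe permissions.

# pair_matches KEY CERT: 0 if both carry the same public key, 1 if not,
# 2 if either file cannot be parsed by OpenSSL.
pair_matches() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    crt_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$crt_pub" ]
}

# build_pem KEY CERT OUT: write OUT (mode 600), or fail without creating OUT.
build_pem() {
    pair_matches "$1" "$2" || {
        echo "key and certificate do not match or cannot be parsed" >&2
        return 1
    }
    (
        umask 077                 # the file is never readable by other users
        rm -f "$3.tmp"
        cat "$1" "$2" > "$3.tmp" && mv -f "$3.tmp" "$3"
    )
}

# make_demo_pair DIR NAME: throwaway self-signed key and certificate
# (constructed test data, valid for one day).
make_demo_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}
```

Usage: build_pem private.key certificate.crt mydomain.pem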


How to Convert Other Certificate Formats to PEM

If your certificate comes in a different format such as DER (.der or .cer), P7B (.p7b), or PFX (.pfx), you can convert it using OpenSSL, a widely-used open-source toolkit.

✅ Convert DER to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

✅ Convert P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem

✅ Convert PFX (PKCS#12) to PEM

# Extract certificate only
openssl pkcs12 -in certname.pfx -nokeys -out certificate.pem
# Extract private key only (-nodes writes the key unencrypted)
openssl pkcs12 -in certname.pfx -nocerts -out private.key -nodes

Creating a Complete SSL Trust Chain in PEM

For your SSL certificate to work reliably across browsers, you need a complete certificate chain, which includes:

  1. Server Certificate (issued to your domain)

  2. Intermediate Certificate(s) (from CA)

  3. Root Certificate (from CA)

To combine them into a single PEM file:

cat certificate.crt intermediate.crt root.crt > fullchain.pem

This is especially important when configuring web servers or proxies that require a full trust chain for client-side validation.

Where Are PEM Files Used?

  • Web servers (Nginx, Apache)

  • Load balancers (HAProxy, AWS ELB)

  • Mail servers (Postfix, Exim)

  • VPN tools (OpenVPN)

  • API integrations (Auth, SDKs, HTTPS clients)

  • Kubernetes TLS secrets

  • GitHub Actions or CI/CD secrets

Tools to Help You Convert or Create PEM Files

Troubleshooting Tips

  • If a PEM file doesn’t work, check for missing -----BEGIN / -----END lines.

  • Ensure you copy the entire Base64 content without introducing stray spaces or extra line breaks.

  • Never share your private key in public repositories or over unencrypted channels.
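The checks in the tips above can be automated. The following is an added example, not part of the original article: a structural lint that reports missing or mismatched BEGIN/END lines and non-Base64 content, plus a test for private-key blocks that can gate a commit or upload. The function names are assumptions, and only awk and grep are used.

```shell
#!/bin/sh
# Added example: structural lint for PEM files (awk and grep only).

# pem_lint FILE: print one line per problem; exit status 0 only when clean.
pem_lint() {
    awk '
    { sub(/\r$/, "") }                          # accept CRLF line endings
    /^-----BEGIN [A-Z0-9 ]+-----$/ {
        if (cur != "") { printf "line %d: BEGIN inside unclosed %s block\n", NR, cur; bad = 1 }
        cur = $0; sub(/^-----BEGIN /, "", cur); sub(/-----$/, "", cur)
        blocks++; next
    }
    /^-----END [A-Z0-9 ]+-----$/ {
        lbl = $0; sub(/^-----END /, "", lbl); sub(/-----$/, "", lbl)
        if (cur == "") { printf "line %d: END %s without BEGIN\n", NR, lbl; bad = 1 }
        else if (lbl != cur) { printf "line %d: END %s closes BEGIN %s\n", NR, lbl, cur; bad = 1 }
        cur = ""; next
    }
    /-----(BEGIN|END)/ {                        # boundary with stray characters
        printf "line %d: malformed boundary line\n", NR; bad = 1; next
    }
    # Inside a block only Base64 is expected; legacy "Name: value" key headers
    # and the blank line that follows them are allowed.
    cur != "" && $0 != "" && $0 !~ "^[A-Za-z0-9+/=]+$" && $0 !~ "^[A-Za-z-]+: " {
        printf "line %d: non-Base64 content in %s block\n", NR, cur; bad = 1
    }
    END {
        if (cur != "") { printf "end of file: %s block never closed\n", cur; bad = 1 }
        if (blocks == 0) { print "no PEM blocks found"; bad = 1 }
        exit bad + 0
    }' "$1"
}

# pem_has_private_key FILE: true if any private-key block is present,
# e.g. to stop a bundle from being committed or published.
pem_has_private_key() {
    grep -q -- '-----BEGIN [A-Z ]*PRIVATE KEY-----' "$1"
}
```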
