Field Reference

PEM Certificate Format Explained

PEM is the most common format for SSL certificates — a Base64-encoded DER certificate wrapped in header/footer lines. Learn what PEM is and how to work with PEM files.

PEM (Privacy Enhanced Mail) is the most common encoding format for SSL/TLS certificates. A PEM-encoded certificate is a Base64-encoded DER certificate wrapped between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- header/footer lines. Despite the name, PEM has nothing to do with email in modern usage — it's simply the de facto standard for distributing X.509 certificates as text files.

PEM Structure

A PEM certificate looks like this:

-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
... (Base64-encoded DER bytes, 64 characters per line) ...
k9mO1/a5kLJHKFM5HBTlJOm5
-----END CERTIFICATE-----

The content between the headers is the DER (Distinguished Encoding Rules) binary format of the X.509 certificate, encoded as Base64. Whitespace and line breaks are ignored — the Base64 data is what matters.

Multiple Certificates in One File

PEM files can contain multiple certificates concatenated together. This is commonly used for certificate chains — the leaf certificate first, followed by any intermediates. Let's Encrypt's fullchain.pem is an example. You can paste a multi-certificate PEM into the decoder and each certificate will be decoded individually.

PEM File Extensions

PEM files use various extensions depending on context:

  • .pem — generic PEM file, could be a cert, key, or both
  • .crt or .cer — certificate file, usually PEM on Unix/Linux systems
  • .key — private key file (also usually PEM format)
  • .ca-bundle — CA bundle (multiple intermediate/root CAs)

The file extension doesn't change the actual format — a .crt file is usually PEM-encoded. Open it in a text editor to confirm: if it starts with -----BEGIN, it's PEM.

Converting From Other Formats to PEM

To convert a DER binary certificate (.der) to PEM:

openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM

To convert a PKCS#12 bundle (.p12 / .pfx) to PEM:

openssl pkcs12 -in bundle.p12 -nokeys -out cert.pem

The alternative binary encoding is DER format — see that guide for when to use binary vs. PEM.

Ready to inspect a certificate?

Use the free decoder to decode any PEM certificate and see all fields including pem certificate format explained.

Decode a Certificate