How do I create fullchain.pem?

Concatenate your server certificate followed by the intermediate certificate(s) into one file. Example: 'cat cert.pem intermediate.pem > fullchain.pem'. The server certificate must appear first, then the chain.

How do I convert a PFX/P12 file to PEM?

Use OpenSSL. For a combined output: 'openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes'. To extract parts: '... -clcerts -nokeys -out cert.pem' for the certificate and '... -nocerts -out key.encrypted.pem' for the key, then decrypt with 'openssl rsa -in key.encrypted.pem -out privkey.pem'.

What PEM files does NGINX require?

NGINX typically needs two PEM files: 'ssl_certificate' pointing to fullchain.pem (server certificate + intermediates) and 'ssl_certificate_key' pointing to privkey.pem (the private key).

What PEM format does HAProxy expect?

HAProxy usually expects a single .pem bundle that includes the server certificate, the intermediate certificate(s), and the private key in one file, referenced by the 'crt' parameter.

How do I import a PEM certificate into AWS ACM?

AWS ACM requires three PEM blocks: the certificate body, an unencrypted private key, and the certificate chain. You can paste them in the console or use the CLI with '--certificate', '--private-key', and '--certificate-chain'.

How do I create a Kubernetes TLS secret from PEM files?

Prepare two PEM files: tls.crt (certificate, optionally with chain) and tls.key (matching private key). Create the secret with: 'kubectl create secret tls my-tls --cert=tls.crt --key=tls.key' and reference it in your Ingress.

How can I verify that a certificate and private key match?

Compare their moduli: 'openssl rsa -in privkey.pem -modulus -noout | openssl md5' and 'openssl x509 -in cert.pem -modulus -noout | openssl md5'. If the hashes match, the key and certificate belong together.

Why am I getting “unable to get local issuer certificate” after installing PEM files?

Your server is likely not serving the full chain. Rebuild a correct fullchain.pem by appending the intermediate certificate(s) after the server certificate, then reload your server.

How to Create .pem File for SSL Certificate Installation

Q: What is a PEM file in SSL/TLS?

A PEM file is a Base64-encoded, text-format container used to store certificates, private keys, and certificate chains for SSL/TLS. It includes BEGIN/END headers such as '-----BEGIN CERTIFICATE-----' and is widely supported by servers and cloud platforms.

Q: Are .cer or .crt files the same as PEM?

They can be. The extension doesn't guarantee encoding. Open the file in a text editor—if you see BEGIN/END headers and Base64 data, it is PEM; otherwise it may be DER and should be converted.

Secure communication on the web depends on SSL/TLS certificates — without them, browsers like Chrome, Firefox, and Edge can’t verify a website’s authenticity or encrypt sensitive data. While configuring HTTPS, one of the most common requirements across servers, load balancers, and cloud platforms is a PEM file. Whether you’re deploying a new SSL certificate, switching hosting providers, setting up a Kubernetes ingress, or importing certs into AWS ACM, chances are you’ll eventually need to create or convert files into .pem format.

Despite how often they appear in documentation, PEM files can be confusing. Are they the same as .crt or .cer? Do they contain just certificates, the private key, or both? Why do some systems require fullchain.pem and others expect a single .pem with certificate, chain, and key all in one file?

This guide explains exactly what PEM files are, why they’re used, and most importantly — how to create, convert, validate, and troubleshoot them for real-world SSL certificate installations. Whether you’re a web server admin, DevOps engineer, cloud architect, or simply installing an SSL cert on a hosting platform that asks for “PEM format,” this tutorial breaks down the essential steps and best practices you need to know.

Let’s start by understanding what a PEM file is and why it’s the industry standard for secure certificate handling across environments like NGINX, HAProxy, Apache, AWS, and Kubernetes.

What is a PEM File?

A PEM file is a text-based format for storing and transmitting cryptographic keys, certificates, and certificate chains. Rather than being a unique file type, PEM is a container format that uses Base64 encoding to represent binary data in a readable ASCII format. Each PEM file contains one or more blocks surrounded by recognizable boundary markers like:

PEM stands for Privacy Enhanced Mail, a protocol developed to secure emails in the early days of the internet. While its original use case faded, the PEM format itself became widely adopted for SSL/TLS certificates and is now the standard for web servers, load balancers, reverse proxies, DNS providers, DevOps platforms, and certificate authorities.

One of the main reasons for PEM’s popularity is its flexibility:

A single PEM file can contain multiple certificates (e.g., server + intermediate chain).
PEM can hold both a certificate and its associated private key.
It’s human-readable and can be opened and edited in a text editor.
It works seamlessly across popular platforms like Apache, NGINX, HAProxy, AWS ACM, Traefik, Kubernetes, and OpenSSL.

Compare that with other formats like DER (binary), PFX/P12 (encrypted archive), or JKS (Java keystore format), and it’s clear why PEM is often the required or preferred format in modern deployments.

In short: if you’re working with SSL certificates on Linux servers, cloud infrastructure, or containers — knowing how to construct and manipulate PEM files is essential.

Understanding SSL File Formats (CRT, CER, DER, PEM, PFX, etc.)

When dealing with SSL/TLS certificates, it’s common to encounter a variety of file formats, which can often lead to confusion—especially when you’re preparing a certificate for installation or migrating between different platforms. While all SSL certificates follow the X.509 standard, the way they’re stored and encoded varies depending on the operating system, server type, or certificate authority (CA). Understanding these formats is crucial for creating the correct .pem file for your setup.

Here’s a breakdown of the most common certificate formats and how they relate to each other:

PEM (.pem, .crt, .cer, .key)

PEM is a Base64-encoded, textual format used across most Unix/Linux-based systems. It’s the most common format for SSL certificates and private keys, especially on platforms like NGINX, Apache, HAProxy, and Kubernetes.

PEM files usually contain:

Public certificate: -----BEGIN CERTIFICATE-----
Private key: -----BEGIN PRIVATE KEY-----
Certificate chain: intermediate or root CA certificates

File extensions such as .pem, .crt, .cer, and .key are often PEM-encoded files—the content matters more than the extension.

DER (.der)

DER is a binary-encoded form of a certificate. It’s commonly used with Java platforms or Windows environments. A .cer file may be DER or PEM, so you should open it in a text editor to know for sure.

DER files will look like binary (non-readable) when opened.
Can be converted to PEM using OpenSSL.

CRT and CER (.crt, .cer)

These are often PEM or DER encoded certificates. While .crt is more common in Linux servers and .cer on Windows, the extension doesn’t inherently define the encoding.

To verify the encoding: open the file in a text editor. If it contains BEGIN CERTIFICATE, it’s PEM.
If it’s binary (non-readable), it’s likely DER.

PFX/P12 (.pfx, .p12)

PFX (also called PKCS#12) is a binary archive format that can bundle a certificate, private key, and full certificate chain in one file. It’s commonly used on Windows/IIS servers, Microsoft Azure, and some VPN appliances.

Requires a password to open or extract contents
Often needs to be converted into PEM format for Linux-based servers (e.g., NGINX, Apache)

JKS (.jks)

Java Keystore (JKS) is used specifically by Java applications like Tomcat, WebSphere, or certain microservice deployments. It stores certs and keys securely but isn’t directly compatible with PEM without conversion.

Key Takeaways Before Creating a PEM File:

Always inspect certificate contents before converting. Look for base64-encoded text vs binary.
Know what your platform expects. Some require a single combined PEM, others need separate .pem files for the private key, server certificate, and full chain.
OpenSSL can convert between almost any certificate format. If you can’t install a .crt or .pfx directly, convert it to a PEM.

Next, we’ll cover when and why you need specific PEM file types, depending on whether you’re using NGINX, Apache, Kubernetes, AWS ACM, or HAProxy.

When Do You Need PEM Files?

PEM files are required in many modern SSL/TLS deployments because they’re compatible with a wide range of tools, servers, and cloud platforms. As a result, the ability to correctly format, combine, and deploy PEM files has become an essential skill for system administrators, DevOps engineers, and cloud architects.

Depending on the platform or service you’re using, you may need to prepare one or more PEM files containing:

Just the server certificate
The server certificate plus intermediate certificates (known as the full chain)
The server certificate, intermediate certificate(s), and private key — all in one file

Below are some of the most common platforms and scenarios where PEM files are required, along with what type of PEM file they expect.

1. NGINX

NGINX requires two separate PEM files for SSL configuration:

ssl_certificate: Contains the server certificate followed by intermediate certificates (i.e., the full chain). This is often called fullchain.pem
ssl_certificate_key: Contains the private key in PEM format, typically called privkey.pem

These files are referenced in the server’s SSL block, for example:

If either file is missing or formatted incorrectly, NGINX will fail to start, or browsers will display a certificate validation error.

2. Apache

Like NGINX, Apache can accept certificates in PEM format, but its configuration is slightly more flexible. Apache allows:

Separate files for the server certificate, private key, and certificate chain
Or a combined PEM for the certificate and chain

Example configuration in Apache:

Apache won’t start properly unless the certificate and key match, and the full certificate chain is provided.

3. HAProxy

HAProxy expects a single PEM file that includes everything the SSL stack needs:

Certificate
Private key
Intermediate certificates

These must be concatenated in the correct order into one .pem file. This file is then passed to the crt parameter in HAProxy’s config:

If the private key or chain is missing from the PEM, HAProxy will either throw an error or break the SSL handshake for clients.

4. AWS Certificate Manager (ACM)

AWS ACM accepts imported certificates in PEM format only, and each file must be structured correctly:

Certificate body (-----BEGIN CERTIFICATE-----)
Private key (-----BEGIN PRIVATE KEY-----)
Certificate chain (if applicable)

AWS rejects encrypted private keys and improperly formatted PEM files. This is common when converting from PFX or unverified formats.

5. Kubernetes (TLS Secrets)

When you create a TLS secret in Kubernetes, you must provide two PEM-formatted files:

tls.crt — contains the certificate (optionally with chain)
tls.key — contains the private key

Example to create a TLS secret:

Incorrect formatting in either file will cause ingress controllers like NGINX Ingress or Traefik to throw errors.

6. Load Balancers, Mail Servers, DevOps Tools

Many other services also require PEM files, including:

Cloudflare Origin Certificates
Postfix and Dovecot (for SMTP/IMAP TLS)
Docker Swarm and Traefik reverse proxies
Envoy, OpenVPN, LDAP, and MQTT brokers

Key Insight

The core of PEM usage revolves around server compatibility and chain trust. Whether you’re creating a single .pem for HAProxy or building a fullchain.pem for NGINX, the goal is always the same: provide the server with the exact combination of certificate components it needs to complete a secure handshake with clients.

Creating PEM Files from Existing Certificates

Creating a PEM file for SSL certificate installation typically involves organizing or converting existing certificate materials into the correct format and structure expected by your server or platform. These materials often include:

A server certificate (e.g., yourdomain.crt or certificate.cer)
A private key (e.g., yourdomain.key)
One or more intermediate certificates, provided by the Certificate Authority (CA)

Depending on your environment, you may need to combine these into one .pem file, split them into multiple .pem files, or convert them from other formats such as .pfx or .der.

Below are detailed, step-by-step instructions for preparing PEM files from the most common certificate components.

1. Creating PEM Files from `.crt` and `.key` Files

When you receive a certificate from a trusted CA, you’ll usually get multiple files — such as a server certificate (.crt) and a matching private key (.key). To deploy this certificate in PEM format, you may need to:

Keep them separate (e.g., for NGINX or Apache)
Combine them into a single PEM file (e.g., for HAProxy)

First, check whether your .crt file is already in PEM format by opening it in a text editor. If it contains lines like:

then it’s already PEM-encoded. If not, you’ll need to convert it.

2. Creating `fullchain.pem` (Server + Intermediate Certificates)

Many servers (such as NGINX) require a fullchain.pem file that includes both the server’s certificate and one or more intermediate certificates. This helps the browser build a complete trust chain.

To create fullchain.pem, do the following:

Open your server certificate (cert.crt) in a text editor.
Open your intermediate certificate(s), often provided as intermediate.crt or ca-bundle.crt.
Create a new file called fullchain.pem.
Paste the server certificate first, then the intermediate certificate(s), one after the other.

Example:

Save and close the file. You now have a fullchain.pem.

3. Creating `privkey.pem` from a Private Key

If your private key is already in PEM format (contains -----BEGIN PRIVATE KEY-----), you can simply rename it to privkey.pem.

If it’s encrypted or in a different format, you’ll need to decrypt or convert it using OpenSSL:

To remove a passphrase from a private key:

You now have a decrypted privkey.pem suitable for server use.

4. Verifying a Certificate and Private Key Match

Before combining or deploying PEM files, it’s critical to ensure that the certificate and key match.

You can do this by comparing their modulus:

If the hash output matches, they correspond.

5. Combining Certificate and Key in a Single PEM

Some platforms (e.g., HAProxy, Postfix, some load balancers) require the certificate and private key to be combined into a single .pem file.

To create a combined .pem:

To also include the intermediate chain:

Note the order:

Certificate
Intermediate(s)
Private key

This structure is essential for compatibility.

6. Converting from Other Formats (Overview)

Many real-world scenarios involve converting from .pfx, .p12, .der, or .cer to .pem. This is common when migrating certificates between Windows IIS, Azure, and Linux servers.

For instance, to convert .pfx to .pem:

We’ll cover this in more detail in the next section: “Converting PFX/P12 to PEM with OpenSSL.”

Summary

By preparing or combining .crt, .cer, .key, and intermediate certificates into .pem format, you’re ensuring compatibility with a wide range of systems that use PEM-based certificate handling for HTTPS, reverse proxies, load balancers, and more. The exact PEM structure depends on your platform, but the content — certificates and private keys — are always the same.

Creating PEM Files for Specific Platforms

Once you’ve prepared your certificate and private key in PEM format, the next challenge is assembling and formatting them correctly for your specific platform or server environment. Different platforms require different file structures, naming conventions, or ordering of certificate materials. Misplacing even a single line in these files can result in SSL handshake errors, chain validation failures, or service downtime.

Below, we’ll walk through how to create and deploy PEM files for several common platforms including NGINX, Apache, HAProxy, AWS ACM, and Kubernetes. Each section includes real configuration examples and the exact PEM file format expected.

1. Creating PEM Files for NGINX

NGINX uses two separate PEM files for SSL configuration:

ssl_certificate
This must contain the server certificate and the intermediate certificates — combined in the correct chain order. This file is typically named fullchain.pem.
ssl_certificate_key
This must contain the private key in PEM format — often named privkey.pem.

Example folder layout:

NGINX configuration:

Important notes:

The fullchain.pem file must include your certificate first, followed by the required intermediate certificates.
If the intermediate certificate is missing or out of order, browsers may show errors such as NET::ERR_CERT_AUTHORITY_INVALID or unable to get local issuer certificate.

Once files are in place, restart NGINX:

To verify chain structure:

2. Creating a Single `.pem` File for HAProxy

Unlike NGINX, HAProxy requires a single PEM file that contains the following content in this exact order:

Server certificate
Intermediate certificate(s)
Private key

This single PEM file is referenced by the crt directive in HAProxy’s configuration.

Steps to build the .pem file:

HAProxy configuration example:

Notes:

If another tool (like Certbot) generated your certificate files, verify they’re in PEM format before concatenating.
If the PEM is misordered or missing a key, HAProxy will fail to start or terminate SSL with handshake errors.

Restart HAProxy when finished:

3. Preparing PEM Files for AWS Certificate Manager (ACM)

AWS ACM requires certificates to be imported in three separate blocks — but all blocks must be in PEM format. You cannot upload encrypted private keys or DER-based certificate files.

To import a certificate into AWS ACM, you must have:

Certificate body (your server certificate)
Private key (unencrypted)
Certificate chain (intermediate CA certificates)

How to upload via AWS CLI:

Key rules:

The private key must not be password protected.
The chain file should not include the root CA.

4. Creating TLS Secrets in Kubernetes (kubectl)

Kubernetes uses TLS secrets to supply SSL certificates to pods, ingresses, and other resources. These secrets require two PEM-formatted files:

tls.crt — contains the certificate (can optionally include the chain)
tls.key — contains the private key

Step 1: Prepare the PEM files

Step 2: Create the K8s secret

Sample Ingress configuration:

Ingress controllers like NGINX Ingress or Traefik will automatically use the PEM files stored in your Kubernetes secret to terminate TLS at the load balancer or ingress layer.

Additional Platforms That Use PEM Files

Platform / Tool	PEM Format Requirement
OpenVPN	Certificate + key + CA bundle
Envoy / Traefik	Separate cert and key in PEM
Docker Swarm Secrets	PEM-encoded cert and private key files
CloudFlare Origin Certs	Requires PEM-encoded private key + certificate

Converting PFX/P12 to PEM with OpenSSL

It’s common to receive SSL certificates in .pfx or .p12 format, especially when exporting from Windows servers like IIS or when a hosting provider delivers a bundled certificate. A .pfx (or .p12) file is a PKCS#12 archive format that contains the associated certificate, private key, and certificate chain — all in one password-protected file.

However, most Linux-based environments (like NGINX, Apache, or HAProxy) require files to be in PEM format, where the certificate, private key, and chain are stored in readable, separate, or concatenated .pem files. This is where OpenSSL comes into play.

Below are the step-by-step instructions with OpenSSL to convert .pfx or .p12 to PEM format, along with examples for extracting each part of the certificate bundle.

Extract Everything into a Single PEM File

If you want to extract both the private key and certificates into one file (combined PEM):

What this command does:

Converts the .pfx into a .pem
-nodes prevents the private key from being encrypted during export
Outputs a combined .pem containing:
- The private key
- The server certificate
- Any intermediate certificates

Extract Only the Certificate

To extract only the public certificate from the .pfx file:

This creates a clean certificate file without the private key.

Extract Only the Private Key

To extract the private key without the certificate:

If the key is encrypted and you’d prefer an unencrypted version:

This is often needed for platforms like AWS ACM, which do not accept encrypted private keys.

Extract the Certificate Chain

If you need to extract intermediate or root certificates from the .pfx file:

This generates a chain.pem file containing all the intermediate certificates. If these are bundled with the server certificate, remember to append them to fullchain.pem in the proper order (cert.pem first, chain.pem below it).

Splitting a Combined PEM File

If you accidentally used the -nodes flag and created a combined PEM file (with key + cert + chain all mixed together), you can manually split it by copying text blocks in a text editor.

Example separators:

Verifying the Certificate and Key Match

After extracting files, you should confirm that your key matches the certificate:

If the hashes match, the key and certificate belong together.

Why Convert from PFX?

Reason	Benefit
Migrate from IIS to NGINX/Apache	Required PEM format for SSL termination
Cloud imports (AWS, GCP, Azure)	Many cloud services accept only PEM-formatted files
Improved audit visibility	PEM files can be read and debugged directly in a text editor
Separate deployment contexts	PEM lets you split cert, key, chain into flexible sets

Validating and Troubleshooting Your PEM Files

After creating or converting your PEM files, it’s crucial to validate them before deploying to a live environment. Invalid or incomplete PEM files are one of the most common causes of SSL/TLS handshake errors, service downtime, and browser warnings such as NET::ERR_CERT_AUTHORITY_INVALID, SSL_ERROR_BAD_CERT_DOMAIN, or “The certificate chain was issued by an untrusted authority.”

These issues stem from mistakes like missing certificate chains, mismatched keys, incorrect file order, corrupted PEM headers, or even wrong file permissions. Fortunately, most of these problems can be solved or proactively prevented with some simple OpenSSL validation commands and proper debugging practices.

Below, we’ll walk through how to validate your PEM files and troubleshoot common errors that arise during installation.

Step 1: Confirm the PEM Encoding is Valid

Start by ensuring the PEM file is valid and readable:

If you see the certificate metadata (e.g., issuer, subject, serial number), the file is correctly formatted.

If the command returns errors, check for:

Corrupted BEGIN or END markers
Extra whitespace or line breaks
Incorrect line-ending format (Windows CRLF instead of Unix LF)

Step 2: Check if Certificate and Key Match

Before deploying, make sure the private key and certificate were generated or issued together. Use this command pair to match their modulus hashes:

If the output hashes match — you’re good. If not — the certificate and key do not belong together, and your server will reject the pairing during SSL handshake.

Step 3: Validate the Full Certificate Chain

To ensure the certificate was issued by a trusted CA, test chain verification:

This checks whether the certificate chains correctly to the CA. If you get an error like:

It means your chain.pem is missing one or more intermediate certificates.

Step 4: Full SSL Handshake Test

Once your certificate and key look correct, test the SSL handshake as a client would:

This command shows:

The certificate served by the server
Intermediate certificates sent during the handshake
Whether the chain is complete and trusted

Check for entries like:

If instead you see:

self signed certificate
certificate verify failed
unable to get local issuer certificate

Then your deployed PEM configuration is invalid or incomplete.

Step 5: Permission and Ownership Check (Linux Systems)

On Linux servers like NGINX or Apache, permissions are crucial. Always ensure:

Certificate and chain (.pem) files are readable by the web server process (usually nginx, www-data, or apache)
Private key files are readable only by root or the appropriate user (600 or 400 perms recommended)

Example:

Common PEM Troubleshooting Errors

Error Message/Behavior	Likely Cause	Fix
“No such file or directory” during reload	Wrong file path in config	Verify absolute path or copy file to proper location
`unable to get local issuer certificate`	Missing or incorrect intermediate certificate	Build and deploy complete `fullchain.pem`
“PEM routines:get_name:no start line”	Corrupted PEM headers or binary file content	Ensure proper `BEGIN CERTIFICATE` markers with LF endings
HAProxy fails to start	PEM missing private key or wrong order	Rebuild combined `.pem` in correct cert > chain > key order
AWS ACM import fails with “Encrypted private key”	Key extracted with passphrase	Use OpenSSL to decrypt key before upload
Kubernetes ingress not serving HTTPS	Misformatted `tls.crt` or `tls.key` files	Ensure both files are PEM-formatted and match

Pro Tip: Use `certbot certificates` or `acme.sh` to Inspect PEM Layouts

If you’re using Let’s Encrypt or other ACME clients, their built-in commands (like certbot certificates or acme.sh --info) can quickly show you how fullchain.pem and privkey.pem are structured, and where the default paths are located.

Troubleshooting PEM File Errors

Even when your certificate, private key, and intermediates are correct, small mistakes in PEM structure or deployment can trigger browser warnings, SSL handshake failures, and confusing server errors. Effective troubleshooting starts by recognizing patterns in the error messages and understanding how PEM parsing and chain building work on your target platform. The guidance below focuses on root causes, how to confirm them, and precise fixes for NGINX, Apache, HAProxy, AWS ACM, and Kubernetes.

1) “unable to get local issuer certificate” or chain validation failures

This message indicates the client cannot build a complete trust path from your server certificate to a trusted root. The usual culprit is a missing or misordered intermediate certificate. Some clients cache intermediates and appear to “work” while others fail, which makes this issue intermittent in testing and difficult to reproduce.

How to fix:

Rebuild a proper fullchain.pem that places your leaf certificate first, followed by the intermediate certificate(s) in order. Do not include the root CA unless your platform explicitly requires it.
Validate locally before redeploying:
- openssl verify -CAfile chain.pem cert.pem
- openssl s_client -connect domain:443 -servername domain -showcerts and confirm the server presents the leaf followed by intermediates.
If you manage multiple certs for different names, ensure the presented certificate matches the requested hostname via SNI (-servername flag in s_client).

2) “PEM routines:get_name:no start line” or parse errors

Servers and libraries expect exact ASCII armor boundaries and LF line endings. This error occurs when the file is not PEM at all (binary DER content), the armor markers are missing or misspelled, or the file contains extra characters inserted by copy/paste or text editors.

How to fix:

Open the file and confirm it contains clean blocks:
- -----BEGIN CERTIFICATE----- … -----END CERTIFICATE-----
- -----BEGIN PRIVATE KEY----- … -----END PRIVATE KEY-----
Convert binary DER to PEM if needed:
- openssl x509 -inform DER -in cert.der -out cert.pem
- openssl rsa -inform DER -in key.der -out key.pem
Normalize line endings to LF on Unix servers and remove trailing spaces or BOM markers.

3) Key–certificate mismatch during reload or handshake

Mismatched materials surface as “key values mismatch” or generic handshake failures. This happens when the private key used to generate the CSR does not correspond to the installed certificate.

How to fix:

Compare moduli:
- openssl rsa -in privkey.pem -modulus -noout | openssl md5
- openssl x509 -in cert.pem -modulus -noout | openssl md5
If hashes differ, locate the correct key or reissue the certificate from a new CSR and key pair. Avoid reusing keys of unknown origin.

4) Wrong concatenation order for platform-specific bundles

Order matters. NGINX expects ssl_certificate to include the leaf followed by intermediates; HAProxy expects a single .pem that typically contains the certificate(s) followed by the private key; some appliances want key first, then certificate. An incorrect order can cause silent failures or error logs that point to unrelated issues.

How to fix:

NGINX:
- fullchain.pem = leaf then intermediates
- privkey.pem = private key only
HAProxy:
- Single .pem with certificate, intermediate(s), then private key (most commonly)
- Bind with crt /path/bundle.pem
Apache:
- Either separate files for leaf and chain or a full chain file for SSLCertificateFile and a separate key for SSLCertificateKeyFile
Always consult your platform’s expected order and rebuild the PEM accordingly.

5) Encrypted private key rejected by services (e.g., AWS ACM)

If your key is protected with a passphrase, some services and automation workflows cannot import or read it. You may see import failures or startup prompts that block unattended reloads.

How to fix:

Decrypt the key locally and secure it with strict permissions:
- openssl rsa -in key.encrypted.pem -out privkey.pem
Restrict access:
- chmod 600 privkey.pem && chown root:root privkey.pem
Store the original encrypted key securely; deploy the unencrypted key only where required.

6) CRLF line endings or hidden characters from editors

Copying PEM blocks via web GUIs or word processors can introduce CRLF line endings, smart quotes, or invisible characters that break parsing.

How to fix:

Convert to LF:
- dos2unix file.pem or sed -i 's/\r$//' file.pem
Use a plain-text editor that preserves ASCII armor exactly (e.g., vim, nano, VS Code with LF).

7) Serving the wrong certificate due to SNI or path mistakes

If multiple virtual hosts or cert paths are configured, the server may present the wrong certificate for a hostname, leading to name mismatch errors even if the PEM is correct.

How to fix:

Confirm the server_name (NGINX) or ServerName/ServerAlias (Apache) matches the requested domain.
Verify which virtual host answers with:
- curl -Iv https://domain --resolve domain:443:IP
Check you aren’t referencing a stale path (e.g., old Let’s Encrypt directory). Ensure your automation updates the exact files used by the live configuration.

8) Permissions and SELinux/AppArmor denials

Web servers need read access to certificates and keys. Overly restrictive permissions or mandatory access control (MAC) rules can cause silent failures or “permission denied” in error logs.

How to fix:

Use minimal, correct permissions:
- Keys: 600, owned by root or the service user
- Certs/chain: 644 or 640, readable by the service
For SELinux:
- Place files under expected contexts or run restorecon -Rv /etc/nginx/ssl
- Check denials with ausearch -m avc -ts recent

9) Mixed intermediate chains or wrong CA bundle

Some CAs rotate intermediates or provide multiple chain options. Mixing intermediates from different chains can create a path that only some clients accept.

How to fix:

Download the current, recommended intermediate(s) from your CA.
Rebuild chain.pem with the correct sequence for your leaf.
Revalidate with openssl verify -CAfile chain.pem cert.pem and confirm with a live s_client test.

10) Kubernetes TLS secret issues

Ingress controllers require PEM-encoded tls.crt and tls.key that match. If the secret contains the wrong order or an extra root, TLS may fail at the edge.

How to fix:

Recreate the secret from known-good PEMs:
- kubectl delete secret my-tls && kubectl create secret tls my-tls --cert=tls.crt --key=tls.key
If your controller expects the full chain in tls.crt, append intermediates under the leaf.
Confirm the Ingress references the correct secretName and host.

11) HAProxy not loading the bundle

HAProxy requires the combined .pem to include the certificate and private key. Missing any component, or placing them in the wrong order, prevents TLS from initializing.

How to fix:

Rebuild with:
- cat cert.pem chain.pem privkey.pem > haproxy.pem
Point bind *:443 ssl crt /etc/haproxy/certs/haproxy.pem
Check logs on startup; use openssl s_client to verify the served chain.

12) Residual caches masking your changes

Browsers, CDNs, and TLS-terminating proxies cache certificate data. After fixing files, you might still see old errors.

How to fix:

Purge CDN and reverse proxy caches.
Restart or reload the service (systemctl reload nginx / apachectl graceful / systemctl restart haproxy).
Test in a fresh browser profile or with curl/OpenSSL to bypass browser cache.
Verify live presentation with:
- openssl s_client -connect domain:443 -servername domain -showcerts

13) Name mismatch or SAN issues unrelated to PEM layout

If your certificate’s Subject Alternative Name (SAN) does not include the requested host, the handshake will succeed but the client will reject the identity with a domain mismatch error.

How to fix:

Inspect SANs:
- openssl x509 -in cert.pem -noout -text | grep -A1 "Subject Alternative Name"
Reissue the certificate including all hostnames and wildcards required by your service.

Quick diagnostic sequence (practical checklist)

Use this fast path to isolate most PEM-related problems:

Inspect file structure and encoding:
- openssl x509 -in cert.pem -noout -text
- Confirm plain ASCII armor and LF line endings
Confirm key–cert pairing:
- Compare moduli of privkey.pem and cert.pem
Validate the chain offline:
- openssl verify -CAfile chain.pem cert.pem
Verify live presentation:
- openssl s_client -connect domain:443 -servername domain -showcerts
Check platform-specific expectations:
- NGINX: fullchain.pem + privkey.pem
- HAProxy: single .pem with cert + chain + key
- Apache: correct file directives for leaf, chain, key
Clear caches and reload services; confirm permissions and SELinux contexts.

By approaching PEM issues methodically—verifying encoding, pairing, chain order, platform expectations, and runtime permissions—you can resolve almost every certificate installation problem without guesswork. If an error persists after these checks, re-extract the materials from the original source (PFX or CA bundle), rebuild the PEM files from scratch, and revalidate with the same sequence.

FAQs (Frequently Asked Questions)

Below is a list of commonly asked questions about creating and using PEM files for SSL certificate installation. These responses are written to be clear and snippet-ready for search engines, while providing technical depth for developers and administrators.

What is a PEM file in SSL/TLS?

A PEM file is a Base64-encoded text file that contains cryptographic materials used for SSL/TLS, like certificates, private keys, and certificate chains. PEM files include clearly marked headers such as:

They are commonly used on Linux-based servers (NGINX, Apache, HAProxy) and cloud systems (AWS, Kubernetes).

How do I create a `fullchain.pem` file?

To create a fullchain.pem file, concatenate your server certificate and intermediate certificate(s) into one file using a text editor or command line.

Example command:

The order is important — server certificate first, then intermediate chain(s).

How do I create a PEM file from a .pfx file?

Use OpenSSL to extract the certificate, key, or both from a .pfx (or .p12) file:

This creates a PEM file containing both the private key and certificate(s). You may then split them into separate files if needed.

Can a PEM file contain both the certificate and private key?

Yes. Many platforms like HAProxy or Postfix require a single PEM file that includes:

The certificate
The intermediate chain (optional)
The private key

You can combine them with:

Why is my server showing “unable to get local issuer certificate”?

This error means the certificate chain is incomplete. The server is missing one or more intermediate certificates. Fix it by creating a proper full chain PEM (usually called fullchain.pem) and updating your server configuration to reference it.

Are `.cer` or `.crt` files the same as PEM?

Yes and no. The .cer and .crt extensions are not exclusive to PEM encoding — they can also contain binary DER-encoded data. You can check by opening the file in a text editor. If you see Base64-encoded blocks with BEGIN CERTIFICATE, it’s PEM.

How do I validate a PEM file before deploying?

Use OpenSSL commands like:

To inspect the certificate:

openssl x509 -in cert.pem -noout -text
To verify the chain:

openssl verify -CAfile chain.pem cert.pem
To match private key and certificate:

openssl rsa -in privkey.pem -modulus -noout | openssl md5 openssl x509 -in cert.pem -modulus -noout | openssl md5

Why does AWS ACM reject my PEM files?

AWS Certificate Manager does not accept encrypted private keys or non-PEM formats like DER. Ensure:

Your private key is unencrypted (use openssl rsa -in encrypted.key -out privkey.pem to decrypt)
You upload valid -----BEGIN CERTIFICATE----- and -----BEGIN PRIVATE KEY----- blocks
Your chain file does not include the root CA

Can a PEM file include multiple certificates?

Yes. PEM files can include:

Leaf certificate (server cert)
One or more intermediate certificates
CA root certificate (if applicable)

This is often required to create a full certificate chain in a single file.

What’s the difference between `.pem`, `.crt`, and `.key`?

.pem is a generic extension that can include certificates, keys, or chains in text-based form
.crt often represents a certificate file (either PEM or DER)
.key typically represents a PEM-formatted private key

The contents matter more than the file extension. You can reuse or rename files as long as they’re valid and structured correctly.

Conclusion

Creating and deploying PEM files is a core task in modern SSL/TLS management. Whether you’re hosting a website with NGINX, handling traffic through HAProxy, automating certificate rotation in Kubernetes, or importing certificates into AWS ACM, the PEM format is the universal bridge between cryptographic material and the systems that rely on it.

By understanding how PEM files work — including their structure, encoding, and role in certificate chains — you can avoid common pitfalls such as missing intermediate certificates, key mismatches, failed validation during import, and browser trust warnings. With just a few essential tools like OpenSSL and basic file inspection techniques, you can reliably convert certificates from formats like PFX or DER, combine server and chain files into a fullchain PEM, or extract private keys safely and securely.

Key takeaways:

PEM is not a certificate type, but an encoding format used across SSL/TLS.
Always verify the encoding, matching private key, and chain structure before deploying.
Use platform-specific formats: NGINX expects fullchain.pem and privkey.pem; HAProxy needs a combined .pem file; AWS and Kubernetes require separate PEM-encoded certs and keys.
Tools like openssl x509, openssl verify, and openssl s_client are essential for debugging and validation.

Once you master creating and managing PEM files, you’ll be well-prepared for SSL/TLS deployments at any scale — from single websites to cloud-native services or fully automated certificate pipelines.

Compare Items

How to Create .pem File for SSL Certificate Installation