.pem format is also supported for importing the existing key to the key vault

azure-sql/database/transparent-data-encryption-byok-overview.md

@@ -112,7 +112,7 @@ Auditors can use Azure Monitor to review key vault AuditEvent logs, if logging i
 
 - The key must be in the *Enabled* state.
 
-- If you're importing existing key into the key vault, make sure to provide it in the supported file formats (`.pfx`, `.byok`, or `.backup`).
+- If you're importing existing key into the key vault, make sure to provide it in the supported file formats (`.pem`, `.pfx`, `.byok`, or `.backup`).
 
 > [!NOTE]  
 > Azure SQL and SQL Server on Azure VM support using an RSA key stored in a Managed HSM as TDE protector. Azure Key Vault Managed HSM is a fully managed, highly available, single-tenant, standards-compliant cloud service that enables you to safeguard cryptographic keys for your cloud applications, using FIPS 140-2 Level 3 validated HSMs. Learn more about [Managed HSMs](/azure/key-vault/managed-hsm/index) and the configuration or RBAC permissions needed for SQL Server through the article, [Set up SQL Server TDE Extensible Key Management by using Azure Key Vault](/sql/relational-databases/security/encryption/setup-steps-for-extensible-key-management-using-the-azure-key-vault).