diff --git a/builtin/logical/pki/backend_test.go b/builtin/logical/pki/backend_test.go
index 5a159236c..1098b5409 100644
--- a/builtin/logical/pki/backend_test.go
+++ b/builtin/logical/pki/backend_test.go
@@ -1768,7 +1768,7 @@ func TestBackend_PathFetchValidRaw(t *testing.T) {
 if bytes.Compare(resp.Data[logical.HTTPRawBody].([]byte), pemCert) != 0 {
 t.Fatalf("failed to get pem cert")
 }
- if resp.Data[logical.HTTPContentType] != "application/pkix-cert" {
+ if resp.Data[logical.HTTPContentType] != "application/pem-certificate-chain" {
 t.Fatalf("failed to get raw cert content-type")
 }
 }
diff --git a/builtin/logical/pki/ca_test.go b/builtin/logical/pki/ca_test.go
index 5bbb524ed..c1ba77cbd 100644
--- a/builtin/logical/pki/ca_test.go
+++ b/builtin/logical/pki/ca_test.go
@@ -320,7 +320,7 @@ func runSteps(t *testing.T, rootB, intB *backend, client *api.Client, rootName,
 if diff := deep.Equal(resp.Data["http_raw_body"].([]byte), []byte(caCert)); diff != nil {
 t.Fatal(diff)
 }
- if resp.Data["http_content_type"].(string) != "application/pkix-cert" {
+ if resp.Data["http_content_type"].(string) != "application/pem-certificate-chain" {
 t.Fatal("wrong content type")
 }
 }
diff --git a/builtin/logical/pki/path_fetch.go b/builtin/logical/pki/path_fetch.go
index 3636062f8..5740147c4 100644
--- a/builtin/logical/pki/path_fetch.go
+++ b/builtin/logical/pki/path_fetch.go
@@ -157,6 +157,7 @@ func (b *backend) pathFetchRead(ctx context.Context, req *logical.Request, data
 contentType = "application/pkix-cert"
 if req.Path == "ca/pem" {
 pemType = "CERTIFICATE"
+ contentType = "application/pem-certificate-chain"
 }
 case req.Path == "ca_chain" || req.Path == "cert/ca_chain":
 serial = "ca_chain"
@@ -168,6 +169,7 @@ func (b *backend) pathFetchRead(ctx context.Context, req *logical.Request, data
 contentType = "application/pkix-crl"
 if req.Path == "crl/pem" {
 pemType = "X509 CRL"
+ contentType = "application/x-pem-file"
 }
 case req.Path == "cert/crl":
 serial = "crl"
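Review bot: The literal `"application/pem-certificate-chain"` is written out in the `ca/pem` branch of pathFetchRead in the @@ -157 hunk, again in the `/pem` suffix branch of the @@ -177 hunk, and in both updated tests, so a typo in any one copy would put the wrong Content-Type on a certificate response without the other sites noticing. A package-level constant such as `const pemCertChainContentType = "application/pem-certificate-chain"`, used at every site, would keep them in step. A short comment on the override, e.g. `// PEM output: application/pkix-cert describes the DER form only`, would also record why the value assigned a few lines earlier is replaced. pathFetchRead starts and ends outside both hunks.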
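Review bot: Nothing in this diff asserts the new `application/x-pem-file` value set in the `crl/pem` branch of the @@ -168 hunk; both updated tests cover certificate endpoints only, so a regression in the CRL content type would go unnoticed. A test that reads `crl/pem` and checks `resp.Data[logical.HTTPContentType]`, next to the existing certificate checks, would close that gap. Since `application/x-pem-file` is an `x-` type rather than a registered one, a comment on the line such as `// application/pkix-crl is the DER form; PEM CRLs use the conventional x-pem-file` would help the next maintainer. Clients that choose a CRL parser from the Content-Type header will see a different value after this change, which may deserve more than an "improvement" entry in the release note. pathFetchRead's body continues outside the hunk.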
@@ -177,6 +179,7 @@ func (b *backend) pathFetchRead(ctx context.Context, req *logical.Request, data
 contentType = "application/pkix-cert"
 if strings.HasSuffix(req.Path, "/pem") {
 pemType = "CERTIFICATE"
+ contentType = "application/pem-certificate-chain"
 }
 default:
 serial = data.Get("serial").(string)
diff --git a/changelog/13927.txt b/changelog/13927.txt
new file mode 100644
index 000000000..ec0e99fd6
--- /dev/null
+++ b/changelog/13927.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/pki: Use application/pem-certificate-chain for PEM certificates, application/x-pem-file for PEM CRLs
+```