How to Convert Certificates into Different Formats

Various servers and control panels require SSL certificates in different file formats. You can convert between formats using the OpenSSL package, commonly available on Linux and other systems.

Common Certificate File Formats

PEM Format

PEM certificates are Base64 encoded and surrounded by the headers:

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

This format is widely used by Linux-based servers such as Apache, Nginx, and web hosting control panels like cPanel, Plesk, and DirectAdmin. PEM certificates typically have the extensions: .pem, .crt, .cer.

PKCS#7 (.p7b, .p7s)

PKCS#7 files are also Base64 encoded and used primarily by Windows and Java-based servers. They contain certificates and chains but not private keys. A PKCS#7 file is enclosed with:

-----BEGIN PKCS7-----
-----END PKCS7-----

PKCS#12/PFX (.p12, .pfx)

PKCS#12/PFX files are in binary format and can store both certificates and private keys, protected by a password. These files are typically used on Windows machines to transfer certificates between servers.

DER Format

DER is a binary format, often used with Java platforms. The file may have the extension .der or .cer. To distinguish between PEM and DER, open the file in a text editor. If the file contains garbled content, it is in DER format.

Note: If you're converting certificates for IEEE 802.1x network authentication, ensure the client certificate includes the private key. Refer to additional resources for specific conversion steps.

Converting Certificates

Convert to PEM Format (Windows)

  1. Right-click the certificate and select Install Certificate.
  2. Select Current User and click Next.
  3. Select Place all certificates in the following store and click Browse.
  4. Choose Personal and click OK.
  5. Complete the installation, then export the certificate in Base64-encoded X.509 format:
  6. 1. Open certmgr.msc (Windows + R).
    2. Expand Personal -> Certificates.
    3. Right-click your certificate -> All Tasks -> Export.
    4. Select Base-64 encoded X.509 (.cer) and save the file.
    5. Rename the extension to .pem if required.
                

Convert to PEM Format (Linux/OpenSSL)

If you're using OpenSSL, run the following command to convert a DER-formatted certificate to PEM:

openssl x509 -inform der -in certificate.der -out certificate.pem

X.509 Certificate Extensions Overview

SSL certificates come in various formats, typically following the X.509 standard. Common extensions include:

What is the Difference Between .cer and .crt?

There is no technical difference between .cer and .crt file extensions. Both can be in PEM or DER format. However, the required extension may vary by server.

Certificate Formats and Server Requirements

Different servers require different certificate formats:

Certificate Conversion Knowledge Base

How to Convert Certificates into Different Formats

Overview

Different servers and control panels may require SSL certificates in different file formats. You can use the OpenSSL package, generally available on Linux machines, to convert certificates between formats. The certificates we provide are issued in x.509 format, which is the version of the ASN.1 file encoding standard.

In this article, we will discuss the following certificate formats:

PEM Format

PEM is a base64 encoded certificate format placed between the headers: -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

This format is the most widely used, especially for Linux-based servers like Apache and Nginx, and web hosting control panels like cPanel, Plesk, and DirectAdmin. PEM certificates can have the following file extensions: .pem, .crt, .cer.

Example:

-----BEGIN CERTIFICATE-----
Base64-encoded certificate
-----END CERTIFICATE-----
        

PKCS#7 Format

PKCS#7 is another Base64-encoded format, primarily used by Windows and Java-based servers like Tomcat. It can contain both the domain's end-entity certificate and CA chain certificates.

If you open a PKCS#7 file in a text editor, you will see the text between the -----BEGIN PKCS7----- and -----END PKCS7----- headers.

Example:

-----BEGIN PKCS7-----
Base64-encoded PKCS7 certificate
-----END PKCS7-----
        

File extensions: .p7b, .p7s, .cer

PKCS#12/PFX Format

PKCS#12, or PFX, is a binary format that stores the certificate and the corresponding private key, often protected by a password. It can also include CA chain certificates. This format is mostly used on Windows machines.

File extensions: .p12, .pfx

Converting on Windows

Follow these steps to convert certificates on a Windows machine:

  1. Right-click the certificate and select Install Certificate.
  2. Select Current User and click Next.
  3. Select Place all certificates in the following store.
  4. Click Browse, select Personal, and click OK.
  5. Click Next, then Finish.
  6. Open the certmgr.msc utility (Windows key + R).
  7. Expand Personal and select Certificates.
  8. Right-click the imported certificate, go to All Tasks → Export.
  9. Select Base-64 encoded X.509 (.cer) and click Next.
  10. Save the certificate and rename the extension from .cer to .pem.

Converting on Linux

To convert certificates on Linux using OpenSSL, follow these steps:

Convert DER to PEM

openssl x509 -inform der -in certificate.der -out certificate.pem
        

Convert PEM to PKCS#12 (PFX)

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CA.crt
        

DER Format

DER is a binary format for certificates and keys. It is often used with Java platforms. DER files typically have the extension .der or .cer. To identify a DER file, open it in a text editor; if it shows binary content, it is in DER format.

Understanding Certificate Extensions