Read time: 5 minutes
There are many formats in which digital certificates can be downloaded or converted. Following are X.509 certificate encoding formats and extensions:
Binary
- DER: .der, .cer
- PKCS#12: .p12, pfx
Base64
- PKCS#7: .p7c, .p7b
- PEM: .crt, .ca-bundle, .pem
However, different certificate forms have no advantages or disadvantages. It all depends on the certificate’s format requirements for the application that will be using it.
PEM
- A PEM (Privacy Enhanced Mail) file is a Base64-encoded certificate file used to verify a website’s security. It may contain a private key, a server certificate from a certificate authority (CA), or other trust chain certificates. PEM files are compatible with OpenSSL applications and are commonly imported from a Unix-based Apache Web server.
- You can see the contents of a PEM file with the help of a text editor. The file has one or more headers that describe the information contained within it. A PEM file for a certificate includes the “—-BEGIN CERTIFICATE—-” and “—-END CERTIFICATE—-” statements.
- A PEM file can have several certificates and private keys one after another.
- Linux and Unix-based web servers typically use PEM files.
- Commonly used extensions of PEM files are: .cer, .pem, .crt, .key
DER (Distinguished Encoding Rules)
- A DER (Distinguished Encoding Rules) file is a binary format certificate file. As DER files can end in either .der or .cer, you will need to read the file with a text editor to tell the difference between DER.cer and PEM.cer. There should be no BEGIN/END statements in a DER file, or the binary information will be distorted.
- The DER format can be used to encode both digital certificates and private keys.
- DER files are generally used with java platforms.
- Commonly used extensions of DER files are: .cer and .der
PKCS#7
- PKCS#7 is a Base64-encoded certificate file. This format cannot be used to store private keys. Only digital certificates and Certificate Revocation List (CRL) can be stored in PKCS#7 file format.
- A PKCS#7 file contains the “—-BEGIN PKCS7—-” and “—-END PKCS7—-” statements.
- Commonly used extensions of PKCS#7 files are: .p7b and .p7c
- Java Tomcat and Microsoft Windows platforms commonly use these files.
PKCS#12
- PKCS#12 is a single password-protected binary file format that stores the server certificate, intermediate certificate, and private key. It refers to a personal information exchange format.
- Windows platforms commonly use these files to import and export certificates and private keys.
- Commonly used extensions are: .p12, ,pfx
Change Certificate Format By Changing The Extension
You can convert the following file format into different formats by changing the extensions.
PEM
You can change the PEM file format to the following formats by changing its extension:
- .crt
- .cer
- .pem
- .key
For Example: Convert the .crt certificate file into .pem file.
-
Open the .crt certificate file in any text editor.
-
Go to File.
-
Click on Save As
-
In Save as type “Select All Files.”
-
In the File name, enter the file name and the extension you want to convert (.cer, .key, .pem, .crt).
-
click on Save.
DEM
You can change the DER file format to the following formats by changing its extension:
- .der
- .cer
For Example: Convert the .der certificate file into .cer file.
-
Open the certificate in any text editor.
-
Go to File.
-
Click on Save As
-
In Save as type “Select All Files.”
-
In the File name, enter the file name and the extension you want to convert (.cer, .der).
-
Click on Save As
Change Certificate Format Using OpenSSL
PEM
-
Convert PEM to DER:
You can convert the PEM certificate file format to DER by using the command below:
$ openssl x509 -outform der -in certificate.pem -out certificate.der
-
Convert PEM to P7B
You can convert the PEM certificate file format to P7B by using the command below:
$ openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CAcert.cer
-
Note: -certfile CAcert.cer is optional, use this if having more than one PEM certificates and wants to include into P7B file.
-
Convert PEM to PFX
You can convert the PEM certificate file format to PFX by using the command below:
$ openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CAcert.crt
Note: -certfile CAcert.cer is optional, use this if having more than one PEM certificates and wants to include into PFX file.
DER
-
Convert DER (.crt, .cer, .der) to PEM:
You can convert the DER certificate file format to PEM by using the command below:
$ openssl x509 -inform der -in certificate.der -out certificate.pem
P7B
-
Convert P7B to PEM
You can convert the P7B certificate file format to PEM by using the command below:
$ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer -
Convert P7B to PFX
You can convert the P7B certificate file format to PFX by using the two commands below:
$ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer $ openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CAcert.cer -
Note: -certfile CAcert.cer is optional, use this if having more than one P7B certificates and wants to include into PFX file.
PFX
-
Convert PFX to PEM
You can convert the PFX certificate file format to PEM by using the command below:
$ openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
Note: OpenSSL will combine all the Certificates and Private Keys into a single file when converting PFX to PEM format. You will need to open the file in Text Editor and copy each
Certificate and Private key (including the BEGIN/END instructions) to its text file.