SSL certificate format: how to convert a certificate to .pem, .cer, .crt, .der, pkcs or pfx?

SSL (Secure Sockets Layer) is a cryptographic protocol for establishing a more secure connection. It uses asymmetric cryptography to authenticate the exchanged keys, symmetric encryption to maintain confidentiality, and message authentication codes for message integrity. The protocol was widely used for instant messaging and voice over IP (VoIP), and in applications such as e-mail, Internet fax, etc. In 2014, the US government reported a vulnerability in the then-current version of the protocol. SSL should be retired in favor of TLS (see CVE-2014-3566).

SSL was originally developed by Netscape Communications to add the HTTPS protocol to its Netscape Navigator web browser. Subsequently, based on the SSL 3.0 protocol, an RFC standard called TLS was developed and adopted.

To install and run SSL certificates on various platforms and devices, it is often necessary to provide them in different formats. For example, Windows servers use PFX files; for Apache servers, PEM files with the extension .crt or .cer are required. This article answers the following questions:

  • What are the formats of SSL certificates?
  • What is the difference?
  • How to convert SSL certificates from one format to another?

SSL Certificate Formats Overview

PEM Certificate Format

PEM is the most popular format among certificate authorities. PEM certificates can have the extension .pem, .crt, .cer, or .key (private key file). A PEM file is an ASCII file encoded in Base64. When you open a PEM file in a text editor, you can see that the text starts with the tag “-----BEGIN CERTIFICATE-----” and ends with the tag “-----END CERTIFICATE-----”.

Apache and other similar servers use certificates in the PEM format. Please note that a single file may contain several SSL certificates and even a private key, one below the other. In this case, each certificate is separated from the others by the previously specified BEGIN and END tags. As a rule, to install an SSL certificate on Apache, the certificates and private key must be in different files.

DER Certificate Format

DER is a binary form of a certificate, in contrast to the ASCII PEM format. DER files most often use the .cer extension, which PEM files also use, but sometimes the .der extension can be found. Therefore, to distinguish an SSL certificate in PEM format from one in DER format, open it in a text editor and look for the start and end tags of the certificate (BEGIN / END). DER SSL certificates are typically used on Java platforms.

PKCS#7 / P7B certificate

SSL certificates in PKCS#7 or P7B format are files stored in Base64 ASCII format with a .p7b or .p7c file extension. P7B certificates contain the start tag “-----BEGIN PKCS7-----” and the end tag “-----END PKCS7-----”. Files in the P7B format include only your SSL certificate and intermediate SSL certificates. The private key in this case is a separate file. The following platforms support SSL certificates in PKCS#7 / P7B format: Microsoft Windows and Java Tomcat.

PFX certificate (PKCS#12 format)

The PKCS#12 SSL certificate format, also called the PFX certificate, is a binary format that stores not only your server certificate and the intermediate certificate authority certificates in one encrypted file, but also your private key. PFX files, as a rule, have the extension .pfx or .p12. Typically, PFX files are used on Windows servers to import and export SSL certificate files and your private key.

Converting SSL certificates with OpenSSL

These OpenSSL commands convert certificates and keys to different formats in order to make them compatible with certain types of servers or software. For example, you may need to convert an ordinary PEM file that works with Apache to the PFX format (PKCS#12) in order to use it with Tomcat or IIS.

Convert PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM to P7B

openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

Convert PEM to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Convert DER to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert P7B to PFX

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

Convert PFX to PEM

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

Online SSL Certificate Converter

There are also online programs for converting SSL certificates from one format to another. For example, we can recommend the SSL converter from SSLShopper.

Use this SSL converter to convert SSL certificates between formats such as PEM, DER, P7B and PFX. To use the SSL converter, simply select the certificate file and its current type (determined from the file extension), then select the format to which you need to convert the SSL certificate and click the “Convert Certificate” button.

Please note that, depending on the format you need to convert the SSL certificate to, you will need different source files.

Convert PEM to DER

To convert a standard certificate in PEM format to the binary DER format, you only need the SSL certificate file. Usually, you receive it in an archive along with the intermediate certificates. As a rule, its file name contains the name of your domain.

Convert PEM to P7B / PKCS#7

If you need to convert your standard SSL certificate to a P7B / PKCS#7 format file, you can provide the files with the certificate chain in addition to the SSL certificate of your domain. We describe what an SSL certificate chain is in more detail in our article about the CA bundle.

Convert PEM to PFX / PKCS#12

Please note that to convert a standard-format SSL certificate to PFX, you must add one more file: your private key. A private key is confidential information that only you should hold. Therefore, certificate authorities do not send it together with your certificate files.

The private key is created at the time the CSR is generated. If you generate the CSR on your server, the key should be saved on it automatically. If you create the CSR in the special tool on our website (on the linked page or while filling out the technical data), the key is shown to you at the end of CSR generation (or of entering the technical data), but it is not stored in our database. Therefore, it is important that you save the private key yourself.

Convert PFX / PKCS#12 to PEM

When a PFX file is converted to PEM format, all the certificates and the private key end up in a single file. Open the converted file in any text editor and copy the text of each certificate, along with its BEGIN / END tags, to separate files, then save them as certificate.cer (for your server certificate) and cacert.cer (for the chain of intermediate certificates). Do the same with the text of the private key and save it under the name privatekey.key.
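The manual copy step above, and the BEGIN / END check from the DER section, can be scripted. The following is an added example, not code from the original article: it tells PEM from binary DER by content and sorts the blocks of a combined PEM file into certificate.cer, cacert.cer and privatekey.key. The function names and sample data are constructed for illustration, and it assumes the first certificate in the file is the server's own.

```python
import base64
import re

# One PEM block: BEGIN line with a label, Base64 body, END line with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def detect_format(data: bytes) -> str:
    """Classify certificate material by content instead of by file extension."""
    m = PEM_BLOCK.search(data.decode("latin-1"))
    if m:
        return "PEM:" + m.group(1)   # e.g. PEM:CERTIFICATE or PEM:PKCS7
    if data[:1] == b"\x30":          # ASN.1 SEQUENCE tag that opens binary DER data
        return "DER"
    return "unknown"

def split_bundle(pem_text: str) -> dict:
    """Sort the blocks of a combined PEM file into the three files the page names."""
    out = {"certificate.cer": "", "cacert.cer": "", "privatekey.key": ""}
    for m in PEM_BLOCK.finditer(pem_text):   # text between blocks is skipped
        label, body = m.group(1), m.group(2)
        block = m.group(0) + "\n"
        if label.endswith("PRIVATE KEY"):
            out["privatekey.key"] += block
        elif label == "CERTIFICATE":
            # The PEM body is just the Base64 form of the DER bytes.
            if base64.b64decode("".join(body.split()))[:1] != b"\x30":
                raise ValueError("CERTIFICATE block does not hold DER data")
            # Assumption: the first certificate in the file is the server's own.
            first = not out["certificate.cer"]
            out["certificate.cer" if first else "cacert.cer"] += block
    return out

def fake_pem(label: str, n: int) -> str:
    """Constructed stand-in block: DER SEQUENCE { INTEGER n }, not a real cert or key."""
    body = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, n])).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

# Constructed sample shaped like `openssl pkcs12 -in certificate.pfx -nodes` output.
SAMPLE = ("Bag Attributes\n    friendlyName: example\n" + fake_pem("PRIVATE KEY", 1)
          + "subject=CN = www.example.com\n" + fake_pem("CERTIFICATE", 2)
          + "subject=CN = Example Intermediate CA\n" + fake_pem("CERTIFICATE", 3))

if __name__ == "__main__":
    for name, text in split_bundle(SAMPLE).items():
        print(name, "->", text.count("-----BEGIN"), "block(s)")
```

When writing the results to disk, give privatekey.key owner-only permissions (for example mode 0600), because the -nodes option leaves the exported key unencrypted.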

Via emaro-ssl.ru & wiki