This page has been robot translated, sorry for typos if any. Original content here.

SSL certificate format: how to convert a certificate to .pem, .cer, .crt, .der, pkcs or pfx?

Обзор форматов сертификатов SSL

SSL (secure sockets layer) is a cryptographic protocol that implies a safer connection. It uses asymmetric cryptography to authenticate exchange keys, symmetric encryption to maintain confidentiality, message authentication codes for message integrity. The protocol was widely used for instant messaging and Voice over IP (VoIP) in applications such as e-mail, Internet fax, etc. In 2014, the US government reported a vulnerability in the current version of the protocol. SSL must be excluded from work in favor of TLS ( see CVE-2014-3566 ).

SSL was originally developed by Netscape Communications to add the HTTPS protocol to its Netscape Navigator web browser. Subsequently, based on the SSL 3.0 protocol, the RFC standard, which was named TLS, was developed and adopted.

For successful installation and operation of SSL certificates on different platforms and devices, they are often required to be provided in different formats. For example, Windows servers use PFX files, Apache servers need PEM files with a .crt or .cer extension. In this article we will help you to understand the following questions:

  • What are the formats of SSL certificates?
  • What is the difference?
  • How to convert SSL certificates from one format to another?

Overview of SSL certificate formats

Format of PEM certificate

PEM is the most popular format among certification centers. PEM certificates can have the extension .pem, .crt, .cer, and .key (private key file). It is an ASCII file encoded in the Base64 scheme. When you open a pem format file in a text editor, you can see that the text of the code begins with the tag "- BEGIN CERTIFICATE -" and ending with the tag "- END CERTIFICATE -" .

Apache and other such servers use certificates in PEM format. Note that a single file can contain several SSL certificates and even a private key, one under the other. In this case, each certificate is separated from the rest by previously specified BEGIN and END tags. Typically, to install an SSL certificate on Apache, certificates and a private key must be in different files.

DER certificate format

DER is a binary certificate type instead of the PEM format. In PEM format, the .cer file extension is most often used, but sometimes the .der file extension can be found. Therefore, to distinguish an SSL certificate in PEM format from the DER format, open it in a text editor and find the start and end tags of the certificate ( BEGIN / END ). DER SSL certificates are generally used on Java platforms.

PKCS # 7 / P7B certificate

SSL certificates in PKCS # 7 or P7B format are files that are stored in the Base64 ASCII format and have a .p7b or .p7c file extension. P7B certificates contain the start tags of the certificate "- BEGIN PKCS7 -" and its end "- END PKCS7 -" . Files in P7B format include only your SSL certificate and intermediate SSL certificates. The private key is a separate file. SSL certificates in PKCS # 7 / P7B format support the following platforms: Microsoft Windows and Java Tomcat .

PFX certificate (format PKCS # 12)

The format of the SSL certificate PKCS # 12 or, as it is also called, the PFX certificate is a binary format that uses not only your personal server certificate and intermediate certificates of the certification authority, but also your private key in one encrypted file. PFX files, as a rule, have the extension .pfx or .p12 . Typically, PFX format files are used on Windows servers to import and export SSL certificate files and your private key.

Convert SSL certificates to OpenSSL

These OpenSSL commands allow you to convert certificates and keys into different formats. In order to make them compatible with certain types of servers, or software. For example, you need to convert an ordinary PEM file that will work with Apache to PFX format (PKCS # 12) in order to use it with Tomcat or IIS.

Convert PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM to P7B

openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

Convert PEM to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Convert DER to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert P7B to PFX

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.ceropenssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

Convert PFX to PEM

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

Online SSL Certificate Converter

Also there are online programs for converting SSL certificates from one format to another. For example, we can advise SSL converter from SSLShopper .

Use this SSL converter to convert SSL certificates of various formats, such as PEM, DER, P7B and PFX. To use the SSL converter, simply select the certificate file and its current type (it is determined by the extension format), then select the format in which you need to convert the SSL certificate and click the "Convert Certificate" button.

Please note that depending on which format you need to convert an SSL certificate, you will need different outgoing files.

Online SSL Certificate Converter

Also there are online programs for converting SSL certificates from one format to another. For example, we can advise SSL converter from SSLShopper.

Use this SSL converter to convert SSL certificates of various formats, such as PEM, DER, P7B and PFX. To use the SSL converter, simply select the certificate file and its current type (it is determined by the extension format), then select the format in which you need to convert the SSL certificate and click the "Convert Certificate" button.

Please note that depending on which format you need to convert an SSL certificate, you will need different outgoing files.

Convert PEM to DER

Обзор форматов сертификатов SSL

To convert a standard certificate in PEM format to a binary DER format, only an SSL certificate file is required. Usually, you receive it in the archive together with intermediate certificates. As a rule, the name of your domain is indicated in its name.

Convert PEM to P7B / PKCS # 7

Обзор форматов сертификатов SSL

If you need to convert your standard SSL certificate into a P7B / PKCS # 7 format file, you can also upload files with certificate chains in addition to the SSL certificate of your domain. For more information on what the SSL certificate chain is, we wrote in the CA-bundle article.

Convert PEM to PFX / PKCS # 12

Обзор форматов сертификатов SSL

Please note that to convert the standard SSL certificate format, you must add one more file - your private key. A private key is confidential information that should only be in your possession. Therefore, certification authorities do not send it to the location with the files of your certificate.

The private key is created when the CSR request is generated. If you generate CSR on your server, the key should be automatically saved on it. If you create a CSR request in a special tool on our website (on the page by reference or while filling in the technical data), the key is shown to you at the end of the CSR generation (or the introduction of technical data), but is not stored in our database. Therefore, it is important that you save the private key yourself.

Conversion of PFX / PKCS # 12 to PEM

If you need to convert an SSL certificate of PFX format to PEM format, open the certificate file in any text editor and copy the text of each certificate together with the BEGIN / END tags into separate files, after which they should be saved as certificate.cer (for your certificate server) and cacert.cer (for the chain of intermediate certificates). The same thing should be done with the private key's text and save it as privatekey.key.

Via emaro-ssl.ru & wiki