SSL certificate format: how to convert a certificate to .pem, .cer, .crt, .der, pkcs or pfx?

SSL (Secure Sockets Layer) is a cryptographic protocol for establishing a more secure connection. It uses asymmetric cryptography to authenticate the exchanged keys, symmetric encryption to maintain confidentiality, and message authentication codes for message integrity. The protocol was widely used for instant messaging and voice over IP (VoIP), and in applications such as e-mail and Internet fax. In 2014, the US government reported a vulnerability in the current version of the protocol. SSL should be retired in favor of TLS (see CVE-2014-3566).

SSL was originally developed by Netscape Communications to add the HTTPS protocol to its Netscape Navigator web browser. Subsequently, based on the SSL 3.0 protocol, an RFC standard was developed and adopted, called TLS.

To install and operate SSL certificates on various platforms and devices, you often need to provide them in different formats. For example, Windows servers use PFX files, while Apache servers require PEM files with the extension .crt or .cer. This article will help you with the following questions:

  • What are the SSL certificate formats?
  • What is the difference?
  • How to convert SSL certificates from one format to another?

Overview of SSL Certificate Formats

PEM certificate format

PEM is the most popular format among certificate authorities. PEM certificates can have the extension .pem, .crt, .cer, or .key (for a private key file). A PEM file is a Base64-encoded ASCII file. When you open it in a text editor, you can see that the text starts with the “-----BEGIN CERTIFICATE-----” tag and ends with the “-----END CERTIFICATE-----” tag.

Apache and other similar servers use certificates in PEM format. Please note that a single file may contain several SSL certificates and even a private key, one under the other. In this case, each certificate is separated from the rest by the BEGIN and END tags described above. As a rule, to install an SSL certificate on Apache, the certificates and the private key must be in different files.

DER Certificate Format

DER is a binary certificate format, in contrast to the text-based PEM format. The .cer file extension is most often used for PEM files, but the .der extension is sometimes seen as well. Therefore, to tell an SSL certificate in PEM format from one in DER format, open it in a text editor and look for the certificate's start and end tags (BEGIN / END); only a PEM file contains them. DER SSL certificates are usually used on Java platforms.

PKCS #7 / P7B certificate

SSL certificates in the PKCS #7 or P7B format are files stored in Base64 ASCII format with the file extension .p7b or .p7c. P7B certificates contain the opening tag “-----BEGIN PKCS7-----” and the closing tag “-----END PKCS7-----”. Files in the P7B format include only your SSL certificate and the intermediate SSL certificates. The private key is a separate file. The PKCS #7 / P7B format is supported by the following platforms: Microsoft Windows and Java Tomcat.

PFX certificate (PKCS #12 format)

The PKCS #12 SSL certificate format, also called a PFX certificate, is a binary format that stores not only your server certificate and the intermediate certificate authority certificates but also your private key in a single encrypted file. PFX files usually have the extension .pfx or .p12. PFX files are usually used on Windows servers to import and export SSL certificate files and your private key.
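Since the file extension does not reliably identify the format, the check can be made on the file's content instead. The following is an added example, not part of the original article: it generalizes the BEGIN / END check to all four formats described above, using the PEM label for text files and the first ASN.1 element for binary ones. The function names and sample bytes are constructed for illustration, and the binary test is a heuristic rather than a full parser.

```python
import re

# A PEM block: BEGIN and END lines with the same label around Base64 text.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def der_body(data):
    """Return the bytes after the outer DER SEQUENCE header, or b'' if absent."""
    if len(data) < 2 or data[0] != 0x30:       # 0x30 is the ASN.1 SEQUENCE tag
        return b""
    # Short form uses one length byte; long form adds (byte & 0x7F) more.
    offset = 2 if data[1] < 0x80 else 2 + (data[1] & 0x7F)
    return data[offset:]

def classify(data):
    """Name the container format of a certificate file from its content."""
    labels = [m.group(1).decode() for m in PEM_BLOCK.finditer(data)]
    if labels == ["PKCS7"]:
        return "P7B (PEM-encoded)"
    if labels:
        certs = labels.count("CERTIFICATE")
        key = any(label.endswith("PRIVATE KEY") for label in labels)
        return f"PEM: {certs} certificate(s)" + (", private key" if key else "")
    body = der_body(data)
    if body[:3] == b"\x02\x01\x03":            # INTEGER 3: the PFX version field
        return "PFX (PKCS#12)"
    if body[:1] == b"\x06":                    # OID: PKCS#7 ContentInfo type
        return "P7B (DER-encoded)"
    if body[:1] == b"\x30":                    # nested SEQUENCE, as in a certificate
        return "DER (certificate-like)"
    return "unknown"

# Constructed samples: header bytes and placeholder Base64 only, no real material.
SAMPLES = {
    "site.cer": b"-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n",
    "site.der": bytes.fromhex("3082030a308201f2a003020102"),
    "site.p7b": b"-----BEGIN PKCS7-----\nUDdC\n-----END PKCS7-----\n",
    "site.pfx": bytes.fromhex("30820a0f0201033082"),
    "all.pem": b"-----BEGIN PRIVATE KEY-----\nS0VZ\n-----END PRIVATE KEY-----\n"
               b"-----BEGIN CERTIFICATE-----\nTEVBRg==\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:10} {classify(data)}")
```

A result that mentions a private key means the file must be handled as a secret, whatever its extension says.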

Converting SSL certificates with OpenSSL

These OpenSSL commands let you convert certificates and keys to different formats in order to make them compatible with particular types of servers or software. For example, you may need to convert an ordinary PEM file that works with Apache into PFX (PKCS #12) format in order to use it with Tomcat or IIS.

Convert PEM to DER

openssl x509 -outform der -in certificate.pem -out certificate.der

Convert PEM to P7B

openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

Convert PEM to PFX

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

Convert DER to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

Convert P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Convert P7B to PFX

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

Convert PFX to PEM

openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

Online SSL Certificate Converter

There are also online tools for converting SSL certificates from one format to another. For example, we can recommend the SSL converter from SSLShopper.

Use this SSL converter to convert SSL certificates between formats such as PEM, DER, P7B and PFX. To use it, simply select the certificate file and its current type (determined by the file extension), then select the format to which you need to convert the SSL certificate and click the “Convert Certificate” button.

Please note that, depending on the format to which you need to convert the SSL certificate, you will need different source files.

PEM to DER conversion

To convert a standard PEM certificate to binary DER format, you only need the SSL certificate file. Usually, you receive it in an archive, along with the intermediate certificates. As a rule, its file name contains the name of your domain.

Convert PEM to P7B / PKCS #7

If you need to convert your standard SSL certificate to a P7B / PKCS #7 file, you can also upload the certificate chain files in addition to the SSL certificate for your domain. We explain what an SSL certificate chain is in the article on CA-bundle.

Convert PEM to PFX / PKCS #12

Please note that to convert a standard SSL certificate to this format, you need to add one more file: your private key. A private key is confidential information that only you should have. Therefore, certificate authorities do not send it together with your certificate files.

The private key is created when the CSR is generated. If you generate a CSR on your server, the key should be saved on it automatically. If you create a CSR in the special tool on our website (on the linked page or when filling in the technical data), the key is shown to you at the end of CSR generation (or after entering the technical data), but it is not stored in our database. Therefore, it is important that you save the private key yourself.

Convert PFX / PKCS #12 to PEM

If you need to convert a PFX SSL certificate to PEM format, open the converted certificate file in any text editor and copy the text of each certificate, together with its BEGIN / END tags, into separate files. Save them as certificate.cer (for your server certificate) and cacert.cer (for the chain of intermediate certificates). Do the same with the text of the private key and save it under the name privatekey.key.
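The copy-and-paste step above can be scripted. This added example, which is not part of the original article, splits a combined PEM file (such as the output of the PFX to PEM command shown earlier) into certificate.cer, cacert.cer and privatekey.key. It assumes the first certificate in the file is the server's; the function names and the sample input are constructed for illustration.

```python
import os
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)

def split_bundle(text):
    """Sort the PEM blocks of a combined file into the three files named above."""
    files = {"certificate.cer": [], "cacert.cer": [], "privatekey.key": []}
    for match in PEM_BLOCK.finditer(text):      # text outside the tags is skipped
        label, block = match.group(1), match.group(0) + "\n"
        if label.endswith("PRIVATE KEY"):
            files["privatekey.key"].append(block)
        elif label == "CERTIFICATE":
            # Assumption: the first certificate is the server's, the rest the chain.
            first = not files["certificate.cer"]
            files["certificate.cer" if first else "cacert.cer"].append(block)
    if len(files["privatekey.key"]) != 1 or not files["certificate.cer"]:
        raise ValueError("expected one private key and at least one certificate")
    return {name: "".join(blocks) for name, blocks in files.items()}

def write_files(files, directory):
    """Write each part; the key is created owner-only and never overwritten."""
    for name, content in files.items():
        mode = 0o600 if name.endswith(".key") else 0o644
        # O_EXCL refuses to reuse an existing file that may have wider permissions.
        fd = os.open(os.path.join(directory, name),
                     os.O_WRONLY | os.O_CREAT | os.O_EXCL, mode)
        with os.fdopen(fd, "w") as handle:
            handle.write(content)

# Constructed sample shaped like openssl pkcs12 -nodes output; bodies are placeholders.
SAMPLE = """Bag Attributes
subject=CN = example.test
-----BEGIN CERTIFICATE-----
TEVBRg==
-----END CERTIFICATE-----
subject=CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
Q0hBSU4=
-----END CERTIFICATE-----
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
S0VZ
-----END PRIVATE KEY-----
"""

if __name__ == "__main__":
    for name, content in split_bundle(SAMPLE).items():
        print(name, content.count("-----BEGIN"), "block(s)")
```

The -nodes option writes the private key unencrypted, so the combined file should be deleted once the parts have been written and checked.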

Via emaro-ssl.ru & wiki