SSL certificate format: how to convert the certificate to .pem, .cer, .crt, .der, pkcs or pfx?
SSL (Secure Sockets Layer) is a cryptographic protocol for establishing a secure connection. It uses asymmetric cryptography to authenticate the key exchange, symmetric encryption to maintain confidentiality, and message authentication codes for message integrity. The protocol was widely used in applications such as e-mail, Internet fax, instant messaging and Voice over IP (VoIP). In 2014, the US government reported a vulnerability in the current version of the protocol. SSL must be excluded from use in favor of TLS (see CVE-2014-3566).
SSL was originally developed by Netscape Communications to add the HTTPS protocol to its Netscape Navigator web browser. Subsequently, based on the SSL 3.0 protocol, the RFC standard was developed and adopted, which received the name TLS.
For successful installation and operation of SSL certificates on various platforms and devices, they are often required to be provided in different formats. For example, Windows servers use PFX files, Apache servers need PEM files with a .crt or .cer extension. In this article we will help you to understand the following questions:
- What are the formats of SSL certificates?
- What is the difference?
- How to convert SSL certificates from one format to another?
Overview of SSL certificate formats
PEM certificate format
PEM is the most popular format among certificate authorities. PEM certificates can have the extension .pem, .crt, .cer, or .key (private key file). A PEM file is an ASCII file encoded in Base64. When you open a PEM file in a text editor, you can see that the text begins with the tag "-----BEGIN CERTIFICATE-----" and ends with the tag "-----END CERTIFICATE-----".
Apache and other similar servers use certificates in PEM format. Note that one file can contain several SSL certificates and even a private key, one under the other. In this case, each certificate is separated from the rest by previously specified BEGIN and END tags. As a rule, to install an SSL certificate on Apache, certificates and a private key must be in different files.
DER certificate format
DER is the binary form of a certificate, as opposed to the ASCII PEM format. The .cer file extension is most often used, but sometimes the .der file extension can be found. Therefore, to distinguish an SSL certificate in PEM format from one in DER format, open it in a text editor and look for the start and end tags of the certificate (BEGIN / END). DER SSL certificates are generally used on Java platforms.
PKCS#7 / P7B certificate
SSL certificates in the PKCS#7 or P7B format are files that are stored in Base64 ASCII format and have a .p7b or .p7c file extension. P7B certificates begin with the tag "-----BEGIN PKCS7-----" and end with the tag "-----END PKCS7-----". Files in P7B format include only your SSL certificate and intermediate SSL certificates. The private key is a separate file. SSL certificates in PKCS#7 / P7B format are supported by the following platforms: Microsoft Windows and Java Tomcat.
PFX certificate (PKCS#12 format)
The PKCS#12 format, also called the PFX certificate, is a binary format in which one encrypted file stores not only your personal server certificate and the intermediate certificates of the certificate authority, but also your private key. PFX files, as a rule, have the extension .pfx or .p12. Typically, PFX format files are used on Windows servers to import and export SSL certificate files and your private key.
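The tag and encoding differences described in this overview can be checked from a script instead of a text editor. This is an added example, not part of the original article; the function names cert_format and demo_formats, the file names and the password "demo" are assumptions made for the demonstration.

```sh
#!/bin/sh
# cert_format FILE [PASSWORD]: print PEM, P7B, PFX, DER or unknown.
# Hypothetical helper name; the checks mirror the tags described above.
cert_format() {
    file=$1
    pass=${2-}
    # Text formats carry BEGIN/END tags.
    if grep -q -e '-----BEGIN PKCS7-----' "$file"; then
        echo P7B
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$file"; then
        echo PEM
    # Binary formats have no tags, so ask OpenSSL whether it can parse them.
    # PFX is tried first; a PFX needs its password to be recognised.
    elif openssl pkcs12 -in "$file" -noout -passin "pass:$pass" >/dev/null 2>&1; then
        echo PFX
    elif openssl x509 -inform der -in "$file" -noout \
            -passin "pass:$pass" </dev/null >/dev/null 2>&1; then
        echo DER
    else
        echo unknown
    fi
}

# Constructed demo: make a throwaway certificate, convert it, classify each file.
demo_formats() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" || exit 1
      umask 077
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
          -keyout key.pem -out cert.pem 2>/dev/null || exit 1
      openssl x509 -outform der -in cert.pem -out cert.der
      openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b
      openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem \
          -passout pass:demo
      for f in cert.pem cert.der cert.p7b cert.pfx key.pem; do
          cert_format "$f" demo
      done )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo_formats
```

The private key file is reported as unknown because it is PEM-encoded but carries a key tag rather than a certificate tag.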
Convert SSL certificates with OpenSSL
These OpenSSL commands allow you to convert certificates and keys into different formats in order to make them compatible with certain types of servers or software. For example, you may need to convert an ordinary PEM file that works with Apache to PFX format (PKCS#12) in order to use it with Tomcat or IIS.
Convert PEM to DER
openssl x509 -outform der -in certificate.pem -out certificate.der
Convert PEM to P7B
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer
Convert PEM to PFX
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
Convert DER to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
Convert P7B to PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
Convert P7B to PFX
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer
Convert PFX to PEM
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
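A conversion changes only the encoding, so the certificate fingerprint and the key pairing can be checked after running the commands above. This is an added example, not part of the original article; the helper names fp, key_matches and roundtrip_check, the extra file names and the password "demo" are assumptions, and the certificate is a throwaway one generated for the test.

```sh
#!/bin/sh
# fp FILE [der]: SHA-256 fingerprint of a certificate (hypothetical helper).
# Conversion only changes the encoding, so the fingerprint must not change.
fp() {
    openssl x509 -in "$1" ${2:+-inform $2} -noout -fingerprint -sha256 | cut -d= -f2
}

# key_matches CERT KEY: succeed only if KEY is the private key for CERT.
key_matches() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

roundtrip_check() {
    dir=$(mktemp -d) || return 1
    ( cd "$dir" || exit 1
      umask 077   # -nodes writes the private key unencrypted: keep it owner-only
      # Constructed test material: throwaway self-signed certificate and keys.
      openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
          -keyout privateKey.key -out certificate.crt 2>/dev/null || exit 1
      openssl genrsa -out other.key 2048 2>/dev/null || exit 1
      orig=$(fp certificate.crt)
      [ -n "$orig" ] || exit 1

      # PEM -> DER -> PEM
      openssl x509 -outform der -in certificate.crt -out certificate.der || exit 1
      openssl x509 -inform der -in certificate.der -out back.pem || exit 1
      # PEM -> PFX -> PEM (certificate and key land in one file)
      openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key \
          -in certificate.crt -passout pass:demo || exit 1
      openssl pkcs12 -in certificate.pfx -out bundle.pem -nodes \
          -passin pass:demo 2>/dev/null || exit 1

      [ "$(fp certificate.der der)" = "$orig" ] || exit 2
      [ "$(fp back.pem)" = "$orig" ] || exit 3
      [ "$(fp bundle.pem)" = "$orig" ] || exit 4
      key_matches bundle.pem bundle.pem || exit 5       # extracted key fits cert
      key_matches certificate.crt other.key && exit 6   # unrelated key must not
      exit 0 )
    rc=$?
    rm -rf "$dir"
    return "$rc"
}

roundtrip_check && echo "all conversions preserved the certificate and key"
```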
Online SSL Certificate converter
There are also online programs for converting SSL certificates from one format to another. For example, we can recommend the SSL converter from SSLShopper.
Use this SSL converter to convert SSL certificates of various formats, such as PEM, DER, P7B and PFX. To use the SSL converter, simply select the certificate file and its current type (it is determined by the file extension), then select the format to which you need to convert the SSL certificate and click the "Convert Certificate" button.
Note that depending on the format to which you need to convert an SSL certificate, you will need different source files.
Convert PEM to DER
To convert a standard certificate in PEM format to the binary DER format, only the SSL certificate file is required. Usually, you receive it in an archive together with the intermediate certificates. As a rule, its file name contains the name of your domain.
Convert PEM to P7B / PKCS#7
If you need to convert your standard SSL certificate into a P7B / PKCS#7 format file, you can also upload files with certificate chains in addition to the SSL certificate of your domain. For more information about what an SSL certificate chain is, see our article about the CA-bundle.
Convert PEM to PFX / PKCS#12
Please note that to convert a standard SSL certificate to this format, you need to add one more file: your private key. A private key is confidential information that should only be in your possession. Therefore, certificate authorities do not send it along with the files of your certificate.
A private key is created when the CSR request is generated. If you generate the CSR on your server, the key should be automatically saved on it. If you create a CSR request in a special tool on our website (on the page by reference or at the time of filling in the technical data), the key is shown to you at the end of the CSR generation (or the entry of technical data), but is not stored in our database. Therefore, it is important that you save the private key yourself.
Convert PFX / PKCS#12 to PEM
If you need to convert a PFX format certificate to PEM format, open the converted certificate file in any text editor and copy the text of each certificate together with its BEGIN / END tags into separate files, then save them as certificate.cer (for your server certificate) and cacert.cer (for the chain of intermediate certificates). Do the same with the text of the private key and save it as privatekey.key.
Via emaro-ssl.ru & wiki