.der. These extensions generally map to two major encoding schemes for X.509 certificates and keys: PEM (Base64 ASCII) and DER (binary). However, there is some overlap and other extensions are used, so you can’t always tell what kind of file you are working with just from looking at the filename; you may need to open it in a text editor and take a look for yourself. As you work with digital certificates, you may find yourself needing to convert between PEM and DER files, view their contents as human-readable text, or combine them into common container formats like PKCS#12 or PKCS#7. This guide points out the major differences between PEM and DER files and the common filename extensions associated with them. It also provides visual examples of each encoding and illustrates some common file format conversions with OpenSSL.

What is OpenSSL?
OpenSSL is a very useful open-source command-line toolkit for working with X.509 certificates, certificate signing requests (CSRs), and cryptographic keys. If you are using a UNIX variant like Linux or macOS, OpenSSL is probably already installed on your computer. If you would like to use OpenSSL on Windows, you can enable Windows 10’s Linux subsystem or install Cygwin.
PEM

PEM (originally “Privacy Enhanced Mail”) is the most common format for X.509 certificates, CSRs, and cryptographic keys. A PEM file is a text file containing one or more items in Base64 ASCII encoding, each with plain-text headers and footers (e.g. -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----). A single PEM file could contain an end-entity certificate, a private key, or multiple certificates forming a complete chain of trust. Most certificate files downloaded from SSL.com will be in PEM format.
PEM Filename Extensions

PEM files are usually seen with extensions such as .key (for private keys), but you may also see them with different extensions. For example, the SSL.com CA bundle file available from the download table in a certificate order has the extension .ca-bundle.
What does a PEM certificate look like?

[Figure: the SSL/TLS certificate for www.ssl.com, shown in PEM format]
Common PEM Conversions

In the OpenSSL commands below, replace the filenames in ALL CAPS with the actual paths and filenames you are working with.
View contents of PEM certificate file
openssl x509 -in CERTIFICATE.pem -text -noout
Convert PEM certificate to DER
openssl x509 -outform der -in CERTIFICATE.pem -out CERTIFICATE.der
Convert PEM certificate with chain of trust to PKCS#7

PKCS#7 (also known as P7B) is a container format for digital certificates that is most often found in Windows and Java server contexts, and usually has the extension .p7b. PKCS#7 files are not used to store private keys. In the example below, -certfile MORE.pem represents a file with chained intermediate and root certificates (such as a .ca-bundle file downloaded from SSL.com).
openssl crl2pkcs7 -nocrl -certfile CERTIFICATE.pem -certfile MORE.pem -out CERTIFICATE.p7b
Convert PEM certificate with chain of trust and private key to PKCS#12

PKCS#12 (also known as PKCS12 or PFX) is a common binary format for storing a certificate chain and private key in a single, encryptable file, and usually has a filename extension such as .pfx. In the example below, -certfile MORE.crt adds a file with chained intermediate and root certificates (such as a .ca-bundle file downloaded from SSL.com), and -inkey PRIVATEKEY.key adds the private key for CERTIFICATE.crt (the end-entity certificate). Please see this how-to for a more detailed explanation of the command shown.

openssl pkcs12 -export -out CERTIFICATE.pfx -inkey PRIVATEKEY.key -in CERTIFICATE.crt -certfile MORE.crt

After executing the command above you will be prompted to create a password to protect the PKCS#12 file. Remember this password; you will need it to access any certificates and keys stored in the file.
DER

DER (Distinguished Encoding Rules) is a binary encoding for X.509 certificates and private keys. Unlike PEM, DER-encoded files do not contain plain-text statements such as -----BEGIN CERTIFICATE-----. DER files are most commonly seen in Java contexts.
DER Filename Extensions

DER-encoded files are usually found with extensions such as .der.
What does a DER-encoded certificate look like?

[Figure: the DER-encoded SSL/TLS certificate for www.ssl.com]
Common DER Conversions

In the OpenSSL commands below, replace the filenames in ALL CAPS with the actual paths and filenames you are working with.
View contents of DER-encoded certificate file
openssl x509 -inform der -in CERTIFICATE.der -text -noout
Convert DER-encoded certificate to PEM
openssl x509 -inform der -in CERTIFICATE.der -out CERTIFICATE.pem
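The OpenSSL commands above treat the two encodings as black boxes; the relationship the PEM and DER sections describe (a PEM item is the Base64 of the DER bytes between BEGIN/END lines, and a DER certificate is an outer SEQUENCE whose header states its total length) is spelled out in this added Python example, which is not part of the original article. It identifies a file's encoding from its content rather than its extension, as the introduction recommends, and converts in both directions; SAMPLE_DER is a constructed stand-in, not a real certificate.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed sample: a syntactically valid DER SEQUENCE with a long-form
# length (0x81 0xC8 = 200 content bytes). It is NOT a real certificate.
SAMPLE_DER = b"\x30\x81\xc8" + bytes(range(200))

# One PEM item: BEGIN/END lines with matching labels around a Base64 body.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def der_length(data: bytes) -> Optional[int]:
    """Total length a leading DER SEQUENCE header claims, or None if there is none."""
    if len(data) < 2 or data[0] != 0x30:  # 0x30 = SEQUENCE, the outer tag of a certificate
        return None
    first = data[1]
    if first < 0x80:  # short form: this byte is the content length
        return 2 + first
    n = first & 0x7F  # long form: the next n bytes hold the content length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_format(data: bytes) -> str:
    """Classify raw file bytes as 'PEM', 'DER' or 'unknown', ignoring the filename."""
    if PEM_BLOCK.search(data):
        return "PEM"
    if der_length(data) == len(data):  # the header must account for every byte
        return "DER"
    return "unknown"


def pem_to_der(pem: bytes) -> List[Tuple[str, bytes]]:
    """Decode each PEM item (a chain file holds several) to (label, DER bytes)."""
    return [
        (label.decode(), base64.b64decode(b"".join(body.split())))
        for label, body in PEM_BLOCK.findall(pem)
    ]


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Base64-encode DER in 64-column lines and wrap it in BEGIN/END armor."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    armor = [f"-----BEGIN {label}-----".encode(), *lines, f"-----END {label}-----".encode()]
    return b"\n".join(armor) + b"\n"
```

A DER file whose header claims more bytes than the file holds (a truncated download, for instance) is reported as unknown rather than DER, which is the same mismatch that makes openssl x509 -inform der reject it.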