It’s fairly easy to understand what an SSL certificate is and how it works. But when it comes to installing it on a server, sometimes, it may seem that you’re dealing with rocket science.
With so many SSL certificate formats tied to specific server requirements, you’re more likely to get confused and frustrated rather than configure your cert correctly from the get-go. But that’s about to change.
In this comprehensive guide, we’ll dissect each SSL certificate format and certificate file extensions and show you two ways how to convert different file types.
Table of Contents
- Certificate File Formats – The Basics
- SSL Certificates Formats and File Extensions
- SSL Format Conversion
Certificate File Formats – The Basics
Let’s start by covering the basics. All SSL certificates are x.509 certificates. This is the standard format of public-key certificates expressed in a formal language called Abstract Syntax Notation One. We won’t delve further into the X.509 structure; you can read about it on Wiki. We’re here to discuss SSL certificate formats such as DER, PEM, PKCS#7, and PKCS#12.
An easy way to distinguish them is to look at their encoding.
PEM and PKCS#7 use Base ASCII (American Standard Code for Information Interchange) encoding. This is a popular standard for files that contain text.
DER and PKCS#12 use binary encoding, a base 2 number system consisting only of zeros and ones.
Because of different formats and encoding, SSL certificates have many file extensions.
SSL Certificate Formats and File Extensions
Let’s closely inspect each format and its SSL certificate file extensions. You will discover the meaning behind each acronym and what system uses it the most.
DER Format
DER stands for Distinguished Encoding Rules, a binary encoding format, rarely used outside of Windows. It is contained in .der or .cer files.
PEM Format
PEM is the most popular SSL certificate format and the one you’ll likely encounter. The majority of CAs offer SSL certificates in PEM format with different certificate file extensions such as .pem, .crt, .cer, or .key.
PEM Stands for Privacy-Enhanced Email, and you may be wondering what does Email have to do with an SSL certificate? Well, long story short, PEM failed at its primary job but found its application as a container format.
In essence, PEM files are Base64 encoded DER files where zeros and ones are encoded in a sequence of printable characters. This way you can open them with any text editor, including Notepad.
A single .pem file can contain the server certificate, the intermediate certificate, and the private key. Alternatively, you may receive your server and intermediate certificates in a separate .crt or .cer file, while your private key may reside in a .key file.
PKCS#7 Format
PKCS stands for Public Key Cryptography Standards.
PKCS#7 is a multi-purpose SSL certificate format for the distribution of encrypted data. It’s mostly used on Windows platforms and Java Tomcat.
Today, we’re actually using its successor CMS (Cryptographic Message Syntax), but just like with SSL and TLS, the old name has become too familiar to replace.
PKSC#7 has two file extensions: .p7b, or p7c. Unlike PEM, PKCS#7 cannot store private keys, only primary and intermediate certificates.
PKCS#12 Format
PKCS#12 is another Public Cryptography Standard with enhanced security. Just like a PEM file, it can include the entire SSL certificate chain and key pair in a single .pfx file. The main difference is that PCKS#12 is a password-protected container.
Some server systems prompt you to enter a password during the CSR generation, and you can use it to open .pfx files.
SSL Format Conversion
Now that you know the SSL certificate formats and their multiple certificate file extensions, it’s time to reveal what you’ve been really waiting for – how to convert an SSL certificate into any format.
As with most file conversions, there are different ways to approach them. The quickest one is to use an automatic SSL converter tool. All you have to do is pick your desired operation, for instance, PEM to PKCS#7 conversion, upload the files, and then hit Convert.
Alternatively, you can use the free OpenSSL software library to convert your SSL files. This utility enables the SSL/TLS protocol on almost any server in existence. Many platforms and Linux distributions come with the OpenSSL utility pre-installed. For Windows, you’ll have to get the installation package.
Convert X.509 to PEM
To convert X.509 to PEM, run the following command in OpenSSL:
openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem
Convert DER to PEM
Binary encoding to Base64 ASCII.
To convert DER to PEM, run the following command:
openssl x509 -inform der -in certificatename.der -out certificatename.pem
Convert PEM to DER
Base65 ASCII to binary encoding.
To convert PEM to DER, run the following command:
openssl x509 -inform der -in certificatename.der -out certificatename.pem
Convert PEM to PKCS#7
The .p7b file does not include the private key.
To convert PEM to PKCS#7, run the following command:
openssl crl2pkcs7 -nocrl -certfile certificatename.pem -out certificatename.p7b -certfile CACert.cer
Convert PKCS#7 to PEM
To convert PKCS#7 to PEM, run the following command:
openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.pem
Convert PKCS#12 to PEM
PKCS#12 file is password-protected.
To convert PKCS#12 to PEM, run the following command:
openssl pkcs12 -in certificatename.pfx -out certificatename.pem
Convert PKCS7 to PKCS12
This requires two steps. You’ll first convert the P7B file to CER and then combine CER and Private Key into PFX.
- openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer
- openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer
That’s pretty much it. Now you can quickly convert and install on your server any type of SSL file.
Conclusion
Understanding SSL certificate formats, certificate file extensions, and how to convert them into your desired configuration is a valuable skill that will help you seamlessly install SSL certificates on any system.
Choosing the right SSL format will ensure steady encryption and secure connections on web servers, email clients, VPN appliances, and networks.
Frequently Asked Questions
The file extension used for an exported certificate backup file varies depending on the format and type of the certificate. The most common certificate backup files are .p12 and .pfx (Windows systems), .cer and .crt, and .key for backing up the private key.
Copy Link
Apache uses the PEM certificate format with .cer .crt and .key file extensions.
Copy Link
To create an SSL certificate in PEM format on Linux, you can use the OpenSSL toolkit and its command lines. Once you’ve received the SSL certificate from the CA, you can create the PEM format file by concatenating the private key and the SSL certificate together in a single file using the following command:
cat private.key your_ssl_certificate.crt > your_ssl_certificate.pem
Copy Link
Open your SSL file with any text editor. If you see the label “—–BEGIN CERTIFICATE—–” at the beginning of the certificate file and “—–END CERTIFICATE—–” at the end of the file, then the certificate is in PEM format. If the certificate is in DER format, it will not contain these labels and will instead be a binary file.
Copy Link
The PKCS#12 or PFX format contains the certificates(S) and the private key. This format stores the private key and the associated certificate in a single encrypted file.
Copy Link
We’ve written a detailed guide on how to import and export a PFX file in Microsoft IIS (Internet Information Services).
Copy Link
Save 10% on SSL Certificates when ordering today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10
