It’s fairly easy to understand what an SSL certificate is and how it works. But when it comes to installing it on a server, it may sometimes seem that you’re dealing with rocket science. With so many SSL certificate formats tied to specific server requirements, you’re more likely to get confused and frustrated than to configure your cert correctly from the get-go. But that’s about to change. In this comprehensive guide, we’ll dissect each certificate format and show you two ways to convert different file types.
Let’s start by covering the basics. All SSL certificates are X.509 certificates. This is the standard format of public-key certificates expressed in a formal language called Abstract Syntax Notation One. We won’t delve further into the X.509 structure; you can read about it on Wiki. We’re here to discuss SSL certificate formats such as DER, PEM, PKCS#7, and PKCS#12.
An easy way to distinguish them is to look at their encoding. PEM and PKCS#7 use Base64 ASCII (American Standard Code for Information Interchange) encoding. This is a popular standard for files that contain text. DER and PKCS#12 use binary encoding, a base 2 number system consisting only of zeros and ones. Because of different formats and encoding, SSL certificates have many file extensions.
DER Format
DER stands for Distinguished Encoding Rules, a binary encoding format, rarely used outside of Windows. It is contained in .der or .cer files.
PEM Format
PEM stands for Privacy-Enhanced Email, and you may be wondering what email has to do with an SSL certificate. Well, long story short, PEM failed at its primary job but found its application as a container format. In essence, PEM files are Base64 encoded DER files where zeros and ones are encoded in a sequence of printable characters. This way you can open them with any text editor, including Notepad.
PEM is the most popular certificate format and the one you’ll likely encounter. The majority of CAs offer SSL Certificates in PEM format with different file extensions such as .pem, .crt, .cer, or .key.
A single .pem file can contain the server certificate, the intermediate certificate, and the private key. Alternatively, you may receive your server and intermediate certificates in a separate .crt or .cer file, while your private key may reside in a .key file.
PKCS#7 Format
PKCS stands for Public Key Cryptography Standards. PKCS#7 is a multi-purpose format for the distribution of encrypted data. It’s mostly used on Windows platforms and Java Tomcat. Today, we’re actually using its successor CMS (Cryptographic Message Syntax), but just like with SSL and TLS, the old name has become too familiar to replace. PKCS#7 has two file extensions: .p7b or .p7c. Unlike PEM, PKCS#7 cannot store private keys, only the primary and intermediate certificates.
PKCS#12 Format
PKCS#12 is another Public Key Cryptography Standard with enhanced security. Just like a PEM file, it can include the entire SSL certificate chain and key pair in a single .pfx file. The main difference is that PKCS#12 is a password-protected container. Some server systems prompt you to enter a password during the CSR generation, and you can use it to open .pfx files.
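Because an extension such as .cer can hold either PEM or DER data, the format is best read from the file's bytes. The Python sketch below is an added example, not part of the original guide: it reads PEM labels, guesses a binary file's kind from its first ASN.1 fields (a heuristic), and flags files that can carry a private key. The function names and the constructed stub bytes are assumptions made for illustration.

```python
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")  # 1.2.840.113549.1.7.2

def sequence_body(data):
    """Content of a leading DER SEQUENCE, or b'' if the bytes are not one."""
    if len(data) < 2 or data[0] != 0x30:
        return b""
    length, offset = data[1], 2
    if length & 0x80:  # long form: low 7 bits count the length bytes that follow
        count = length & 0x7F
        length, offset = int.from_bytes(data[2:2 + count], "big"), 2 + count
    body = data[offset:offset + length]
    return body if len(body) == length else b""

def classify_der(data):
    """Heuristic: guess a binary file's kind from its first ASN.1 fields."""
    body = sequence_body(data)
    if body.startswith(SIGNED_DATA_OID):  # PKCS#7 signedData content type
        return "PKCS7"
    if body.startswith(b"\x02\x01\x03"):  # PKCS#12 PFX: version INTEGER 3
        return "PKCS12"
    # A v2/v3 certificate nests tbsCertificate, which opens with an explicit [0] version.
    return "CERTIFICATE" if sequence_body(body).startswith(b"\xa0") else "UNKNOWN"

def inspect(data):
    """List (encoding, kind) for everything found in a file's bytes."""
    blocks = PEM_BLOCK.findall(data.decode("ascii", errors="ignore"))
    return [("PEM", label) for label, _ in blocks] or [("DER", classify_der(data))]

def may_hold_private_key(data):
    """True when a PEM block is a private key or the file is PKCS#12, which can hold one."""
    return any(k.endswith("PRIVATE KEY") or k == "PKCS12" for _, k in inspect(data))

def der_to_pem(label, der):
    """Wrap DER bytes as PEM: Base64 in 64-column lines between markers."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()

def pem_to_der(data):
    """Decode every PEM block back to the DER bytes it wraps."""
    return [base64.b64decode(b64) for _, b64 in PEM_BLOCK.findall(data.decode("ascii"))]

CERT_STUB = bytes.fromhex("300a3008a003020102020101")  # constructed: ASN.1 framing only
KEY_STUB = bytes.fromhex("3003020100")                 # constructed: version field only
BUNDLE = der_to_pem("CERTIFICATE", CERT_STUB) + der_to_pem("PRIVATE KEY", KEY_STUB)
```

Running may_hold_private_key over a file before sharing it or uploading it to a converter shows whether the private key would travel with the certificates.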
Now that you know the SSL certificate formats and their multiple file extensions, it’s time to reveal what you’ve been really waiting for: how to convert an SSL certificate into any format.
As with most file conversions, there are different ways to approach them. The quickest one is to use an automatic SSL convert tool. All you have to do is pick your desired operation, for instance, PEM to PKCS#7 conversion, upload the files, and then hit Convert.
Alternatively, you can use the free OpenSSL software library to convert your SSL files. This utility enables the SSL/TLS protocol on almost any server in existence. Many platforms and Linux distributions come with the OpenSSL utility pre-installed. For Windows, you’ll have to get the installation package from here.
In OpenSSL run the following commands to convert your certs:
Convert X.509 to PEM
openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem
Convert DER to PEM (Binary encoding to Base64 ASCII)
openssl x509 -inform der -in certificatename.der -out certificatename.pem
Convert PEM to DER (Base64 ASCII to binary encoding)
openssl x509 -outform der -in certificatename.pem -out certificatename.der
Convert PEM to PKCS#7 (the .p7b file does not include the private key)
openssl crl2pkcs7 -nocrl -certfile certificatename.pem -out certificatename.p7b -certfile CACert.cer
Convert PKCS#7 to PEM
openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.pem
Convert PKCS#12 to PEM (PKCS#12 file is password-protected)
openssl pkcs12 -in certificatename.pfx -out certificatename.pem
Convert PKCS#7 to PKCS#12
This requires two steps. You’ll first convert the P7B file to CER and then combine CER and Private Key into PFX.
openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer
openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer
That’s pretty much it. Now you can quickly convert and install on your server any type of SSL file.