You’ve just received your SSL certificate files and notice two extensions: .crt and .cer. Your server expects one, your certificate authority (CA) sent the other. Before you start troubleshooting, here’s the short answer: both file extensions hold the same X.509 certificate data, and the difference is mostly a naming convention.
But “mostly” is doing some heavy lifting in that sentence. Platform preferences, encoding formats, and server configurations can turn a simple rename into a failed installation. This guide breaks down exactly what .CRT and .CER files are, how they differ, and how to convert between them without breaking anything.
Table of Contents
- What Is a .CRT File?
- What Is a .CER File?
- CRT vs CER: What’s Actually Different?
- PEM vs DER: The Encoding That Actually Matters
- How to Tell Which Encoding You Have
- How to Convert Between CRT and CER
- Other Certificate File Formats You Should Know
- Which Extension Should You Use?
- FAQ
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10
What Is a .CRT File?
A .CRT file is a certificate file that stores an X.509 public key certificate. It contains the certificate holder’s public key, identity information (like the domain name or organization), and the digital signature of the CA that issued it.
The .CRT extension is the default on Unix and Linux systems. If you’ve set up SSL/TLS on Apache, Nginx, or most other Linux-based web servers, you’ve likely worked with .CRT files. They’re almost always encoded in PEM format — a Base64 ASCII text file you can open in any text editor. You’ll see content wrapped between —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—– headers.
What Is a .CER File?
A .CER file also stores an X.509 public key certificate with the same data — public key, identity details, and a CA signature. The contents are identical to what’s in a .CRT file.
The .CER extension is more common on Windows systems. When you export certificates from Microsoft IIS, Windows Certificate Manager, or Active Directory Certificate Services, the default output is a .CER file. These files can be in either PEM format (Base64 text) or DER format (binary). The encoding depends on how the file was exported, not on the file extension itself.
CRT vs CER: What’s Actually Different?
Technically, there is no functional difference between .CRT and .CER files. Both hold X.509 certificates, both can use PEM or DER encoding, and both serve the same purpose in SSL/TLS configurations. The distinctions come down to convention, platform defaults, and server expectations.
| Feature | .CRT | .CER |
| Certificate data | X.509 public key certificate | X.509 public key certificate |
| Common platform | Unix / Linux | Windows |
| Typical encoding | PEM (Base64 ASCII) | DER (binary) or PEM |
| Used by | Apache, Nginx, OpenSSL | IIS, Windows tools, Java (DER) |
| Human-readable? | Yes (when PEM) | Only when PEM-encoded |
| Contains private key? | No (public cert only) | No (public cert only) |
| Interchangeable? | Yes | Yes |
Key Takeaway: The file extension doesn’t determine the encoding. A .CER file can be PEM-encoded, and a .CRT file can be DER-encoded. What matters is the content of the file, not the extension.
PEM vs DER: The Encoding That Actually Matters
Since .CRT and .CER are essentially the same thing, the real distinction to understand is between the two encoding formats that both extensions can use: PEM and DER.
PEM (Privacy-Enhanced Mail) is a text-based format that encodes certificate data in Base64 ASCII. PEM files are human-readable — you can open them in Notepad, VS Code, or any text editor and see the Base64 content between BEGIN/END headers. PEM is the standard format for Apache, Nginx, and most open-source server software.
DER (Distinguished Encoding Rules) is the binary equivalent. DER files contain the same certificate data but in raw binary, so they’re not readable in a text editor. DER encoding is common in Java-based environments and Windows certificate stores.
| Feature | PEM | DER |
| Encoding | Base64 ASCII text | Binary |
| Readable in text editor? | Yes | No |
| File size | Slightly larger | Smaller |
| Common extensions | .crt, .cer, .pem | .cer, .der |
| Typical platforms | Linux, Apache, Nginx | Windows, Java |
| Can store multiple certs? | Yes (chained in one file) | No (single cert per file) |
How to Tell Which Encoding You Have
You can’t always tell the encoding from the file extension alone. But there are two quick ways to check:
1. Open the file in a text editor. If you see —–BEGIN CERTIFICATE—– followed by a block of Base64 text, it’s PEM-encoded. If the file looks like gibberish or garbled characters, it’s DER-encoded.
2. Use OpenSSL to inspect it. Run the following command to attempt reading the file as PEM:
openssl x509 -in certificate.crt -text -nooutIf that returns an error, try reading it as DER:
openssl x509 -in certificate.cer -inform der -text -nooutWhichever command returns the certificate details tells you the encoding format.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10
How to Convert Between CRT and CER
The conversion process depends on whether you’re changing just the file extension or also converting the encoding format.
Same Encoding — Just Rename
If both files use the same encoding (both PEM or both DER), you can rename the extension directly. No data changes are needed:
Linux / macOS
mv certificate.crt certificate.cerWindows (Command Prompt)
ren certificate.crt certificate.cerPEM to DER (and Vice Versa)
If you need to change the encoding — for instance, your server expects a DER-encoded .CER, but you have a PEM-encoded .CRT — use OpenSSL:
Convert PEM (.CRT) to DER (.CER):
openssl x509 -in certificate.crt -outform der -out certificate.cerConvert DER (.CER) to PEM (.CRT):
openssl x509 -in certificate.cer -inform der -outform pem -out certificate.crtUsing Windows Certificate Export Wizard
If you prefer a GUI approach on Windows:
- Double-click the certificate file to open it.
- Go to the Details tab and click Copy to File.
- In the Certificate Export Wizard, choose either DER encoded binary X.509 (.CER) or Base-64 encoded X.509 (.CER), then save with your desired extension.
Troubleshooting Tip: If your server rejects the certificate after conversion, double-check the encoding format — not just the extension. A .CER file in PEM format won’t work where DER is expected, even if the extension is correct.
Other Certificate File Formats You Should Know
Beyond .CRT and .CER, you’ll encounter several other certificate file extensions during SSL management. Here’s a quick reference:
| Extension | Format | Use Case |
| .PEM | Base64 ASCII text | General-purpose; can hold certificates, private keys, and cert chains |
| .DER | Binary | Single certificate in binary; common in Java environments |
| .PFX / .P12 | Binary (PKCS#12) | Bundles certificate + private key + chain in one password-protected file |
| .P7B / .P7C | Base64 ASCII (PKCS#7) | Certificate chain only — no private key; used in Windows and Java |
| .KEY | PEM or DER | Private key file (not a certificate, but often paired with .CRT) |
Among these, .PFX (PKCS#12) files deserve special attention. Unlike .CRT and .CER — which contain only the public certificate — PFX files bundle the certificate, private key, and intermediate certificates into a single encrypted file. You’ll often use PFX when importing certificates into Windows IIS or exporting them for backup.
Which Extension Should You Use?
The answer depends on your server and operating system:
Use .CRT if you’re running Apache, Nginx, or any other Linux/Unix-based web server. These platforms expect PEM-encoded certificates, and the .CRT extension is the standard convention.
Use .CER if you’re working with Microsoft IIS, Windows Server, or other Windows-based systems. The .CER extension is what Windows tools generate and expect by default.
Check your server documentation when in doubt. Some platforms are flexible and accept either extension. Others are strict about file naming. Your hosting provider’s documentation or SSL installation guide will specify exactly what’s needed.
FAQ
Are .CRT and .CER files the same?
Functionally, yes. Both store X.509 public key certificate data and can use either PEM or DER encoding. The difference is a naming convention: .CRT is standard on Linux/Unix, .CER on Windows.
Can I just rename .CRT to .CER?
If both use the same encoding format, yes. But if you need to change from PEM to DER encoding (or vice versa), use OpenSSL to convert the file contents, not just the extension.
Do .CRT or .CER files contain the private key?
No. Both extensions store only the public certificate. Private keys are kept in separate files (usually .KEY) or bundled into PKCS#12 (.PFX/.P12) containers.
What encoding does my server need?
Apache and Nginx typically need PEM encoding. Microsoft IIS and Java applications often use DER. Check your server’s SSL configuration documentation for specific requirements.
Bottom Line
The CRT vs CER debate is more about naming conventions than technical differences. Both extensions store X.509 certificates, and both can be encoded in PEM or DER format. What matters is matching the right encoding to your server’s requirements — and OpenSSL makes conversion simple.
If you need a reliable SSL certificate for your website, SSL Dragon offers a wide range of trusted certificates from top CAs like DigiCert, Sectigo, and GeoTrust. Whether you’re on Apache, Nginx, or IIS, you’ll get the right files along with step-by-step installation support. Browse SSL certificates at ssldragon.com and secure your site today.
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10
