SSL Certificate Formats and Certificate File Extensions: A Complete Guide

SSL Certificate Formats

It’s fairly easy to understand what an SSL certificate is and how it works. But when it comes to installing it on a server, sometimes, it may seem that you’re dealing with rocket science.

With so many SSL certificate formats tied to specific server requirements, you’re more likely to get confused and frustrated rather than configure your cert correctly from the get-go. But that’s about to change.

In this comprehensive guide, we’ll dissect each SSL certificate format and certificate file extensions and show you two ways how to convert different file types.


Table of Contents

  1. Certificate File Formats – The Basics
  2. SSL Certificates Formats and File Extensions
  3. SSL Format Conversion

Certificate File Formats – The Basics

Let’s start by covering the basics. All SSL certificates are x.509 certificates. This is the standard format of public-key certificates expressed in a formal language called Abstract Syntax Notation One. We won’t delve further into the X.509 structure; you can read about it on Wiki. We’re here to discuss SSL certificate formats such as DER, PEM, PKCS#7, and PKCS#12.

An easy way to distinguish them is to look at their encoding.

PEM and PKCS#7 use Base ASCII (American Standard Code for Information Interchange) encoding. This is a popular standard for files that contain text.

DER and PKCS#12 use binary encoding, a base 2 number system consisting only of zeros and ones.

Because of different formats and encoding, SSL certificates have many file extensions.


SSL Certificate Formats and File Extensions

Let’s closely inspect each format and its SSL certificate file extensions. You will discover the meaning behind each acronym and what system uses it the most.

DER Format

DER stands for Distinguished Encoding Rules, a binary encoding format, rarely used outside of Windows. It is contained in .der or .cer files.


PEM Format

PEM is the most popular SSL certificate format and the one you’ll likely encounter. The majority of CAs offer SSL certificates in PEM format with different certificate file extensions such as .pem, .crt, .cer, or .key. 

PEM Stands for Privacy-Enhanced Email, and you may be wondering what does Email have to do with an SSL certificate? Well, long story short, PEM failed at its primary job but found its application as a container format.

In essence, PEM files are Base64 encoded DER files where zeros and ones are encoded in a sequence of printable characters. This way you can open them with any text editor, including Notepad. 

A single .pem file can contain the server certificate, the intermediate certificate, and the private key. Alternatively, you may receive your server and intermediate certificates in a separate .crt or .cer file, while your private key may reside in a .key file.


PKCS#7 Format

PKCS stands for Public Key Cryptography Standards.

PKCS#7 is a multi-purpose SSL certificate format for the distribution of encrypted data. It’s mostly used on Windows platforms and Java Tomcat.

Today, we’re actually using its successor CMS (Cryptographic Message Syntax), but just like with SSL and TLS, the old name has become too familiar to replace.

PKSC#7 has two file extensions: .p7b, or p7c. Unlike PEM, PKCS#7 cannot store private keys, only primary and intermediate certificates.


PKCS#12 Format

PKCS#12 is another Public Cryptography Standard with enhanced security. Just like a PEM file, it can include the entire SSL certificate chain and key pair in a single .pfx file. The main difference is that PCKS#12 is a password-protected container.

Some server systems prompt you to enter a password during the CSR generation, and you can use it to open .pfx files.


SSL Format Conversion

Now that you know the SSL certificate formats and their multiple certificate file extensions, it’s time to reveal what you’ve been really waiting for – how to convert an SSL certificate into any format.

As with most file conversions, there are different ways to approach them. The quickest one is to use an automatic SSL converter tool. All you have to do is pick your desired operation, for instance, PEM to PKCS#7 conversion, upload the files, and then hit Convert.

Alternatively, you can use the free OpenSSL software library to convert your SSL files. This utility enables the SSL/TLS protocol on almost any server in existence. Many platforms and Linux distributions come with the OpenSSL utility pre-installed. For Windows, you’ll have to get the installation package.


Convert X.509 to PEM

To convert X.509 to PEM, run the following command in OpenSSL:

openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem


Convert DER to PEM

Binary encoding to Base64 ASCII.

To convert DER to PEM, run the following command:

openssl x509 -inform der -in certificatename.der -out certificatename.pem


Convert PEM to DER

Base65 ASCII to binary encoding.

To convert PEM to DER, run the following command:

openssl x509 -inform der -in certificatename.der -out certificatename.pem


Convert PEM to PKCS#7

The .p7b file does not include the private key.

To convert PEM to PKCS#7, run the following command:

openssl crl2pkcs7 -nocrl -certfile certificatename.pem -out certificatename.p7b -certfile CACert.cer


Convert PKCS#7 to PEM

To convert PKCS#7 to PEM, run the following command:

openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.pem


Convert PKCS#12 to PEM

PKCS#12 file is password-protected.

To convert PKCS#12 to PEM, run the following command:

openssl pkcs12 -in certificatename.pfx -out certificatename.pem


Convert PKCS7 to PKCS12

This requires two steps. You’ll first convert the P7B file to CER and then combine CER and Private Key into PFX.

  1. openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer
  2. openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile  cacert.cer

That’s pretty much it. Now you can quickly convert and install on your server any type of SSL file. 


Conclusion

Understanding SSL certificate formats, certificate file extensions, and how to convert them into your desired configuration is a valuable skill that will help you seamlessly install SSL certificates on any system.

Choosing the right SSL format will ensure steady encryption and secure connections on web servers, email clients, VPN appliances, and networks.

Frequently Asked Questions

What File Extension Is Used for an Exported Certificate Backup File?

The file extension used for an exported certificate backup file varies depending on the format and type of the certificate. The most common certificate backup files are .p12 and .pfx (Windows systems), .cer and .crt, and .key for backing up the private key.

Copy Link

What SSL Certificate File Types Does APACHE2 Take?

Apache uses the PEM certificate format with .cer .crt and .key file extensions.

Copy Link

How to Create the ssl-certificate.pem Format in Linux?

To create an SSL certificate in PEM format on Linux, you can use the OpenSSL toolkit and its command lines. Once you’ve received the SSL certificate from the CA, you can create the PEM format file by concatenating the private key and the SSL certificate together in a single file using the following command:

cat private.key your_ssl_certificate.crt > your_ssl_certificate.pem

Copy Link

How to Find the Format of an SSL Certificate?

Open your SSL file with any text editor. If you see the label “—–BEGIN CERTIFICATE—–” at the beginning of the certificate file and “—–END CERTIFICATE—–” at the end of the file, then the certificate is in PEM format. If the certificate is in DER format, it will not contain these labels and will instead be a binary file.

Copy Link

Which Certificate File Format Contains a Private Key?

The PKCS#12 or PFX format contains the certificates(S) and the private key. This format stores the private key and the associated certificate in a single encrypted file.

Copy Link

How to Export an SSL Certificate in .pfx Format?

We’ve written a detailed guide on how to import and export a PFX file in Microsoft IIS (Internet Information Services).

Copy Link

Save 10% on SSL Certificates when ordering from SSL Dragon today!

Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10

Written by

Experienced content writer specializing in SSL Certificates. Transforming intricate cybersecurity topics into clear, engaging content. Contribute to improving digital security through impactful narratives.