Converting CRT to PEM Format

Yesterday we needed to convert the SSL x.509 certificate received from an authorized CA from crt to pem to make it compatible with specific software. In this article, we’ll show you the easiest way to convert your certificate file from the .crt to .pem format.

X.509 SSL certificates can be issued in various formats:

  • .CRT or .CER—certificate;
  • .DER—distinguished encoding rules;
  • .PEM—privacy-enhanced electronic mail.

PEM is the most popular SSL certificate format issued by certification authority centers with different file extensions such as .pem, .crt, .cer or .key. Certificate files have the extension .pem, .crt, .cer, and .key. Files are encoded in the Base64 and necessarily start with the line “—– BEGIN CERTIFICATE —–” and end with the line “—– END CERTIFICATE —–“.

PEM certificate can contain both the certificate and the certificate private key in the same file. The PEM certificates are encoded in the text ASCII Base64 format, and you can view them in any text editor. Apache, Nginx, and similar web servers are using the SSL certificates in the PEM file format.

Note. Web Server IIS on Windows Server uses a different certificate format — .pfx.

DER is a binary certificate file. Certificate files in this format often have a .cer file extension, but you can also find a .der extension. As a rule, DER certificate format is used on Java platforms.

First of all, check if your certificate file isn’t already in PEM format, but the file itself has a .crt extension. Try to open your .crt file using any text editor, or list its contents using PowerShell:

gc .cert.crt

If the contents of the file start with —– BEGIN, and you can read it in a text editor, this indicates that the file already uses the base64 format, which can be read in ASCII (the file is not in binary format).

convert crt to pem

This means your certificate is already in the PEM format. Just change the file extension from .crt to .pem in the Windows File Explorer.

How to Convert CRT SSL Certificate to PEM on Windows?

In case your crt file is in binary format, you can convert it using the OpenSSL utility for Windows (in this case we used the open SSL port gnuwin32, version 0.9.8h).

Download the archive with OpenSSL binaries ( and extract it to a local folder (for example C:\OpenSSL). Copy your .crt file to the same directory. After that, run the command prompt with administrator privileges and go to the folder:

cd C:\OpenSSL\bin

If the crt file is in binary format, then run the following command to convert it to PEM format:

Openssl.exe x509 -inform DER -outform PEM -in my_certificate.crt -out my_certificate.crt.pem

Change certificates file names to your own. This command helps you to convert a DER certificate file (.crt, .cer, .der) to PEM.

Note. When you are converting your certificate files to different formats using OpenSSL, your certificate private data is secured, since it’s never stored by the OpenSSL during the file conversion.

After executing the command, the new file my_certificate.crt.pem should appear in the same folder. Open it and make sure it is encoded in Base64. This certificate can now be imported to your web server or anywhere you want.

crt to pem

If you run the openssl.exe tool and received an error: Unable to load config info from /usr/local/ssl/openssl.cnf, you need to set up a new Windows environment variable using the following command:

Set OPENSSL_CONF=C:\openssl\share\openssl.cnf

convert .crt to .pem

Then re-run your Command prompt window and try to execute a command to convert your certificate file from the CRT to PEM file format.

On Windows 10/Windows Server 2016 you can convert CER  to the DER (PEM) certificate file format from the Windows build-in certificate export tool.

  1. Run the File Explorer, locate and double click your .cer file;
    openssl crt to pem
  2. In the certificate properties window go to the Details tab and click on the “Copy to File” button;
    .crt to .pem
  3. Press Next on the first step of Certificate Export Wizard;
  4. Now you need to select the certificate export format. Select the option “BASE-64 encoded X.509 (.CER)” and click Next;
    how to convert crt to pem
  5. Specify the file name;
    openssl convert crt to pem
  6. Press the Finish button;
    crt to pem converter
  7. Now you can change your certificate file extension from .cer to .pem. You can use the following PowerShell command:
    rename-item C:\PS\new_cert.cer c:\ps\new_cert.pem
  8. Ensure that the file format is Base64:
    cat c:\ps\new_cert.pem

    how to convert .crt to .pem

Convert CRT SSL Certificate to PEM Format on Linux

Let’s look at how to convert CRT/DER certificate file to the PEM format on Linux. First, you need to install the OpenSSL package.

On RedHat/CentOS/Fedora you can install OpenSSL as follows:

yum install openssl

Note. In this case the openssl-1:1.1.1c-2.el8.x86_64 package is already installed.

crt to pem openssl

On Debian/Ubuntu distros, you can install this package using the APT:

apt-get install openssl

To convert your CER file to PEM format using openssl, run the following command:

openssl x509 -inform der -in /home/tstcert.cer -out /home/tstcert.pem

tstcert.cer — source certificate file;
tstcert.pem — target pem file.

convert .crt to pem

I enjoy technology and developing websites. Since 2012 I'm running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
Cyril Kardashevsky

One comment

  1. Thank you, this is the best explanation of the formats I have seen, and it answered my simple question about a PEM format that has a crt extension.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.