Yesterday we needed to convert SSL X.509 certificates received from an authorized CA from CRT to PEM to make them compatible with specific software. In this article, we’ll show you the easiest way to convert your certificate file from the .crt to the .pem format.
X.509 SSL certificates can be issued in various formats:
- CRT or CER — Certificate;
- DER — Distinguished Encoding Rules;
- PEM — Privacy-Enhanced Mail;
- P7B (PKCS#7) — Pkcs #7 Certificate File;
- PFX (PKCS#12) — Personal exchange format.
PEM (Privacy Enhanced Mail) is the most popular X.509 SSL certificate format issued by certification authorities. PEM files can have different extensions, such as .pem, .crt, .cer, or .key. They are encoded in Base64 and necessarily start with the line “-----BEGIN CERTIFICATE-----” and end with the line “-----END CERTIFICATE-----”.
In fact, the PEM file format is a container that can hold just the public certificate or the entire certificate chain (private and public keys, root certificates) in the same file.
If the PEM certificate file contains a private key, it will contain an additional section:
-----BEGIN PRIVATE KEY-----
-----END PRIVATE KEY-----
The PEM public key format contains the following header and footer lines:
-----BEGIN PUBLIC KEY-----
-----END PUBLIC KEY-----
PEM certificates are encoded in the text ASCII Base64 format, and you can view them in any text editor. Apache, Nginx, and similar web servers use SSL certificates in the PEM file format.
Note. Web Server IIS on Windows Server uses a different certificate format — .pfx.
DER is a binary certificate file. Certificate files in this format often have a .cer file extension, but you can also find a .der extension. As a rule, the DER certificate format is used on Java platforms.
P7B/PKCS#7. P7B certificate files are Base64 encoded and have a .p7b or .p7c extension. Such a file contains only a certificate and a chain of certificates, but not a private key. You can install P7B certificates on Windows and Java Tomcat.
P7B certificate files contain the lines:
-----BEGIN PKCS7-----
-----END PKCS7-----
PFX/PKCS#12. This is a binary format that includes a certificate, a chain of certificates (root certificates), and a private key. Such files have a .pfx or .p12 extension. PFX certificates are suitable for installation on Internet Information Services (IIS) on Windows Server.
Common certificate file extensions:
- .CRT — an extension for certificate files. The certificate itself can be a binary (.DER) or ASCII (.PEM). The .CER and .CRT extensions are synonyms. This type of certificate file is most commonly used on UNIX/Linux operating systems;
- .CER — alternative form of .CRT from Microsoft;
- .KEY — this file extension is used for PKCS#8 public and private keys, which can be stored in binary .DER or ASCII .PEM format;
- .PFX — certificate file in PFX binary format;
- .P7B — certificate file in PKCS#7 base64 format.
First of all, check whether your certificate file is already in PEM format and merely has a .crt extension. Try to open your .crt file using any text editor, or list its contents using PowerShell:
Get-Content .\cert.crt
If the contents of the file start with -----BEGIN, and you can read it in a text editor, this indicates that the file already uses the base64 format, which can be read in ASCII (the file is not in binary format).
This means your certificate is already in the PEM format. Just change the file extension from .crt to .pem in the Windows File Explorer.
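The same check can be done on the file's bytes instead of by eye. The following Python code is an added example, not part of the original article: it classifies content as PEM or DER using the markers described above and performs the DER to PEM wrapping itself. The function names and the sample bytes are constructed for illustration, and the DER classification is a heuristic based on the first inner element.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def der_length(data):
    """Return (header_len, content_len) of the outer DER element, or None."""
    if len(data) < 2:
        return None
    if data[1] < 0x80:                    # short form: one length byte
        return 2, data[1]
    n = data[1] & 0x7F                    # long form: next n bytes hold the length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n, int.from_bytes(data[2:2 + n], "big")

def detect_format(data):
    """Classify certificate file content by its bytes, not by its extension."""
    m = PEM_RE.search(data)
    if m:
        return "PEM " + m.group(1).decode()
    hdr = der_length(data)
    if data[:1] != b"\x30" or hdr is None or sum(hdr) != len(data):
        return "unknown"                  # not one complete DER SEQUENCE
    body = data[hdr[0]:]
    if body[:3] == b"\x02\x01\x03":       # PFX begins with INTEGER version 3
        return "DER PKCS#12"
    if body[:1] == b"\x06":               # PKCS#7 ContentInfo begins with an OID
        return "DER PKCS#7"
    if body[:1] == b"\x30":               # Certificate begins with tbsCertificate
        return "DER X.509"
    return "DER other"

def der_to_pem(der, label="CERTIFICATE"):
    """Base64-encode DER and wrap it at 64 columns between PEM header and footer."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, "\n".join(lines), label)

def pem_to_der(pem_text):
    """Decode the Base64 body of the first PEM block back to DER bytes."""
    return base64.b64decode(PEM_RE.search(pem_text.encode("ascii")).group(2))

# Constructed samples: DER framing only, not real certificates or key stores.
SAMPLE_CERT_DER = bytes.fromhex("300a" "3003020102" "3003020105")
SAMPLE_PFX_DER = bytes.fromhex("3005" "020103" "3000")
```

A file that reports "unknown" is truncated or not a certificate container at all, so renaming its extension will not make it usable.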
In order to convert SSL certificate files, you need to use third-party tools. The most commonly used conversion tool is OpenSSL.
Note. OpenSSL is a toolkit for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols (also a general-purpose cryptography library). Converting certificates using the OpenSSL library is considered one of the safest ways: all data will be saved directly on the device on which the conversion operations will be performed.
You can view certificate file information using OpenSSL:
openssl x509 -in /root/cert.pem -text
How to Convert CRT SSL Certificate to PEM on Windows?
On Windows, there are several ways to convert an SSL certificate file from one format to another.
- With built-in Certificate Export Wizard;
- Using the PSPKI PowerShell module;
- With openssl ports for Windows.
Use the Certificate Export Wizard to Change CRT File Format
On Windows 10/11 and Windows Server 2022/2019/2016, you can convert a .cer file to the Base64 (PEM) certificate file format using the Windows built-in certificate export tool.
- Run the File Explorer, locate and double-click your .cer file;
- In the certificate properties window go to the Details tab and click on the “Copy to File” button;
- Press Next on the first step of Certificate Export Wizard;
- Now you need to select the certificate export format. Select the option “BASE-64 encoded X.509 (.CER)” and click Next;
- Specify the file name;
- Press the Finish button;
- Now you can change your certificate file extension from .cer to .pem. You can use the following PowerShell command:
rename-item C:\PS\new_cert.cer c:\ps\new_cert.pem
- Ensure that the file format is Base64:
cat c:\ps\new_cert.pem
Convert SSL Certificates on Windows using PowerShell
Several built-in PowerShell cmdlets are available to export installed certificates from the local cert store to various file formats. To export a certificate, you need to specify its FriendlyName or Thumbprint:
Export Cert to PFX:
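# Get the certificate object from the local machine store by its thumbprint
$mycert = Get-Item -Path Cert:\LocalMachine\My\15DA70574DDE43177B6F6F6F00BF44231A1CF07E
# Sample password; replace it with a strong one of your own
$mypwd = ConvertTo-SecureString -String "123456" -Force -AsPlainText
$mycert | Export-PfxCertificate -FilePath C:\ps\mypfx.pfx -Password $mypwd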
Export Cert to CER:
$mycert | Export-Certificate -Type cer -FilePath c:\ps\mypfx.cer -Force
Export Cert to P7B:
$mycert |Export-Certificate -Type p7b -FilePath c:\ps\mypfx.p7b -Force
Export Cert to SST (as CER):
$mycert | Export-Certificate -Type SST -FilePath c:\ps\mypfx.sst -Force
To manage and convert SSL certificates on Windows, you can use the PSPKI (PowerShell PKI) module. You can install PSPKI from PSGallery:
Install-Module -Name PSPKI
After installation, you need to import the module into the session:
Import-Module PSPKI
There are two cmdlets available in the PSPKI module to change the certificate file format:
- Convert-PemToPfx
- Convert-PfxToPem
You can get information about the certificate file:
Show-Certificate -Certificate "C:\PS\Certs\server1-der.cer"|fl
To convert a PFX certificate to PEM format, run the command:
Convert-PfxToPem -InputFile "C:\PS\Certs\server1.cer" -OutputFile "C:\PS\Certs\server1.pem"
If you try to convert a DER certificate to PEM in this way, an error will appear:
Input file is not valid PKCS#12/PFX file
Converting SSL Certificate Format Using OpenSSL for Windows
If your .crt file is in binary format, you can convert it using the OpenSSL utility for Windows (in this case we used the OpenSSL port gnuwin32, version 0.9.8h).
Download the archive with OpenSSL binaries (openssl-0.9.8h-1-bin.zip) and extract it to a local folder (for example C:\OpenSSL). Copy your .crt file to the same directory. Open the command prompt as an administrator and change the folder:
cd C:\OpenSSL\bin
If the crt file is in binary format, then run the following command to convert it to PEM format:
Openssl.exe x509 -inform DER -outform PEM -in my_certificate.crt -out my_certificate.crt.pem
Change certificate file names to your own. This command helps you to convert a DER certificate file (.crt, .cer, .der) to PEM.
Note. When you convert your certificate files to different formats using OpenSSL, your certificate’s private data stays secure, since OpenSSL does not store it during the file conversion.
After executing the command, the new file my_certificate.crt.pem should appear in the same folder. Open it and make sure it is encoded in Base64. This certificate can now be imported to your web server or anywhere you want.
If you run the openssl.exe tool and receive an error Unable to load config info from /usr/local/ssl/openssl.cnf, you need to set up a new Windows environment variable using the following command:
Set OPENSSL_CONF=C:\openssl\share\openssl.cnf
Then re-run your Command prompt window and try to execute a command to convert your certificate file from the CRT to PEM file format.
Convert CRT SSL Certificate to PEM Format on Linux
Let’s look at how to convert a CRT/DER certificate file to the PEM format on Linux. First, you need to install the OpenSSL package.
On RedHat/CentOS/Fedora you can install OpenSSL as follows:
yum install openssl
Note. In this case the openssl-1:1.1.1c-2.el8.x86_64 package is already installed.
On Debian/Ubuntu distros, you can install this package using the APT:
apt-get install openssl
To convert your CER file to PEM format using OpenSSL, run the following command:
openssl x509 -inform der -in /home/tstcert.cer -out /home/tstcert.pem
tstcert.cer — source certificate file;
tstcert.pem — target pem file.
Some more examples of using OpenSSL to convert various certificate file formats:
- PEM to DER: openssl x509 -outform der -in certificate.pem -out certificate.der
- PKCS#12 with private key to PEM: openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
- PEM and private key files to PKCS#12: openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
- PEM to PKCS#7 (.p7b, .p7c): openssl crl2pkcs7 -nocrl -certfile certificate.pem -out certificate.p7b -certfile CAcert.cer
- PEM to PFX: openssl pkcs12 -export -out site.pfx -inkey site.key -in site.crt -certfile site.ca-bundle (you will be prompted to set the password for the key).
- DER to PEM: openssl x509 -inform der -in site.der -out site.crt
- P7B to PEM: openssl pkcs7 -print_certs -in site.p7b -out site.cer
- P7B to PFX: openssl pkcs7 -print_certs -in site.p7b -out site.cer && openssl pkcs12 -export -in site.cer -inkey site.key -out site.pfx -certfile site.ca-bundle
- PFX to PEM: openssl pkcs12 -in site.pfx -out site.crt -nodes
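The pkcs12 commands above that use -nodes write the private key into the output PEM file without encryption. The following Python code is an added example, not part of the original article: it lists the blocks in a PEM bundle, fingerprints each certificate, and flags private keys stored in clear text. The function names are illustrative and the sample bundles are constructed placeholders, not real keys or certificates.

```python
import base64
import hashlib
import re

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def audit_pem_bundle(text):
    """Return one entry per PEM block: its label, cert fingerprint, key exposure."""
    report = []
    for label, body in BLOCK_RE.findall(text):
        entry = {"label": label, "sha256": None, "cleartext_key": False}
        if label.endswith("PRIVATE KEY"):
            # Encrypted PKCS#8 keys carry their own label; legacy (traditional)
            # keys signal encryption with a Proc-Type header inside the block.
            encrypted = (label == "ENCRYPTED PRIVATE KEY"
                         or "Proc-Type: 4,ENCRYPTED" in body)
            entry["cleartext_key"] = not encrypted
        elif label == "CERTIFICATE":
            # The SHA-256 of the DER bytes is the same in PEM, DER or PFX form.
            entry["sha256"] = hashlib.sha256(base64.b64decode(body)).hexdigest()
        report.append(entry)
    return report

def has_cleartext_key(text):
    """True if any private key in the bundle is stored without encryption."""
    return any(e["cleartext_key"] for e in audit_pem_bundle(text))

def fake_block(label, payload, header=""):
    """Build a PEM-shaped block around placeholder bytes (constructed sample data)."""
    b64 = base64.b64encode(payload).decode("ascii")
    return "-----BEGIN %s-----\n%s%s\n-----END %s-----\n" % (label, header, b64, label)

# Constructed stand-in for the output of a pkcs12 export run with -nodes.
SAMPLE_NODES_OUTPUT = (
    "Bag Attributes\n    friendlyName: site\n"
    + fake_block("PRIVATE KEY", b"placeholder, not a real key")
    + fake_block("CERTIFICATE", b"placeholder, not a real certificate")
)
# Constructed stand-in for a bundle whose keys are passphrase-protected.
SAMPLE_PROTECTED = (
    fake_block("ENCRYPTED PRIVATE KEY", b"placeholder")
    + fake_block("RSA PRIVATE KEY", b"placeholder",
                 header="Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
)
```

Running the audit on a converted file before copying it to a server or a share shows whether it carries an unprotected key; comparing the certificate fingerprint before and after a conversion confirms the certificate itself was not altered.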
Using Openssl-ToolKit to Convert CRT Certificate File
If you are uncomfortable with the OpenSSL command line, you can use the OpenSSL ToolKit script to convert the certificates. OpenSSL ToolKit script is a simple wrapper tool for OpenSSL CLI to help automate common certificate management tasks. When using this script, certificates and keys are processed directly on the host and are not transferred anywhere.
- Run the following command to install the OpenSSL ToolKit script on Linux:
echo https://github.com/tdharris/openssl-toolkit/releases/download/1.1.0/openssl-toolkit-1.1.0.zip \
| xargs wget -qO- -O tmp.zip && unzip -o tmp.zip && rm tmp.zip && ./openssl-toolkit/openssl-toolkit.sh
- To convert a certificate file, select 2 and press Enter.
- Select the type of conversion (4. DER to PEM).
- Enter the name of the certificate file: /root/cert.cer.
- Specify the name of the file to convert to and press Enter.
- The script will convert the certificate file.
1 comment
Thank you, this is the best explanation of the formats I have seen, and it answered my simple question about a PEM format that has a crt extension.