Converting CRT to PEM Format

Yesterday we needed to convert the SSL X.509 certificates received from an authorized CA from .crt to .pem to make them compatible with specific software. In this article, we’ll show you the easiest way to convert your certificate file from the .crt to the .pem format.

X.509 SSL certificates can be issued in various formats:

  • .CRT or .CER — certificate;
  • .DER — distinguished encoding rules;
  • .PEM — privacy-enhanced electronic mail.

PEM (Privacy Enhanced Mail) is the most popular X.509 SSL certificate format issued by certification authorities. PEM files can have different file extensions, such as .pem, .crt, .cer, or .key. They are encoded in Base64 and necessarily start with the line “-----BEGIN CERTIFICATE-----” and end with the line “-----END CERTIFICATE-----”.

In fact, the PEM file format is a container that can contain only the public certificate or the entire certificate chain (private and public keys, root certificates) in the same file.

If the PEM certificate file contains a private key, it will contain an additional section:

-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----

The PEM public key format contains the following header and footer lines:

-----BEGIN PUBLIC KEY-----

-----END PUBLIC KEY-----

PEM certificates are encoded in the ASCII Base64 text format, and you can view them in any text editor. Apache, Nginx, and similar web servers use SSL certificates in the PEM file format.

Note. Web Server IIS on Windows Server uses a different certificate format — .pfx.

DER is a binary certificate file. Certificate files in this format often have a .cer file extension, but you can also find a .der extension. As a rule, the DER certificate format is used on Java platforms.

Common certificate file extensions:

  • .CRT — an extension for certificate files. The certificate itself can be binary (.DER) or ASCII (.PEM). The .CER and .CRT extensions are synonyms. This type of certificate file is most commonly used on UNIX/Linux operating systems;
  • .CER — alternative form of .CRT from Microsoft;
  • .KEY — this file extension is used for PKCS#8 public and private keys, which can be stored in binary .DER or ASCII .PEM format.

First of all, check whether your certificate file is already in PEM format and simply has a .crt extension. Open your .crt file in any text editor, or list its contents using PowerShell:

gc .\cert.crt

If the contents of the file start with -----BEGIN and you can read it in a text editor, the file already uses the Base64 format, which is readable as ASCII (the file is not in binary format).

This means your certificate is already in the PEM format. Just change the file extension from .crt to .pem in the Windows File Explorer.

In order to convert SSL certificate files, you need to use third-party tools. The most commonly used conversion tool is OpenSSL.

Note. OpenSSL is a toolkit for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols (also a general-purpose cryptography library). Converting using the OpenSSL library is considered one of the safest ways: all data will be saved directly on the device on which the conversion operations will be performed.

With OpenSSL you can print out information about a certificate file:

openssl x509 -in /root/cert.pem -text

How to Convert CRT SSL Certificate to PEM on Windows?

If your .crt file is in binary format, you can convert it using the OpenSSL utility for Windows (in this case we used the GnuWin32 port of OpenSSL, version 0.9.8h).

Download the archive with OpenSSL binaries (openssl-0.9.8h-1-bin.zip) and extract it to a local folder (for example C:\OpenSSL). Copy your .crt file to the same directory. After that, run the command prompt with administrator privileges and go to the folder:

cd C:\OpenSSL\bin

If the crt file is in binary format, then run the following command to convert it to PEM format:

Openssl.exe x509 -inform DER -outform PEM -in my_certificate.crt -out my_certificate.crt.pem

Change certificate file names to your own. This command helps you to convert a DER certificate file (.crt, .cer, .der) to PEM.

Note. When you convert your certificate files to different formats using OpenSSL, your certificate private data is secured, since it’s never stored by OpenSSL during the file conversion.

After executing the command, the new file my_certificate.crt.pem should appear in the same folder. Open it and make sure it is encoded in Base64. This certificate can now be imported to your web server or anywhere you want.

If you run the openssl.exe tool and receive an error: Unable to load config info from /usr/local/ssl/openssl.cnf, you need to set up a new Windows environment variable using the following command:

Set OPENSSL_CONF=C:\openssl\share\openssl.cnf

Then re-run your Command prompt window and try to execute a command to convert your certificate file from the CRT to PEM file format.

On Windows 10/Windows Server 2016 you can convert CER to the DER (PEM) certificate file format using the Windows built-in certificate export tool.

  1. Run the File Explorer, locate and double-click your .cer file;
  2. In the certificate properties window go to the Details tab and click on the “Copy to File” button;
  3. Press Next on the first step of Certificate Export Wizard;
  4. Now you need to select the certificate export format. Select the option “BASE-64 encoded X.509 (.CER)” and click Next;
  5. Specify the file name;
  6. Press the Finish button;
  7. Now you can change your certificate file extension from .cer to .pem. You can use the following PowerShell command:
    rename-item C:\PS\new_cert.cer c:\ps\new_cert.pem
  8. Ensure that the file format is Base64:
    cat c:\ps\new_cert.pem


Convert CRT SSL Certificate to PEM Format on Linux

Let’s look at how to convert a CRT/DER certificate file to the PEM format on Linux. First, you need to install the OpenSSL package.

On RedHat/CentOS/Fedora you can install OpenSSL as follows:

yum install openssl

Note. In this case the openssl-1:1.1.1c-2.el8.x86_64 package is already installed.

On Debian/Ubuntu distros, you can install this package using the APT:

apt-get install openssl

To convert your CER file to PEM format using OpenSSL, run the following command:

openssl x509 -inform der -in /home/tstcert.cer -out /home/tstcert.pem

tstcert.cer — source certificate file;
tstcert.pem — target pem file.
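
The format check described earlier and the conversion command above can be combined into one script. This is an added example, not part of the original article; the function names cert_encoding, has_private_key and to_pem are hypothetical. It converts a DER file with the same openssl x509 command, and for a file that is already PEM it copies only the certificate blocks, so a private key bundled in the same file is left behind.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.

# cert_encoding FILE: print "pem", "der" or "unknown".
cert_encoding() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    elif [ "$(head -c 1 "$1" 2>/dev/null | od -An -tx1 | tr -d ' \n')" = 30 ]; then
        echo der
    else
        echo unknown
    fi
}

# has_private_key FILE: succeed if the file holds any PEM private-key block
# (PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY).
has_private_key() {
    grep -Eq -- '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$1"
}

# to_pem SRC DST: write the certificate(s) from SRC to DST in PEM format.
to_pem() {
    src=$1
    dst=$2
    case "$(cert_encoding "$src")" in
        pem)
            if has_private_key "$src"; then
                echo "to_pem: $src also holds a private key; not copied" >&2
            fi
            # Copy only the certificate blocks, leaving any key material behind.
            sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' \
                "$src" > "$dst"
            ;;
        der)
            openssl x509 -inform der -in "$src" -out "$dst" || return 1
            ;;
        *)
            echo "to_pem: $src is neither a PEM nor a DER certificate" >&2
            return 2
            ;;
    esac
    # Let OpenSSL parse the result so a truncated or corrupted file is caught.
    openssl x509 -in "$dst" -noout
}

# Run as: sh to_pem.sh input.crt output.pem
if [ "$#" -eq 2 ]; then
    to_pem "$1" "$2"
fi
```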

Some more examples of using OpenSSL to convert various certificate file formats:

PEM to DER:

openssl x509 -outform der -in certificate.pem -out certificate.der

PKCS#12 with private key to PEM (the -nodes option writes the private key to keyStore.pem unencrypted):

openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes

PEM and private key files to PKCS#12:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

PEM to PKCS#7 (.p7b, .p7c):

openssl crl2pkcs7 -nocrl -certfile certificate.pem -out certificate.p7b -certfile CAcert.cer

Using Openssl-ToolKit to Convert CRT Certificate File

If you are uncomfortable with the OpenSSL command line, you can use the OpenSSL ToolKit script to convert the certificates. OpenSSL ToolKit script is a simple wrapper tool for OpenSSL CLI to help automate common certificate management tasks. When using this script, certificates and keys are processed directly on the host and are not transferred anywhere.

  1. Run the following command to install the OpenSSL ToolKit script on Linux:
    echo https://github.com/tdharris/openssl-toolkit/releases/download/1.1.0/openssl-toolkit-1.1.0.zip \
    | xargs wget -qO- -O tmp.zip && unzip -o tmp.zip && rm tmp.zip && ./openssl-toolkit/openssl-toolkit.sh
  2. Select 2 and press Enter to convert a certificate file.
  3. Select the type of conversion (4. DER to PEM).
  4. Enter the name of the certificate file: /root/cert.cer.
  5. Specify the name of the file to convert to and press Enter.
  6. The script will convert the certificate file.
Cyril Kardashevsky

One comment

  1. Thank you, this is the best explanation of the formats I have seen, and it answered my simple question about a PEM format that has a crt extension.
