Yesterday we needed to convert the SSL x.509 certificate received from an authorized CA from crt to pem to make it compatible with specific software. In this article, we’ll show you the easiest way to convert your certificate file from the .crt to .pem format.
X.509 SSL certificates can be issued in various formats:
- .CRT or .CER—certificate;
- .DER—distinguished encoding rules;
- .PEM—privacy-enhanced electronic mail.
PEM is the most popular SSL certificate format issued by certification authority centers with different file extensions such as .pem, .crt, .cer or .key. Certificate files have the extension .pem, .crt, .cer, and .key. Files are encoded in the Base64 and necessarily start with the line “—– BEGIN CERTIFICATE —–” and end with the line “—– END CERTIFICATE —–“.
PEM certificate can contain both the certificate and the certificate private key in the same file. The PEM certificates are encoded in the text ASCII Base64 format, and you can view them in any text editor. Apache, Nginx, and similar web servers are using the SSL certificates in the PEM file format.
Note. Web Server IIS on Windows Server uses a different certificate format — .pfx.
DER is a binary certificate file. Certificate files in this format often have a .cer file extension, but you can also find a .der extension. As a rule, DER certificate format is used on Java platforms.
First of all, check if your certificate file isn’t already in PEM format, but the file itself has a .crt extension. Try to open your .crt file using any text editor, or list its contents using PowerShell:
If the contents of the file start with —– BEGIN, and you can read it in a text editor, this indicates that the file already uses the base64 format, which can be read in ASCII (the file is not in binary format).
This means your certificate is already in the PEM format. Just change the file extension from .crt to .pem in the Windows File Explorer.
How to Convert CRT SSL Certificate to PEM on Windows?
In case your crt file is in binary format, you can convert it using the OpenSSL utility for Windows (in this case we used the open SSL port gnuwin32, version 0.9.8h).
Download the archive with OpenSSL binaries (openssl-0.9.8h-1-bin.zip) and extract it to a local folder (for example C:\OpenSSL). Copy your .crt file to the same directory. After that, run the command prompt with administrator privileges and go to the folder:
If the crt file is in binary format, then run the following command to convert it to PEM format:
Openssl.exe x509 -inform DER -outform PEM -in my_certificate.crt -out my_certificate.crt.pem
Change certificates file names to your own. This command helps you to convert a DER certificate file (.crt, .cer, .der) to PEM.
Note. When you are converting your certificate files to different formats using OpenSSL, your certificate private data is secured, since it’s never stored by the OpenSSL during the file conversion.
After executing the command, the new file my_certificate.crt.pem should appear in the same folder. Open it and make sure it is encoded in Base64. This certificate can now be imported to your web server or anywhere you want.
If you run the openssl.exe tool and received an error: Unable to load config info from /usr/local/ssl/openssl.cnf, you need to set up a new Windows environment variable using the following command:
Then re-run your Command prompt window and try to execute a command to convert your certificate file from the CRT to PEM file format.
On Windows 10/Windows Server 2016 you can convert CER to the DER (PEM) certificate file format from the Windows build-in certificate export tool.
- Run the File Explorer, locate and double click your .cer file;
- In the certificate properties window go to the Details tab and click on the “Copy to File” button;
- Press Next on the first step of Certificate Export Wizard;
- Now you need to select the certificate export format. Select the option “BASE-64 encoded X.509 (.CER)” and click Next;
- Specify the file name;
- Press the Finish button;
- Now you can change your certificate file extension from .cer to .pem. You can use the following PowerShell command:
rename-item C:\PS\new_cert.cer c:\ps\new_cert.pem
- Ensure that the file format is Base64:
Convert CRT SSL Certificate to PEM Format on Linux
Let’s look at how to convert CRT/DER certificate file to the PEM format on Linux. First, you need to install the OpenSSL package.
On RedHat/CentOS/Fedora you can install OpenSSL as follows:
yum install openssl
Note. In this case the openssl-1:1.1.1c-2.el8.x86_64 package is already installed.
On Debian/Ubuntu distros, you can install this package using the APT:
apt-get install openssl
To convert your CER file to PEM format using openssl, run the following command:
openssl x509 -inform der -in /home/tstcert.cer -out /home/tstcert.pem
tstcert.cer — source certificate file;
tstcert.pem — target pem file.