Yesterday we needed to convert the SSL x.509 certificates received from an authorized CA from crt to pem to make it compatible with specific software. In this article, we’ll show you the easiest way to convert your certificate file from the .crt to. pem format.
X.509 SSL certificates can be issued in various formats:
- .CRT or .CER — certificate;
- .DER — distinguished encoding rules;
- .PEM — privacy-enhanced electronic mail.
PEM (Privacy Enhanced Mail) is the most popular X.509 SSL certificate format issued by certification authority centers with different file extensions such as .pem, .crt, .cer or .key. Certificate files have the extension .pem, .crt, .cer, and .key. Files are encoded in the Base64 and necessarily start with the line “—– BEGIN CERTIFICATE —–” and end with the line “—– END CERTIFICATE —–“.
In fact, the PEM file format is a container that can also contain the public certificate or the entire certificate chain (private and public keys, root certificates) in the same file.
If the PEM certificate file contains a private key, it will contain an additional section:
----- BEGIN PRIVATE KEY ----- ----- END PRIVATE KEY ------
The PEM public key format contains the following header and footer lines:
— — -BEGIN PUBLIC KEY — — - — — -END PUBLIC KEY — — —
The PEM certificates are encoded in the text ASCII Base64 format, and you can view them in any text editor. Apache, Nginx, and similar web servers are using the SSL certificates in the PEM file format.
Note. Web Server IIS on Windows Server uses a different certificate format — .pfx.
DER is a binary certificate file. Certificate files in this format often have a .cer file extension, but you can also find a .der extension. As a rule, the DER certificate format is used on Java platforms.
Common certificate file extensions:
- .CRT — an extension for certificate files. The certificate itself can be a binary (.DER) or ASCII — (.PEM). The .CER and .CRT extensions are synonyms. This type of certificate file is most commonly used on UNIX/ Linux operating systems;
- .CER — alternative form of .CRT from Microsoft;
- .KEY — this file extension is used for PKCS#8 public and private keys, which can be stored in binary .DER or ASCII .PEM format.
First of all, check if your certificate file isn’t already in PEM format, but the file itself has a .crt extension. Try to open your .crt file using any text editor, or list its contents using PowerShell:
If the contents of the file start with —– BEGIN, and you can read it in a text editor, this indicates that the file already uses the base64 format, which can be read in ASCII (the file is not in binary format).
This means your certificate is already in the PEM format. Just change the file extension from .crt to .pem in the Windows File Explorer.
In order to convert SSL certificate files, you need to use third-party tools. The most commonly used conversion tool is OpenSSL.
Note. OpenSSL is a toolkit for Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols (also a general-purpose cryptography library). Converting using the OpenSSL library is considered one of the safest ways: all data will be saved directly on the device on which the conversion operations will be performed.
With OpenSSL you can print out information about a certificate file:
openssl x509 -in /root/cert.pem –text
How to Convert CRT SSL Certificate to PEM on Windows?
In case your crt file is in binary format, you can convert it using the OpenSSL utility for Windows (in this case we used the open SSL port gnuwin32, version 0.9.8h).
Download the archive with OpenSSL binaries (openssl-0.9.8h-1-bin.zip) and extract it to a local folder (for example C:\OpenSSL). Copy your .crt file to the same directory. After that, run the command prompt with administrator privileges and go to the folder:
If the crt file is in binary format, then run the following command to convert it to PEM format:
Openssl.exe x509 -inform DER -outform PEM -in my_certificate.crt -out my_certificate.crt.pem
Change certificate file names to your own. This command helps you to convert a DER certificate file (.crt, .cer, .der) to PEM.
Note. When you are converting your certificate files to different formats using OpenSSL, your certificate private data is secured, since it’s never stored by the OpenSSL during the file conversion.
After executing the command, the new file my_certificate.crt.pem should appear in the same folder. Open it and make sure it is encoded in Base64. This certificate can now be imported to your web server or anywhere you want.
If you run the openssl.exe tool and receive an error: Unable to load config info from /usr/local/ssl/openssl.cnf, you need to set up a new Windows environment variable using the following command:
Then re-run your Command prompt window and try to execute a command to convert your certificate file from the CRT to PEM file format.
On Windows 10/Windows Server 2016 you can convert CER to the DER (PEM) certificate file format from the Windows build-in certificate export tool.
- Run the File Explorer, locate and double-click your .cer file;
- In the certificate properties window go to the Details tab and click on the “Copy to File” button;
- Press Next on the first step of Certificate Export Wizard;
- Now you need to select the certificate export format. Select the option “BASE-64 encoded X.509 (.CER)” and click Next;
- Specify the file name;
- Press the Finish button;
- Now you can change your certificate file extension from .cer to .pem. You can use the following PowerShell command:
rename-item C:\PS\new_cert.cer c:\ps\new_cert.pem
- Ensure that the file format is Base64:
Convert CRT SSL Certificate to PEM Format on Linux
Let’s look at how to convert CRT/DER certificate file to the PEM format on Linux. First, you need to install the OpenSSL package.
On RedHat/CentOS/Fedora you can install OpenSSL as follows:
yum install openssl
Note. In this case the openssl-1:1.1.1c-2.el8.x86_64 package is already installed.
On Debian/Ubuntu distros, you can install this package using the APT:
apt-get install openssl
To convert your CER file to PEM format using OpenSSL, run the following command:
openssl x509 -inform der -in /home/tstcert.cer -out /home/tstcert.pem
tstcert.cer — source certificate file;
tstcert.pem — target pem file.
Some more examples of using OpenSSL to convert various certificate file formats:
PEM to DER:
openssl x509 -outform der -in certificate.pem -out certificate.der
PKCS#12 with private key to PEM:
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
PEM and private key files to PKCS#12:
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt
PEM to DER:
openssl x509 -outform der -in certificate.pem -out certificate.der
PEM to PKCS#7 (.p7b, .p7c)
openssl crl2pkcs7 -nocrl -certfile certificate.pem -out certificate.p7b -certfile CAcert.cer
Using Openssl-ToolKit to Convert CRT Certificate File
If you are uncomfortable with the OpenSSL command line, you can use the OpenSSL ToolKit script to convert the certificates. OpenSSL ToolKit script is a simple wrapper tool for OpenSSL CLI to help automate common certificate management tasks. When using this script, certificates and keys are processed directly on the host and are not transferred anywhere.
- Run the following command to install the OpenSSL ToolKit script on Linux:
echo https://github.com/tdharris/openssl-toolkit/releases/download/1.1.0/openssl-toolkit-1.1.0.zip \ | xargs wget -qO- -O tmp.zip && unzip -o tmp.zip && rm tmp.zip && ./openssl-toolkit/openssl-toolkit.sh
- Select 2 > Enter in order to convert certificate file.
- Select the type of conversion (4. DER to PEM).
- Enter the name of the certificate file: /root/cert.cer.
- Specify the name of the file to convert to and press Enter.
- The script will convert the certificate file.