NOTE: Please note that, this is a RIP OFF from the website http://www.sslshopper.com. Thanks for http://www.sslhopper.com for the valuable information provided. If anyone has any complaints, please contact me.
Different Platforms & Devices requires SSL certificates in different formats
eg:- A Windows Server uses .pfx files
An Apache Server uses .crt, .cer files
NOTE: Only way to tell the difference between PEM .cer and DER .cer is to open the file in a Text editor and look for the BEGIN/END statements.
PEM Format
It is the most common format that Certificate Authorities issue certificates in. It contains the ‘—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–” statements.
Several PEM certificates and even the Private key can be included in one file, one below the other. But most platforms(eg:- Apache) expects the certificates and Private key to be in separate files.
> They are Base64 encoded ACII files
> They have extensions such as .pem, .crt, .cer, .key
> Apache and similar servers uses PEM format certificates
DER Format
It is a Binary form of ASCII PEM format certificate. All types of Certificates & Private Keys can be encoded in DER format
> They are Binary format files
> They have extensions .cer & .der
> DER is typically used in Java platform
P7B/PKCS#7
They contain “—–BEGIN PKCS—–” & “—–END PKCS7—–” statements. It can contain only Certificates & Chain certificates but not the Private key.
> They are Base64 encoded ASCII files
> They have extensions .p7b, .p7c
> Several platforms supports it. eg:- Windows OS, Java Tomcat
PFX/PKCS#12
They are used for storing the Server certificate, any Intermediate certificates & Private key in one encryptable file.
> They are Binary format files
> They have extensions .pfx, .p12
> Typically used on Windows OS to import and export certificates and Private keys
Converting Certificates between different Formats
PEM
Convert PEM to DER
—————————————————————————————————–
$ openssl x509 -outform der -in certificate.pem -out certificate.der
—————————————————————————————————–
Convert PEM to P7B
———————————————————————————————————————————
$ openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CAcert.cer
———————————————————————————————————————————-
Convert PEM to PFX
——————————————————————————————————————————————————
$ openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CAcert.crt
——————————————————————————————————————————————————
DER
Convert DER to PEM
————————————————————————————————–
$ openssl x509 -inform der -in certificate.cer -out certificate.pem
————————————————————————————————–
P7B
Convert P7B to PEM
————————————————————————————————-
$ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
————————————————————————————————-
Convert P7B to PFX
——————————————————————————————————————————————————-
$ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
$ openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CAcert.cer
——————————————————————————————————————————————————-
PFX
Convert PFX to PEM
——————————————————————————————–
$ openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes
——————————————————————————————–
NOTE: While converting PFX to PEM format, openssl will put all the Certificates and Private Key into a single file. You will need to open the file in Text editor and copy each Certificate & Private key(including the BEGIN/END statements) to its own individual text file and save them as certificate.cer, CAcert.cer, privateKey.key respectively.
Thanks a bunch, I’ve been searching for hours on how to do PKCS to PEM.
Do you know how to do this in Windows certutil ?
Hi…What if a pem file contains a chain of certificates and i want to convert that entire chain to DER format? How could i do that using OpenSSL or some other library?
Have you found out how to do this? I have a similar requirement to convert a file with several certificates in PEM format to an equivalent DER?
This is very useful! I found this page while looking for PEM to PKCS#7 conversion command, but the outline of the differences between the different formats is very handy as well. Thanks!
All it can do certutil.exe in Windows Server 2008/Vista and later – http://technet.microsoft.com/ru-ru/library/cc732443(v=ws.10).aspx
The Java keytool can also be used for converting certifacte formats. Howover you need to create a keystore first. Source:
http://www.devops-insight.com/2014/09/convert-certificates-pem-der.html?m=1
[…] How to Convert certificates between PEM, DER, P7B/PKCS#7, PFX/PKCS#12 […]
Excellent reference. I was stuck trying to convert a DER to PFX without first extracting the PEM. THANK YOU.
thank u so mutch for this … helped a lot
You can also use the java keytool if openssl is not available on your system:
Source: http://www.devops-insight.com/2014/09/convert-certificates-pem-der.html
where to type this commands?
Thank you!
[…] How to Convert certificates between PEM, DER, P7B/PKCS#7, PFX/PKCS#12 | My Online Storage of Knowled…. […]
[…] https://myonlineusb.wordpress.com/2011/06/19/how-to-convert-certificates-between-pem-der-p7bpkcs7-pf… […]