
Formats

PEM Format

  • Encoded in Base64 ASCII.
  • Requires separate files for certificates and private keys.
  • Common extensions: .cer, .crt, .pem, .key.

DER Format

  • A binary format of certificates.
  • Lacks the "BEGIN/END CERTIFICATE" statements found in PEM files.
  • Common extensions: .cer, .der.
  • Often used with Java platforms.

P7B/PKCS#7 Format

  • Stored in Base64 ASCII, with extensions .p7b or .p7c.
  • Contains only certificates and chain certificates, excluding the private key.
  • Supported by Microsoft Windows and Java Tomcat.

PFX/P12/PKCS#12 Format

  • A binary format that encapsulates server certificates, intermediate certificates, and private keys in one file.
  • Extensions: .pfx, .p12.
  • Mainly used on Windows for certificate import and export.

Converting Formats

Converting to and from PEM is often necessary for compatibility between platforms:

  • x509 to PEM
openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem
  • PEM to DER
openssl x509 -outform der -in certificatename.pem -out certificatename.der
  • DER to PEM
openssl x509 -inform der -in certificatename.der -out certificatename.pem
  • PEM to P7B
openssl crl2pkcs7 -nocrl -certfile certificatename.pem -out certificatename.p7b -certfile CACert.cer
  • PKCS7 to PEM
openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.pem
  • PFX to PEM
openssl pkcs12 -in certificatename.pfx -out certificatename.pem
  • PFX to PKCS#8

    • Convert PFX to PEM
openssl pkcs12 -in certificatename.pfx -nocerts -nodes -out certificatename.pem
    • Convert PEM to PKCS8
openssl pkcs8 -in certificatename.pem -topk8 -nocrypt -out certificatename.pk8
  • P7B to PFX

    • Convert P7B to CER
openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer
    • Convert CER and Private Key to PFX
openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer
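
After a conversion it helps to confirm what the output file actually contains, because the PFX to PEM commands above can leave a private key in the PEM output, and -nodes and -nocrypt write that key unencrypted. The following is an added example, not part of the original page: it tells PEM from DER and lists the blocks in a PEM file, flagging unencrypted private keys. The function names and the dummy sample data are assumptions made for illustration.

```python
import base64
import re

# One PEM block: BEGIN line, optional "Key: value" headers, Base64 body, END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def sniff_format(data: bytes) -> str:
    """Classify file contents as PEM (text armor) or DER (raw ASN.1)."""
    if b"-----BEGIN " in data:
        return "PEM"
    # DER certificates and PKCS#12 files start with an ASN.1 SEQUENCE tag (0x30).
    return "DER" if data[:1] == b"\x30" else "unknown"

def inventory_pem(text: str) -> list:
    """List every block in a PEM file and flag private keys stored unencrypted."""
    found = []
    for label, body in PEM_BLOCK.findall(text):
        lines = [ln.strip() for ln in body.strip().splitlines()]
        headers = [ln for ln in lines if ":" in ln]          # e.g. Proc-Type, DEK-Info
        der = base64.b64decode("".join(ln for ln in lines if ":" not in ln))
        encrypted = label == "ENCRYPTED PRIVATE KEY" or any(
            h.startswith("Proc-Type:") and "ENCRYPTED" in h for h in headers)
        found.append({
            "label": label,
            "der_len": len(der),
            "is_sequence": der[:1] == b"\x30",
            "cleartext_key": label.endswith("PRIVATE KEY") and not encrypted,
        })
    return found

def _armor(label: str, der: bytes, headers: str = "") -> str:
    """Wrap DER bytes in PEM armor (helper for the constructed sample below)."""
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{headers}{b64}\n-----END {label}-----\n"

# Constructed sample: dummy DER (SEQUENCE { INTEGER 0 }), not real certificates or keys.
DUMMY_DER = bytes.fromhex("3003020100")
SAMPLE = (
    "Bag Attributes\n    friendlyName: example\n"   # text openssl pkcs12 writes before blocks
    + _armor("CERTIFICATE", DUMMY_DER)
    + _armor("PRIVATE KEY", DUMMY_DER)
    + _armor("ENCRYPTED PRIVATE KEY", DUMMY_DER)
    + _armor("RSA PRIVATE KEY", DUMMY_DER, "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
)

if __name__ == "__main__":
    print(sniff_format(SAMPLE.encode()), sniff_format(DUMMY_DER))
    for block in inventory_pem(SAMPLE):
        print(block)
```

A block reported with cleartext_key set to True is a private key readable by anyone who can read the file, so such output belongs behind restrictive file permissions or should be re-encrypted.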

Types of certificates

Self-signed

Wildcard

A certificate for *.domain.local will secure anything.domain.local, but not a multi-level subdomain like something.somethingelse.domain.local.

