PEM Format (*.pem \ *.crt \ *.cer \ *.key)
The PEM format is a base64 encoded file format representing an X.509 certificate, or the certificate you are presented in your browser. If you open the certificate file in a text editor and it looks like a long block of text beginning with -----BEGIN CERTIFICATE-----, then it is likely in PEM format. PEM files can also contain private keys, but these are usually kept separate from their public key counterpart.
View Public Key
    openssl x509 -in mycert.pem -text -noout
View Private Key
    # If encrypted, you will be prompted for the private key password
    openssl pkey -in mypriv.key -text -noout
Convert to DER (*.cer \ *.der)
    openssl x509 -in mycert.pem -outform der -out mycert.cer
Convert to PKCS7 (*.p7b)
    openssl crl2pkcs7 -nocrl -certfile mycert.pem -out mycert.p7b
Convert to PKCS12 (*.pfx)
Linux or macOS
    # If encrypted, you will be prompted for the private key password
    # You will be prompted to provide a password for the PFX file
    openssl pkcs12 -export -in mycert.pem -inkey mypriv.key -out mycert.pfx
Windows
Note: Certutil looks for a *.key file matching the name of the *.crt file. Ensure that the *.crt and *.key files have the same name (i.e., mycert.crt and mycert.key).

    certutil -mergepfx mycert.crt mycert.pfx
DER Format (*.cer \ *.der)
The DER format is a binary file representing an X.509 certificate, or the certificate you are presented in your browser. Opening this file in a text editor will display garbage, because it is binary rather than text like PEM. Your private key will not be in DER format.
View Public Key
    openssl x509 -inform der -in mycert.cer -text -noout
Convert to PEM (*.pem \ *.crt \ *.cer)
    openssl x509 -inform der -in mycert.cer -outform pem -out mycert.pem
Convert to PKCS12 (*.pfx)
    # If encrypted, you will be prompted for the private key password
    # You will be prompted to provide a password for the PFX file
    openssl x509 -inform der -in mycert.cer | openssl pkcs12 -export -inkey mypriv.key -out mycert.pfx
PKCS7 Format (*.p7b)
The PKCS7 format is a base64 encoded file format typically containing a certificate revocation list and a certificate chain. The PKCS7 file does not contain a private key.
View Public Key
    openssl pkcs7 -in mycert.p7b -print_certs -text -noout
Convert to PEM (*.pem \ *.crt \ *.cer)
    openssl pkcs7 -in mycert.p7b -print_certs -out mycert.pem
PKCS12 Format (*.pfx)
A PKCS12 file can have either a PFX or a P12 file extension. These formats are not the same. The PFX format is a binary file, while the P12 format is simply a base64 encoded version of the PFX file. Converting between these two is noted below. The PKCS12 file does contain a private key.
View Public Key
    openssl pkcs12 -in mycert.pfx -nokeys | openssl x509 -text -noout
View Private Key
    # You will be prompted for the PFX file password
    openssl pkcs12 -in mycert.pfx -nocerts -nodes | openssl pkey -text -noout
Convert to DER (*.cer \ *.der)
    # Output public key to mycert.cer
    openssl pkcs12 -in mycert.pfx -nokeys | openssl x509 -outform der -out mycert.cer
    # Output private key to mypriv.key
    # You will be prompted to provide a private key password
    openssl pkcs12 -in mycert.pfx -nocerts -out mypriv.key
Convert to PEM (*.pem \ *.crt \ *.cer \ *.key)
    # Output public key to mycert.pem
    openssl pkcs12 -in mycert.pfx -nokeys -out mycert.pem
    # Output private key to mypriv.key
    # You will be prompted to provide a private key password
    openssl pkcs12 -in mycert.pfx -nocerts -aes256 -out mypriv.key
Convert to (*.p12)
    openssl base64 -in mycert.pfx -out mycert.p12
Convert from (*.p12)
    openssl base64 -d -in mycert.p12 -out mycert.pfx
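To tell which section above applies to an unknown file, the following added example (not from the original page) classifies a file by its PEM label or leading DER bytes and flags private keys stored unencrypted. `cert_format` and its output labels are hypothetical names, and the DER checks are heuristics that should be confirmed with the matching openssl command.

```shell
#!/bin/sh
# Added example: cert_format and its labels are hypothetical, not openssl features.
cert_format() {
    f=$1
    [ -r "$f" ] || { echo "unreadable"; return 1; }

    # Text encodings: collect the label of every "-----BEGIN <label>-----" line.
    labels=$(LC_ALL=C sed -n 's/^-----BEGIN \([A-Z0-9 ]*\)-----.*$/\1/p' "$f")
    case $labels in *"PRIVATE KEY"*)
        # "ENCRYPTED" is in the PKCS#8 label or the traditional Proc-Type
        # header. With several keys in one file, any match reports encrypted.
        if LC_ALL=C grep -q 'ENCRYPTED' "$f"; then
            echo "pem-private-key-encrypted"
        else
            echo "pem-private-key-unencrypted"
        fi
        return 0 ;;
    esac
    case $(printf '%s\n' "$labels" | head -n 1) in
        CERTIFICATE) echo "pem-certificate"; return 0 ;;
        PKCS7)       echo "pem-pkcs7"; return 0 ;;
        ?*)          echo "pem-other"; return 0 ;;
    esac

    # Binary encodings: read the first ten bytes as hex words.
    set -- $(od -An -tx1 -N10 "$f")
    case "${1:-} ${2:-}" in
        "4d 49") echo "base64-der-no-header"; return 0 ;;  # "MI": base64 of 30 8x
        "30 "?*) ;;                                        # DER SEQUENCE, inspect below
        *)       echo "unknown"; return 0 ;;
    esac
    # Skip the outer SEQUENCE tag and length to reach the first inner element.
    skip=2
    if [ $((0x$2)) -ge 128 ]; then skip=$((2 + (0x$2 & 127))); fi
    [ $# -gt "$skip" ] || { echo "der-unknown"; return 0; }
    shift "$skip"
    case "$1 ${2:-} ${3:-}" in
        "02 01 03") echo "pkcs12" ;;           # PFX starts with version INTEGER 3
        "30 "*)     echo "der-certificate" ;;  # heuristic: confirm with openssl x509 -inform der
        *)          echo "der-unknown" ;;
    esac
}

# Label every file named on the command line.
for f in "$@"; do printf '%s: %s\n' "$f" "$(cert_format "$f")"; done
```

Save it as a script and pass the files to check as arguments; a result of `pem-private-key-unencrypted` means the key can be read by anyone who can read the file.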