Converting Certificates - OpenSSL

Converting Certificates - OpenSSL

Converting Certificates From One Format to Another

There are several different file formats that can be used to hold certificates and their private keys each with their own benefits. Applications often use different file formats which means that from time to time you may need to convert your certificates from one format to another. To understand how to convert one certificate from one format to another it’s useful to understand how to identify the formats:

  • Privacy Enhanced Mail (PEM) – This is one of the most common formats you will see, its easily identifiable because it always starts and ends with “PEM Armor”, this is a header and a footer that declares what is in-between them. For example:

    -----END CERTIFICATE-----
    -----BEGIN PRIVATE KEY-----
    -----END PRIVATE KEY-----
    -----BEGIN PKCS7-----
    -----END PKCS7-----

  • PKCS #7 B (P7B) – This format is the "Cryptographic Message Syntax Standard". It generally contains a full certificate chain including the root, intermediate, and end-entity certificate. This is the format that is generally appended to digital signatures. 
  • PKCS #12/PFX/P12 – This format is the "Personal Information Exchange Syntax Standard". A .pfx will hold a private key and its corresponding public key. It may also include intermediate and root certificates. Pfx/p12 files are password protected. These can be readily imported for use by many browsers and servers including OS X Keychain, IIS, Apache Tomcat, and more.
  • Base64 – This is the standardized encoding for .pem files, though other file extensions such as .cer and .crt may also use Base64 encoding. 
  • DER – Distinguished Encoding Rules; this is a binary format commonly used in X.509 certificates. 

​While all of this can be a little confusing, thankfully OpenSSL can help you go from one format to another fairly easily. GNU/Linux platforms are generally pre-installed with OpenSSL. Mac OS X also ships with OpenSSL pre-installed. For Windows a Win32 OpenSSL installer is available.

Remember, it’s important you keep your Private Key secured; be sure to limit who and what has access to these keys.


  • Converting PEM encoded certificate to DER
    openssl x509 -outform der -in certificate.pem -out certificate.der

  • Converting DER encoded certificate to PEM
    openssl x509 -inform der -in certificate.cer -out certificate.pem

  • Converting PEM encoded certificates to PKCS7 (P7B)
    openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cer

  • Converting PKCS #7 (P7B) to PEM encoded certificates
    openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

Certificates and Keys

  • Converting PEM encoded Certificate and private key to PKCS #12 / PFX
    openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crt

  • Converting PKCS #7 (P7B) and private key to PKCS #12 / PFX
    openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
    openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cer

  • Converting PKCS #12 / PFX to PKCS #7 (P7B) and private key
    openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

Related Articles

GlobalSign System Alerts

View recent system alerts.

View Alerts

Certificate Inventory Tool

Scan your endpoints to locate all of your Certificates.

Log In / Sign Up

SSL Configuration Test

Check your certificate installation for SSL issues and vulnerabilities.