Certificates and Encodings

At its core an X.509 certificate is a digital document that has been encoded and/or digitally signed according to RFC 5280.

In fact, the term X.509 certificate usually refers to the IETF’s PKIX Certificate and CRL Profile of the X.509 v3 certificate standard, as specified in RFC 5280, commonly referred to as PKIX for Public Key Infrastructure (X.509).

X509 File Extensions

The first thing we have to understand is what each type of file extension is.   There is a lot of confusion about what DER, PEM, CRT, and CER are and many have incorrectly said that they are all interchangeable.  While in certain cases some can be interchanged the best practice is to identify how your certificate is encoded and then label it correctly.  Correctly labeled certificates will be much easier to manipulat

Encodings (also used as extensions)

  • .DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension.   Proper English usage would be “I have a DER encoded certificate” not “I have a DER certificate”.
  • .PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “—– BEGIN …” line.

Common Extensions

  • .CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous.  Most common among *nix systems
  • CER = alternate form of .crt (Microsoft Convention) You can use MS to convert .crt to .cer (.both DER encoded .cer, or base64[PEM] encoded .cer)  The .cer file extension is also recognized by IE as a command to run a MS cryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER) which displays a dialogue for importing and/or viewing certificate contents.
  • .KEY = The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.

The only time CRT and CER can safely be interchanged is when the encoding type can be identical.  (ie  PEM encoded CRT = PEM encoded CER)

Common OpenSSL Certificate Manipulations

There are four basic types of certificate manipulations. View, Transform, Combination , and Extraction


Even though PEM encoded certificates are ASCII they are not human readable.  Here are some commands that will let you output the contents of a certificate in human readable form;

View PEM encoded certificate

Use the command that has the extension of your certificate replacing cert.xxx with the name of your certificate

If you get the folowing error it means that you are trying to view a DER encoded certifciate and need to use the commands in the “View DER encoded certificate  below”

View DER encoded Certificate

If you get the following error it means that you are trying to view a PEM encoded certificate with a command meant for DER encoded certs. Use a command in the “View PEM encoded certificate above


Transforms can take one type of encoded certificate to another. (ie. PEM To DER conversion)




In some cases it is advantageous to combine multiple pieces of the X.509 infrastructure into a single file.  One common example would be to combine both the private key and public key into the same certificate.

The easiest way to combine certs keys and chains is to convert each to a PEM encoded certificate then simple copy the contents of each file into a new file.   This is suitable for combining files to use in applications lie Apache.


Some certs will come in a combined form.  Where one file can contain any one of: Certificate, Private Key, Public Key, Signed Certificate, Certificate Authority (CA), and/or Authority Chain.

Recommended Posts


  1. This article helped me a lot in tying all of this together

  2. Ridiculously helpful. Thanks so much for taking the time to share this.

    • Glad the article helped out.

  3. This is suitable for combining files to use in applications lie Apache.

    This is suitable for combining files to use in applications LIKE Apache.

    My product has done something funky with their certificate… Colubris Access Point. open SSL can gets no readz!

  4. Very precise, very helpful. Thank you.
    You might want to add a minus before the “in” under “PEM to DER”

    • Thanks for the heads up. I’ve made that correction to PEM to DER command.

  5. Thanks for this. Not to be nitpicking but there are some typo’s in the last sections, ‘simple’ where it should be ‘simply’ and ‘lie’ where it should be ‘like’.

  6. Thanks, Nice article…
    Got clear idea on certificate formats….

  7. Hai..

    Thanks a lot for your clear and easy explanation.. I want to translate this page and write additional notes in my blog.. do you allow me to rewrite your article in Bahasa Indonesia? I will mention your post in my blog 🙂 Thanks a lot

    • Yes, you have my expressed permission to translate this page into any language you wish. I only ask that you link back to me as your reference material.

  8. Hai Mark..

    How to link back your blog? I already add your web in my article.. Thanks a lot 🙂

  9. I have got all required information’s from this document. Thanks a lot for the detail.

  10. […] This command will convert a pfx certificate to a X509 pem encoded certificate. The use of the -nodes flag will give the option to password protect the private key in the new pem encoded certificate. For information on converting pem to der encoded certificates. […]

  11. […] If you want to learn more about certificate extensions please see my other blog post here: der vs crt vs cer vs pem certificates […]

  12. Lot of information I got from this article. I am new to SSL/TLS. This article help me with primer information.

  13. This is such a good clarification for the most part that SSL.com just copied and pasted it as a Knowledgebase article.


    • I noticed that. Thanks for the nod as the original creator of this content! Cheers!

  14. thank you so much, I spend some time struggling with an a wrong syntax about openssl when you gave me the soution to use the DER format.

  15. […] Antwort: Sie können die openssl-Tools verwenden, um den Codierungstyp zu finden und zwischen den Codierungen zu konvertieren. Siehe dieses Tutorial – DER vs. CRT vs. CER vs. PEM-Zertifikate […]

Add a Comment

Your email address will not be published. Required fields are marked *