Convert Formats

All of the certificates that we have been working with have been X.509 certificates that are ASCII PEM encoded.

OpenSSL can be used to convert certificates to and from a large variety of these formats. This section will cover a some of the possible conversions.

Convert PEM to DER

Use this command if you want to convert a PEM-encoded certificate (domain.crt) to a DER-encoded certificate (domain.der), a binary format:

1
2
3

$ openssl x509 \
       -in domain.crt \
       -outform der -out domain.der

Convert DER to PEM

Use this command if you want to convert a DER-encoded certificate (domain.der) to a PEM-encoded certificate (domain.crt):

1
2
3

$ openssl x509 \
       -inform der -in domain.der \
       -out domain.crt

Convert PEM to PKCS7

Use this command if you want to add PEM certificates (domain.crt and ca-chain.crt) to a PKCS7 file (domain.p7b):

1
2
3
4

$ openssl crl2pkcs7 -nocrl \
       -certfile domain.crt \
       -certfile ca-chain.crt \
       -out domain.p7b

Note that you can use one or more -certfile options to specify which certificates to add to the PKCS7 file.

PKCS7 files, also known as P7B, are typically used in Java Keystores and Microsoft IIS (Windows). They are ASCII files which can contain certificates and CA certificates.

Convert PKCS7 to PEM

Use this command if you want to convert a PKCS7 file (domain.p7b) to a PEM file:

1
2
3

$ openssl pkcs7 \
       -in domain.p7b \
       -print_certs -out domain.crt

Convert PEM to PKCS12

Use this command if you want to take a private key (domain.key) and a certificate (domain.crt), and combine them into a PKCS12 file (domain.pfx):

1
2
3
4

$ openssl pkcs12 \
       -inkey domain.key \
       -in domain.crt \
       -export -out domain.pfx

Convert PKCS12 to PEM

Use this command if you want to convert a PKCS12 file (domain.pfx) and convert it to PEM format (domain.combined.crt):

1
2
3

$ openssl pkcs12 \
       -in domain.pfx \
       -nodes -out domain.combined.crt