Not all applications accept every SSL certificate format. For example, the IIS Server in Windows only takes Personal Information Exchange (PFX) certificates, and Jenkins requires a Java KeyStore (JKS).
One of the most widely used certificate formats, accepted by popular applications like NGINX, is the Privacy-Enhanced Electronic Mail (PEM). But sometimes your certificate vendor, or the way you generated the certificate, gives you a different format, like a DER-encoded certificate with a CRT or CER extension.
The CRT, CER, and PEM Certificates
All SSL certificates are technically X509 certificates under the hood. The different certificate formats and filename extensions are enough to be a headscratcher, and rightly so. But let’s try to clear up some confusion about the CRT, CER, and PEM certificates.
- CRT and CER are technically not certificate formats but rather well-known filename extensions associated with two certificate formats — DER-encoded and Base64-encoded.
- PEM uses the same format as the Base64-encoded ASCII text. But it can contain the entire certificate chain (Root, CA, Certificate), the Root and CA chain, or the certificate itself.
- Base64 CRT and CER files cannot be converted to PEM because they are already the same format.
- Only DER-encoded CRT and CER certificates can be converted from binary to Base64 ASCII certificate format.
Base64-Encoded CRT or CER
A Base64-encoded certificate is a plain-text (ASCII) format you can view in any text editor. It appears as the following.
DER-Encoded CRT or CER
On the other hand, the DER-encoded CRT or CER file is in binary format. It cannot be viewed as a text file. If you open it in a text editor, you’ll see garbled characters that don’t make sense.
PEM Certificate Format
The PEM certificate is strictly a Base64-encoded ASCII file that’s the same as the Base64-encoded CER or CRT certificate. The difference is the PEM certificate can contain the complete chain, the CA chain only, or the certificate only.
Below is an example of a complete chain PEM.
Renaming Base64 CRT to PEM
As previously noted, Base64 CRT and PEM are already the same format, so there’s no conversion required.
In this example, you only need to rename the certificate from CRT or CER to PEM.
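Because the filename extension does not reveal the encoding, the check below (an added example, not code from the original article) inspects a file's bytes to decide whether it is already Base64 and only needs renaming, or is DER and needs conversion, then confirms that the SHA-256 fingerprint is unchanged by the conversion. The function names and the sample bytes are constructed for illustration; the DER check assumes a certificate between 256 bytes and 64 KB.

```python
import base64
import hashlib
import re
import ssl

PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s+(.*?)\s*-----END CERTIFICATE-----", re.S)


def detect_encoding(data: bytes) -> str:
    """Classify certificate bytes by content, never by filename extension."""
    if PEM_BLOCK.search(data):
        return "pem"
    # DER X.509 starts with an ASN.1 SEQUENCE tag (0x30). Assumption: the
    # length uses the two-byte long form (0x82), true for 256 B..64 KB files,
    # and must account for every remaining byte of the file.
    if len(data) > 4 and data[0] == 0x30 and data[1] == 0x82:
        if int.from_bytes(data[2:4], "big") == len(data) - 4:
            return "der"
    return "unknown"


def to_pem(data: bytes) -> str:
    """Return PEM text: Base64 input is passed through, DER is converted."""
    kind = detect_encoding(data)
    if kind == "pem":
        return data.decode("ascii")
    if kind == "der":
        return ssl.DER_cert_to_PEM_cert(data)
    raise ValueError("not a DER or Base64 certificate")


def fingerprints(pem_text: str) -> list[str]:
    """SHA-256 of each certificate's DER bytes, in file order (chain-aware)."""
    blocks = PEM_BLOCK.findall(pem_text.encode("ascii"))
    return [hashlib.sha256(base64.b64decode(b)).hexdigest() for b in blocks]


# Constructed sample: a DER-shaped placeholder (SEQUENCE header + 300 filler
# bytes), not a real certificate. Use the bytes of your own .crt/.cer file.
SAMPLE_DER = b"\x30\x82" + (300).to_bytes(2, "big") + bytes(range(256)) + bytes(44)
SAMPLE_PEM = to_pem(SAMPLE_DER)

if __name__ == "__main__":
    print(detect_encoding(SAMPLE_DER), detect_encoding(SAMPLE_PEM.encode()))
    # Conversion must not change the certificate: fingerprints must match.
    print(fingerprints(SAMPLE_PEM) == [hashlib.sha256(SAMPLE_DER).hexdigest()])
```

For a real file, pass `open(path, "rb").read()` to `detect_encoding`; a PEM file holding a full chain yields one fingerprint per certificate.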
Converting Binary CRT to PEM using the Certificate Export Wizard in Windows
You can use the Certificate Export Wizard if you have the DER CRT file or have it in the certificate store.
Locate the CRT file and double-click to open it.
Or locate it from the Certificate Manager and double-click to open it.
Switch to the Details tab and click Copy to file.
When the Certificate Export Wizard shows up, click Next.
Select Base-64 encoded X.509 (.CER) on the next page and click Next.
Specify the filename to export and click Next. Note that the wizard adds the *.cer filename extension automatically.
Click Finish to complete the export.
Click OK.
Locate the exported CER file and rename it to change the extension to PEM. Click Yes when prompted.
Converting Binary CRT to PEM using PowerShell
You could also convert the binary CRT file to PEM format in PowerShell, whether the certificate comes from the certificate store or from a file. For your convenience, we’ve written the PowerShell function below called ConvertTo-PEMCertificate. Copy the code below and paste it into your PowerShell window to import the function.
Function ConvertTo-PEMCertificate {
    [CmdletBinding()]
    param (
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]
        $Certificate,

        [Parameter(Mandatory)]
        [String]
        $PEMFileOut
    )

    # Convert the certificate's raw DER bytes to a Base64 string with line breaks
    $base64Cert = [System.Convert]::ToBase64String($($Certificate.GetRawCertData()), 'InsertLineBreaks')

    # Wrap the Base64 text in the PEM certificate header and footer
    $pemCert = "-----BEGIN CERTIFICATE-----`r`n$base64Cert`r`n-----END CERTIFICATE-----"

    # Write the PEM certificate to the path given in -PEMFileOut
    [System.IO.File]::WriteAllText($PEMFileOut, $pemCert)
}
Next, import the certificate object into a variable. You can load it from the certificate store or from a certificate file; use whichever of the two assignments below applies.
# Import from the certificate store
$certificate = Get-Item Cert:\LocalMachine\My\F84FA4E514D62FA89B6D2715EFB3E6CE569DFF4F

# Import from a certificate file
# (.NET resolves relative paths against the process working directory, which can
# differ from the current PowerShell location; use a full path if in doubt)
$certificate = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new("webapp.poshlab.xyz-der.crt")

# Convert to PEM
ConvertTo-PEMCertificate -Certificate $certificate -PEMFileOut "webapp.poshlab.xyz-converted.pem"
The certificate has been successfully exported to PEM.
Converting Binary CRT to PEM using OpenSSL
OpenSSL is primarily a Linux tool available out-of-the-box in most distros. There are also ports of OpenSSL for Windows available. The command and syntax are the same when converting a binary CRT file to PEM format, whether you’re using Linux or Windows.
openssl x509 -in <BINARY CRT FILE> -inform DER -out <PEM OUTPUT FILE> -outform PEM
For example, the below command converts the webapp.poshlab.xyz-der.crt certificate to webapp.poshlab.xyz-converted.pem.
openssl x509 -in webapp.poshlab.xyz-der.crt -inform DER -out webapp.poshlab.xyz-converted.pem -outform PEM
This one is run on Ubuntu.
And this one on Windows.
Conclusion
There are many more ways to convert DER-encoded CRT certificates to PEM format, and we cannot cover them all. What we showed you in this post are the most basic and accessible ways to do it.
Different applications and servers require different certificate formats. Many of them require PEM certificate formats, and it’s good to know that there are tools, native and third-party, that can convert them.