Instructions on how to convert digital certificates from one file format to another
We’re going to get a little bit technical today and talk about how to convert a certificate to the correct format. While we do have a page on our site that talks about converting file formats for SSL certificates, this is a question we get asked a lot and I wanted to take some time and cover it a little more in-depth.
That also means addressing a few of the questions that inevitably arise along the way, such as why shouldn’t I just use a converter tool? And, what is OpenSSL?
Once we unravel everything it will feel a lot less overwhelming. So if you’re ready to learn how to convert a certificate to the correct format…
Let’s hash it out.
Why would I need to know how to convert a certificate to the correct format?
Before we talk about how to convert a certificate to the correct format, let’s start with what that even means. There are dozens of different server-types that are in regular use and unfortunately there is no uniform standard for file type. If this annoys you and you’re American, now you know how the rest of the world feels when it has to convert its metric units to US customary units because we thought it would be far more sporting not to count in units of ten.
At any rate, this diversity of server types has led to the use of multiple different file formats for digital certificates. Now, aren’t they all X.509 certificates? – you’re probably asking. Well, yes. And if you wanted us to, we could write an entire article on this topic that discusses Abstract Syntax Notation and byte arrays but I have a feeling that’s going to be a lot more information than you came for. So here’s the abridged version: An X.509 certificate is a type of digital certificate that uses the PKI standard (X.509 v3) to validate that a server is the rightful owner of the associated public key. When you see extensions like:
Those refer to how the certificate is encoded and presented. For lack of a more eloquent definition, encoding is basically just coding of data into a format that can be used by another system. Or put more simply, it’s coding data so it can be read and used by a computer. One of the most common encoding standards (that you will need to remember in a couple of paragraphs) is ASCII or the American Standard Code for Information Interchange (a far more ubiquitous standard than our measurement system), which is an encoding scheme used for files that contain text.
Now let’s talk a little bit about encoding styles.
- .der – Stands for Distinguished Encoding Rules, a binary encoding format. Windows views these as certificate files and actually exports certificates as .der formatted files but with an extension like .crt or .cer.
- .pem – Stands for Privacy Enhanced Mail, which is amusing considering that PEM basically failed at the function it was designed for, but proved useful as a container format. PEM files are just Base64 encoded DER files.
I can see that confused look on your face, so let’s break this down a little further.
A DER file is an X.509 digital certificate encoded in binary – 1’s and 0’s. Base64 is a binary-to-text encoding scheme, so a PEM file, which is a Base64 encoded DER file, is that same X.509 certificate, but encoded in text, which (remember!) is represented as ASCII.
Now is this starting to make a little more sense?
Ok, let’s keep going.
DER files are rarely used outside of Windows, so we’ll stop with them. But, remember how we said the PEM is a container? That’s because it can contain anything from just the digital certificate itself, to the entire certificate chain and the keypair. Unfortunately, not all browsers will recognize files with the .pem extension as certificates, so a lot of times you’ll see a different extension affixed to the end of a PEM file (and also DER files):
So when talking about how to convert a certificate to the correct format, you could be talking about how it’s encoded or how it’s presented. Now, there are a few other ways to present a certificate beyond PEM and DER: PKCS, or Public Key Cryptography Standards. Generally you see PKCS7, PKCS8 and PKCS12. Let’s start with PKCS7, which was originally defined by the company RSA before being turned over to the IETF. It is a multi-purpose format for disseminating encrypted and signed data. It eventually evolved into Cryptographic Message Syntax (CMS), but just like with SSL and TLS, PKCS7 is the colloquial name we all still use. It’s an open standard and it’s supported by Windows. One thing to note though is that it cannot contain a private key. PKCS7 gets used a lot with email certificates and forms the basis for S/MIME secure email.
PKCS8 is a similar standard used for carrying private keys. And finally, we have PKCS12, which provides better security via encryption. Much like a PEM file it can contain anything from the single certificate to the entire certificate chain and key pair, but unlike PEM it’s a fully encrypted, password-guarded container. If, during the generation of an SSL certificate, you’re prompted for a password, that password is what opens the certificate if it’s in the PKCS12 format.
Wouldn’t it be easier to do this if I just used a tool?
Absolutely. It would also be a lot riskier. While generally, we’d like to think you could trust all of the websites that host this kind of tool, uploading your digital certificate anywhere but your own server is generally ill-advised. And by that I mean, don’t use an online tool to convert your digital certificates to different file formats. Do it on your server using OpenSSL commands.
Which leads us to the next inevitable question…
What is OpenSSL?
OpenSSL is a software library. A computer doesn’t innately know how to do anything. You have to teach it. A software library is a collection of code, scripts, configurations and procedures that helps facilitate a given function. For instance, if you’re writing a piece of software that’s going to require a lot of mathematical calculations it only makes sense to add a mathematical software library so that you don’t have to write a whole bunch of complex mathematical functions yourself.
Now apply that concept to SSL. OpenSSL is a software library that enables the SSL/TLS protocol on pretty much every server under the sun. Yes, it’s that ubiquitous. So, while there may not be a universal file format for X.509 certificates, there is at least a universal language for manipulating them on servers. OpenSSL is written in the C programming language, which makes it extremely accessible to anyone with even a rudimentary knowledge of programming.
So, now let’s go over how to convert a certificate to the correct format.
How to convert a certificate to the correct format
Converting X.509 to PEM – This is a decision on how you want to encode the certificate (don’t pick DER unless you have a specific reason to).
openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem
Converting DER to PEM – Binary encoding to ASCII
openssl x509 -inform der -in certificatename.der -out certificatename.pem
Converting PEM to DER – ASCII to Binary
openssl x509 -outform der -in certificatename.pem -out certificatename.der
Converting PEM to PKCS7 – PKCS7 files can only contain certificates and certificate chains, never private keys.
openssl crl2pkcs7 -nocrl -certfile certificatename.pem -out certificatename.p7b -certfile CACert.cer
Converting PKCS7 to PEM – Remember, this file will not include the keypair.
openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.pem
Converting PKCS12 to PEM – Also called PFX, PKCS12 containers can include certificate, certificate chain and private key. They are password protected and encrypted.
openssl pkcs12 -in certificatename.pfx -out certificatename.pem
Converting PKCS12 to PKCS8 – PKCS8 is similar to PKCS7, only it’s intended for private key storage and can be encrypted with a password.
This takes two steps:
openssl pkcs12 -in certificatename.pfx -nocerts -nodes -out certificatename.pem
openssl pkcs8 -in certificatename.pem -topk8 -nocrypt -out certificatename.pk8
Converting PKCS7 to PKCS12 – This requires two steps as you’ll need to combine the private key with the certificate file.
openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer
openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer