{"id":7744,"date":"2018-10-18T14:57:43","date_gmt":"2018-10-18T18:57:43","guid":{"rendered":"https:\/\/www.thesslstore.com\/blog\/?p=7744"},"modified":"2020-08-24T15:40:07","modified_gmt":"2020-08-24T19:40:07","slug":"how-to-convert-a-certificate-to-the-correct-format","status":"publish","type":"post","link":"https:\/\/www.thesslstore.com\/blog\/how-to-convert-a-certificate-to-the-correct-format\/","title":{"rendered":"How to convert a certificate to the correct format"},"content":{"rendered":"<h2>Instructions on how to convert digital certificates from one file format to another<\/h2>\n<p>We\u2019re going to get a little bit technical today and talk about how to convert a certificate to the correct format. While we do have a <a href=\"https:\/\/www.thesslstore.com\/ssltools\/ssl-converter.php\">page on our site that talks about converting file formats for SSL certificates<\/a>, this is a question we get asked a lot and I wanted to take some time and cover it a little more in depth.<\/p>\n<p>That also means addressing a few of the questions that inevitably arise along the way, such as why shouldn\u2019t I just use a converter tool? And, what is OpenSSL?<\/p>\n<p>Once we unravel everything it will feel a lot less overwhelming. So if you\u2019re ready to learn how to convert a certificate to the correct format\u2026<\/p>\n<p>Let\u2019s hash it out.<span id=\"newline\"><\/span><\/p>\n<h2>Why would I need to know how to convert a certificate to the correct format?<\/h2>\n<p>Before we talk about how to convert a certificate to the correct format, let&#8217;s start with what that even means. There are dozens of different server types that are in regular use and unfortunately there is no uniform standard for file type. 
If this annoys you and you\u2019re American, now you know how the rest of the world feels when it has to convert its metric units to US customary units because we thought it would be far more sporting not to count in units of ten.<\/p>\n<p>At any rate, this diversity of server types has led to the use of multiple different file formats for digital certificates. Now, aren\u2019t they all X.509 certificates? &#8211; you\u2019re probably asking. Well, yes. And if you wanted us to, we could write an entire article on this topic that discusses Abstract Syntax Notation and byte arrays but I have a feeling that\u2019s going to be a lot more information than you came for. So here\u2019s the abridged version: An X.509 certificate is a type of digital certificate that uses the PKI standard (X.509 v3) to validate that a server is the rightful owner of the associated public key. 
When you see extensions like:<img loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-7746 size-medium\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/bigstock-182428858-e1539888468584-300x300.jpg\" alt=\"How to convert a certificate to the correct format\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/bigstock-182428858-e1539888468584-300x300.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/bigstock-182428858-e1539888468584-768x768.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/bigstock-182428858-e1539888468584.jpg 800w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<ul>\n<li>.der<\/li>\n<li>.pem<\/li>\n<li>.crt<\/li>\n<li>.cer<\/li>\n<li>.pkcs7<\/li>\n<li>.p7b<\/li>\n<li>.pkcs8<\/li>\n<li>.pkcs12<\/li>\n<li>.pfx<\/li>\n<li>.p12<\/li>\n<\/ul>\n<p>Those refer to how the certificate is encoded and presented. For lack of a more eloquent definition, encoding is basically just coding of data into a format that can be used by another system. Or put more simply, it&#8217;s coding data so it can be read and used by a computer. One of the most common encoding standards (that you will need to remember in a couple of paragraphs) is ASCII or the American Standard Code for Information Interchange (a far more ubiquitous standard than our measurement system), which is an encoding scheme used for files that contain text.<\/p>\n<p>Now let\u2019s talk a little bit about encoding styles.<\/p>\n<ul>\n<li>.der \u2013 Stands for Distinguished Encoding Rules, a binary encoding format. Windows views these as certificate files and actually exports certificates as .der formatted files but with an extension like .crt or .cer.<\/li>\n<li>.pem \u2013 Stands for Privacy Enhanced Mail, which is amusing considering that PEM basically failed at the function it was designed for, but proved useful as a container format. 
PEM files are just Base64 encoded DER files.<\/li>\n<\/ul>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-medium wp-image-7749\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/bigstock-222671314-300x300.jpg\" alt=\"How to convert a certificate to the correct format\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/bigstock-222671314-300x300.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/bigstock-222671314-768x768.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/bigstock-222671314-1024x1024.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/bigstock-222671314.jpg 1600w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>I can see that confused look on your face, so let\u2019s break this down a little further.<\/p>\n<p>A DER file is an X.509 digital certificate encoded in binary &#8211; 1&#8217;s and 0&#8217;s. Base64 is a binary-to-text encoding scheme, so a PEM file, which is a Base64 encoded DER file, is that same X.509 certificate, but encoded in text, which (remember!) is represented as ASCII.<\/p>\n<p>Now is this starting to make a little more sense?<\/p>\n<p>Ok, let\u2019s keep going.<\/p>\n<p>DER files are rarely used outside of Windows, so we\u2019ll stop with them. But, remember how we said the PEM is a container? That\u2019s because it can contain anything from just the digital certificate itself, to the entire certificate chain and the keypair. 
Unfortunately, not all browsers will recognize files with the .pem extension as certificates, so a lot of times you\u2019ll see a different extension affixed to the end of a PEM file (and also DER files):<\/p>\n<ul>\n<li>.cert<\/li>\n<li>.crt<\/li>\n<li>.cer<\/li>\n<\/ul>\n<p>So when talking about how to convert a certificate to the correct format, you could be talking about how it&#8217;s encoded or how it&#8217;s presented. Now, there are a few other ways to present a certificate beyond PEM and DER. One family is PKCS, the Public Key Cryptography Standards; generally you see PKCS7, PKCS8 and PKCS12. Let\u2019s start with PKCS7, which was originally defined by the company RSA before being turned over to the IETF. It is a multi-purpose format for distributing encrypted and signed data. It eventually evolved into Cryptographic Message Syntax, CMS, but just like with SSL and TLS, PKCS7 is the colloquial name we all still use. It\u2019s an open standard and it\u2019s supported by Windows. One thing to note though is that it cannot contain a private key. PKCS7 gets used a lot with email certificates and forms the basis for S\/MIME secure email.<\/p>\n<p>PKCS8 is a similar standard used for carrying private keys. And finally, we have PKCS12, which provides better security via encryption. Much like a PEM file it can contain anything from the single certificate to the entire certificate chain and key pair, but unlike PEM it\u2019s a fully encrypted password-guarded container. If, during the generation of an SSL certificate you\u2019re prompted for a password, it can be used to open the certificate if it\u2019s in the PKCS12 format.<\/p>\n<h2>Wouldn\u2019t it be easier to do this if I just used a tool?<\/h2>\n<p>Absolutely. It would also be a lot riskier. While generally, we\u2019d like to think you could trust all of the websites that host this kind of tool, uploading your digital certificate anywhere but your own server is generally ill-advised. 
And by that I mean, don\u2019t use an online tool to convert your digital certificates to different file formats. Do it on your server using OpenSSL commands.<\/p>\n<p>Which leads us to the next inevitable question\u2026<\/p>\n<h2>What is OpenSSL?<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignright size-medium wp-image-7747\" src=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/bigstock-Coding-Desktop-Screen-Vector-I-248939263-300x300.jpg\" alt=\"How to convert a certificate to the correct format\" width=\"300\" height=\"300\" srcset=\"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/bigstock-Coding-Desktop-Screen-Vector-I-248939263-300x300.jpg 300w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/bigstock-Coding-Desktop-Screen-Vector-I-248939263-768x768.jpg 768w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/bigstock-Coding-Desktop-Screen-Vector-I-248939263-1024x1024.jpg 1024w, https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/bigstock-Coding-Desktop-Screen-Vector-I-248939263.jpg 1600w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/>OpenSSL is a software library. A computer doesn\u2019t innately know how to do anything. You have to teach it. A software library is a collection of code, scripts, configurations and procedures that helps facilitate a given function. For instance, if you\u2019re writing a piece of software that\u2019s going to require a lot of mathematical calculations it only makes sense to add a mathematical software library so that you don\u2019t have to write a whole bunch of complex mathematical functions yourself.<\/p>\n<p>Now apply that concept to SSL. OpenSSL is a software library that enables the SSL\/TLS protocol on pretty much every server under the sun. Yes, it\u2019s that ubiquitous. 
So, while there may not be a universal file format for X.509 certificates, there is at least a universal language for manipulating them on servers. OpenSSL is written in the C programming language, which makes it extremely accessible to anyone with even a rudimentary knowledge of programming.<\/p>\n<p>So, now let\u2019s go over how to convert a certificate to the correct format.<\/p>\n<h2>How to convert a certificate to the correct format<\/h2>\n<p>Converting X.509 to PEM \u2013 This is a decision on how you want to encode the certificate (don\u2019t pick DER unless you have a specific reason to).<\/p>\n<pre>openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem<\/pre>\n<p>Converting DER to PEM \u2013 Binary encoding to ASCII<\/p>\n<pre>openssl x509 -inform der -in certificatename.der -out certificatename.pem<\/pre>\n<p>Converting PEM to DER \u2013 ASCII to Binary<\/p>\n<pre>openssl x509 -outform der -in certificatename.pem -out certificatename.der<\/pre>\n<p>Converting PEM to PKCS7 \u2013 PKCS7 files can only contain certificates and certificate chains, never private keys.<\/p>\n<pre>openssl crl2pkcs7 -nocrl -certfile certificatename.pem -out certificatename.p7b -certfile CACert.cer<\/pre>\n<p>Converting PKCS7 to PEM \u2013 Remember, this file will not include the keypair.<\/p>\n<pre>openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.pem<\/pre>\n<p>Converting PKCS12 to PEM \u2013 Also called PFX, PKCS12 containers can include the certificate, certificate chain and private key. 
They are password-protected and encrypted.<\/p>\n<pre>openssl pkcs12 -in certificatename.pfx -out certificatename.pem<\/pre>\n<p>Converting PKCS12 to PKCS8 \u2013 PKCS8 is similar to PKCS7, only it\u2019s intended for private key storage and can be encrypted with a password.<\/p>\n<p>This takes two steps:<\/p>\n<pre>openssl pkcs12 -in certificatename.pfx -nocerts -nodes -out certificatename.pem\n\nopenssl pkcs8 -in certificatename.pem -topk8 -nocrypt -out certificatename.pk8<\/pre>\n<p>Converting PKCS7 to PKCS12 \u2013 This requires two steps as you\u2019ll need to combine the private key with the certificate file.<\/p>\n<pre>openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer\n\nopenssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Instructions on how to convert digital certificates from one file format to another We\u2019re going to get a little bit technical today and talk about how to convert a 
certificate&#8230;<\/p>\n","protected":false},"author":6,"featured_media":7745,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":"","tve_updated_post":"","tve_custom_css":"","tve_user_custom_css":"","tve_globals":{},"tcb2_ready":0,"tcb_editor_enabled":0,"tve_landing_page":"","_tve_header":"","_tve_footer":""},"categories":[130],"tags":[9057],"class_list":["post-7744","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-everything-encryption","tag-digital-certificates","post-with-tags"],"views":122996,"jetpack_featured_media_url":"https:\/\/www.thesslstore.com\/blog\/wp-content\/uploads\/2018\/10\/bigstock-Cloud-Computing-Data-Or-Crypt-248166637.jpg","_links":{"self":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/7744","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/comments?post=7744"}],"version-history":[{"count":0,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/posts\/7744\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media\/7745"}],"wp:attachment":[{"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/media?parent=7744"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/categories?post=7744"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.thesslstore.com\/blog\/wp-json\/wp\/v2\/tags?post=7744"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}