There are two major encoding schemes for X.509 certificates and keys: PEM (Base64 ASCII), and DER (binary).
- DER (Distinguished Encoding Rules) is a data object encoding schema that can be used to encode certificate objects into binary files.
- PEM (Privacy Enhanced Mail) is an encrypted email encoding schema that can be borrowed to encode certificate DER files into text files.
We can’t always tell what kind of file we are working with just from looking at the filename; we may need to open it in a text editor and take a look for ourselves.
Table of Contents
Understanding SSL certificate PEM format
PEM (originally “Privacy Enhanced Mail”) is the most common format for X.509 certificates, CSRs, and cryptographic keys. A PEM file is a text file containing one or more items in Base64 ASCII encoding, each with plain-text headers and footers (e.g. —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–).
PEM files are simple text files that contain all of the information about an SSL certificate. They’re easy to understand and use, making them a great option for anyone who wants to secure their website or email communications.
Example of PEM file
Here is an example of PEM format certificate.
# more certificate.pem
—–BEGIN CERTIFICATE—–
MIIDZTCCAk2gAwIBAgIUYWbWmYiNaGtLhEIhAcBtWOBQAwQjELM
KtsNSEGDFdAFK7xh/L91l5eHSDSL0OApegcu2AhfUgSOnUBtUxa41yA
deh1GDjgei5H7CKZwIruvN6rYWdfqpnaynAXS+AjRL145FwovHbJjjr/
ewRvyGJyUkJO
—–END CERTIFICATE—–
Understanding SSL certificate DER format
DER (Distinguished Encoding Rules) is a binary encoding for X.509 certificates and private keys. Unlike PEM, DER-encoded files do not contain plain text statements such as —–BEGIN CERTIFICATE—–. DER files are most commonly seen in Java contexts.
Those certificate DER files are binary files, which can not be viewed with text editors. But they can be processed by application without any problems. DER-encoded certificate files are supported by almost all applications.
Check SSL Certificate with OpenSSL
Difference between PEM and DER
If the certificate is in text format, then it is in PEM format. We can read the contents of a PEM certificate (cert.crt) using the ‘openssl’ command on Linux or Windows as follows:
openssl x509 -in cert.crt -text
If the file content is binary, the certificate could be DER. To find out the format, run the following ‘openssl’ commands to open the certificate:
openssl x509 -in cert.crt -inform DER -text
Understanding SSL certificate CRT file
A file with .crt extension is a security certificate file that is used by secure websites to establish secure connections from web server to a browser. If we open a secure website, we see a “lock” icon in the address bar. If we click on it, we can view the details of the installed certificate.
Convert SSL CRT certificate to PEM
If our CRT certificate is in PEM format, we can use cp cert.crt cert.pem to convert.
or openssl x509 -in cert.crt -out cert.pem
If our CRT certificate is in DER format, we need to use the following command to convert to pem.
openssl x509 -inform der -in cert.crt -out cert.pem