There are two major encoding schemes for X.509 certificates and keys: PEM (Base64 ASCII), and DER (binary).
- DER (Distinguished Encoding Rules) is a data object encoding schema that can be used to encode certificate objects into binary files.
- PEM (Privacy Enhanced Mail) is an encrypted email encoding schema that can be borrowed to encode certificate DER files into text files.
We can’t always tell what kind of file we are working with just from looking at the filename; we may need to open it in a text editor and take a look for ourselves.
PEM (originally “Privacy Enhanced Mail”) is the most common format for X.509 certificates, CSRs, and cryptographic keys.
A PEM file is a text file containing one or more items in Base64 ASCII encoding, each with plain-text headers and footers (e.g. —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–).
Example of PEM
Here is an example of PEM format certificate.
# more certificate.pem
DER (Distinguished Encoding Rules) is a binary encoding for X.509 certificates and private keys. Unlike PEM, DER-encoded files do not contain plain text statements such as —–BEGIN CERTIFICATE—–. DER files are most commonly seen in Java contexts.
Those certificate DER files are binary files, which can not be viewed with text editors. But they can be processed by application without any problems.
DER-encoded certificate files are supported by almost all applications.
Difference between PEM and DER
If the certificate is in text format, then it is in PEM format.
We can read the contents of a PEM certificate (cert.crt) using the ‘openssl’ command on Linux or Windows as follows:
openssl x509 -in cert.crt -text
If the file content is binary, the certificate could be DER. To find out the format, run the following ‘openssl’ commands to open the certificate:
openssl x509 -in cert.crt -inform DER -text
Understanding CRT file
A file with .crt extension is a security certificate file that is used by secure websites to establish secure connections from web server to a browser.
If we open a secure website, we see a “lock” icon in the address bar. If we click on it, we can view the details of the installed certificate.
Convert CRT certificate to PEM
If our crt certificate is in PEM format, we can use cp cert.crt cert.pem to convert.
or openssl x509 -in cert.crt -out cert.pem
If our crt certificate is in der format, we need to use the following command to convert to pem.
openssl x509 -inform der -in cert.crt -out cert.pem