howtouselinux

Convert SSL certificate from CRT to PEM

Table of Contents

There are two major encoding schemes for X.509 certificates and keys: PEM (Base64 ASCII), and DER (binary).

  • DER (Distinguished Encoding Rules) is a data object encoding schema that can be used to encode certificate objects into binary files.
  • PEM (Privacy Enhanced Mail) is an encrypted email encoding schema that can be borrowed to encode certificate DER files into text files.

We can’t always tell what kind of file we are working with just from looking at the filename; we may need to open it in a text editor and take a look for ourselves.

Understanding SSL certificate PEM format

PEM (originally “Privacy Enhanced Mail”) is the most common format for X.509 certificates, CSRs, and cryptographic keys. A PEM file is a text file containing one or more items in Base64 ASCII encoding, each with plain-text headers and footers (e.g. —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–).

PEM files are simple text files that contain all of the information about an SSL certificate. They’re easy to understand and use, making them a great option for anyone who wants to secure their website or email communications.

Example of PEM file

Here is an example of PEM format certificate.

# more certificate.pem

—–BEGIN CERTIFICATE—–

MIIDZTCCAk2gAwIBAgIUYWbWmYiNaGtLhEIhAcBtWOBQAwQjELM
KtsNSEGDFdAFK7xh/L91l5eHSDSL0OApegcu2AhfUgSOnUBtUxa41yA
deh1GDjgei5H7CKZwIruvN6rYWdfqpnaynAXS+AjRL145FwovHbJjjr/
ewRvyGJyUkJO

—–END CERTIFICATE—–

Understanding SSL certificate DER format

DER (Distinguished Encoding Rules) is a binary encoding for X.509 certificates and private keys. Unlike PEM, DER-encoded files do not contain plain text statements such as —–BEGIN CERTIFICATE—–. DER files are most commonly seen in Java contexts.

Those certificate DER files are binary files, which can not be viewed with text editors. But they can be processed by application without any problems. DER-encoded certificate files are supported by almost all applications.

Check SSL Certificate with OpenSSL

Difference between PEM and DER

If the certificate is in text format, then it is in PEM format. We can read the contents of a PEM certificate (cert.crt) using the ‘openssl’ command on Linux or Windows as follows:

openssl x509 -in cert.crt -text

If the file content is binary, the certificate could be DER. To find out the format, run the following ‘openssl’ commands to open the certificate:

openssl x509 -in cert.crt -inform DER -text

Understanding SSL certificate CRT file

A file with .crt extension is a security certificate file that is used by secure websites to establish secure connections from web server to a browser. If we open a secure website, we see a “lock” icon in the address bar. If we click on it, we can view the details of the installed certificate.

Convert SSL CRT certificate to PEM

If our CRT certificate is in PEM format, we can use cp cert.crt cert.pem to convert.

or openssl x509 -in cert.crt -out cert.pem

If our CRT certificate is in DER format, we need to use the following command to convert to pem.

openssl x509 -inform der -in cert.crt -out cert.pem

Understanding X509 Certificate with Openssl Command

David Cao
David Cao

Hey there! I am David, a Cloud & DevOps Enthusiast and 18 years of experience as a Linux engineer. I work with AWS, Git & GitHub, Linux, Python, Ansible, and Bash. I am a technical blogger and a Software Engineer, enjoy sharing my learning and contributing to open-source.