This article has not been completed yet. However, it may already contain helpful information and therefore it has been published at this stage.


PEM ("Privacy Enhanced Mail") is the common format for X.509 certificates, CSRs ("Certificate Signing Request"), and cryptographic keys. A PEM file is a text file containing one or more items in Base64 ASCII encoding, each with plain-text headers and footers (e.g. -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----). A single PEM file could contain an end-entity certificate, a private key, or multiple certificates forming a complete chain of trust.

PEM Filename Extensions

PEM files are usually seen with the extensions .crt, .pem, .cer, and .key (for private keys)

# You can read the contents of a PEM certificate (<file>.cer) using the 
# 'openssl' command on Linux or Windows as follows:
openssl x509 -in <file>.cer -text


DER ("Distinguished Encoding Rules") is a binary encoding for X.509 certificates and private keys. Unlike PEM, DER-encoded files do not contain plain text statements such as -----BEGIN CERTIFICATE-----. DER files are most commonly seen in Java contexts.

DER Filename Extensions

DER-encoded files are usually found with the extensions .der and .cer.

# You can't read the contents of a DER certificate (<file>.der) in the 
# way as descriped for the PEM certificat. You will get an error if you do so:
openssl x509 -in <file>.cer -text
# You have to use the following 'openssl' command:
openssl x509 -inform der -in <file>.der -text -noout


PKCS#7 (also known as P7B) is a container format for digital certificates that is most  found in Windows and Java server contexts, and usually has the extension .p7b. PKCS#7 files are not used to store private keys. In the example below, you can see that the PB7- file contains 3 certificates (in this case a complete chain - the server - , intermediate - and root - certificate).

# You can read the contents of a PB7 File (<file>.pb7) using the 
# 'openssl' command on Linux or Windows as follows:
openssl pkcs7 -print_certs -in <file>.p7b


PKCS#12 (also known as PKCS12 or PFX) is a common binary format for storing a certificate chain and private key in a single, encryptable file, and usually have the filename extensions .p12 or .pfx.

# You can read the contents of a PFX File (<file>.pfx) using the 
# 'openssl' command on Linux or Windows as follows:
openssl pkcs12 -info -in <file>.pfx

Certificate conversion

# Conversion of PKCS#12 ( .pfx .p12, typically used on Microsoft Windows) 
# files with private key and certificate to PEM (typically used on Linux):

openssl pkcs12 -nodes -in <file>.pfx -out <file>.crt
# PKCS#12 Key Extraction 

openssl pkcs12 -in <file>.pfx -out <file>.key -nodes -nocerts
# Conversion of PEM to PKCS#12:

openssl pkcs12 -export -in <file>.crt -inkey <file>.key -out <file>.pfx
# Conversion of PKCS#7 format ( .p7b .p7c ) to PEM:

openssl pkcs7 -print_certs -in <file>.p7b -out <file>.cer
# Conversion of PEM format to PKCS#7:

openssl crl2pkcs7 -nocrl -certfile <file>.crt -out <file>.p7b
# Conversion of DER (.crt .cer or .der) to PEM:

openssl x509 -inform der -in <file>.der -out <file>.pem
# Conversion from PEM to DER format:

openssl x509 -outform der -in certificate.pem -out certificate.cer


Airheads Community
Product and Software: This article applies to all Aruba controllers and Aruba OS 3.1.1 and later. Question I have a certificate to upload to the Aruba
Frank’s Microsoft Exchange FAQ
PEM, DER, CRT, and CER: X.509 Encodings and Conversions
What Is an X.509 Certificate?
Cloud servers & Hosting Solutions for Enterprises, Small Business and Developers | Kinamo
How to use OpenSSL? OpenSSL is the true Swiss Army knife of certificate management, and just like with the real...