.CER and .CRT are both file extensions for X.509 digital certificates used in SSL/TLS encryption. They contain identical certificate data - the difference lies in encoding and platform convention. CER files typically use binary DER encoding and are the standard on Windows systems. CRT files use Base64 PEM encoding (ASCII text) and are the default on Linux and Unix servers running Apache or Nginx. Converting between them is a routine task when deploying certificates across mixed environments, and OpenSSL handles it in a single command.
What Is the Difference Between .CER and .CRT Files?
A .CER file and a .CRT file both store an X.509 digital certificate - the same underlying data structure defined in RFC 5280, the Internet standard for public key infrastructure. The distinction is not about what they contain, but how they encode it and which operating systems prefer them.
CER files use binary DER (Distinguished Encoding Rules) encoding by default, producing a compact binary file that cannot be opened in a text editor. Windows systems - including IIS and the Microsoft Certificate Manager - produce and expect .CER files by default.
CRT files use Base64 PEM (Privacy Enhanced Mail) encoding, wrapping certificate data in human-readable ASCII text between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers. Linux and Unix servers - Apache, Nginx, and most open-source web stacks - use .CRT files.
Neither format is superior. They are two conventions for packaging the same credential, each native to a different ecosystem.
| Feature | .CER File | .CRT File |
| Default Encoding | Binary DER | Base64 PEM (ASCII text) |
| Readable in Text Editor | No (binary) | Yes |
| Native Platform | Windows / IIS | Linux / Unix (Apache, Nginx) |
| Portability | Lower (binary format) | Higher (plain text) |
| Java Compatibility | Yes (DER) | Yes (PEM) |
According to RFC 5280, the IETF certificate standard that governs X.509 certificates, both DER and PEM are valid encodings of the same ASN.1 data structure - the file extension alone does not determine the actual encoding, which is why inspecting file contents before conversion is always recommended.
Why Do You Need to Convert Between CER and CRT?
Format conversion becomes necessary when a certificate issued in one environment needs to be installed in another. The most common scenarios:
- A Windows server exports a certificate as .CER, but the destination is an Apache or Nginx server expecting .CRT (PEM format).
- A Linux environment generates a .CRT file that needs to be imported into Windows Certificate Manager or IIS.
- An email system or Java application requires DER-encoded binary, but the CA delivered a PEM-encoded file.
- A developer needs to inspect certificate contents in a text editor - only possible with PEM/Base64 format.
One critical point: renaming a .CER to .CRT does not convert it. The file extension is just a label. Actual conversion requires re-encoding the certificate data - from binary DER to Base64 text, or vice versa. OpenSSL and Windows certutil both handle this correctly.
For broader certificate format conversions, see the guide on converting CRT to PEM, DER to PEM, and CER to PFX.
How Do You Convert CER to CRT Using OpenSSL?
OpenSSL is the standard tool for certificate conversions on Linux, macOS, and Windows (via WSL or Cygwin). It ships pre-installed on most Linux distributions and macOS systems.
Convert a DER-encoded .CER to PEM-encoded .CRT:
openssl x509 -inform DER -in certificate.cer -out certificate.crt
If your .CER file is already Base64 PEM-encoded (you can confirm by opening it in a text editor and looking for -----BEGIN CERTIFICATE-----), omit the -inform DER flag:
openssl x509 -in certificate.cer -out certificate.crt
Convert a PEM-encoded .CRT to DER-encoded .CER:
openssl x509 -in certificate.crt -outform DER -out certificate.cer
Verify the result after conversion:
openssl x509 -in certificate.crt -text -noout
This prints the certificate details in human-readable form. If the command returns certificate fields (Subject, Issuer, Validity), the conversion succeeded.
How Do You Convert CRT to CER on Windows?
Windows provides two built-in methods: the certutil command-line tool and the Certificate Manager GUI.
Using certutil (Command Prompt)
Run Command Prompt as Administrator, then:
Convert CRT to CER (Base64 to DER):
certutil -encode input.crt output.cer
Convert CER to CRT (DER to Base64):
certutil -decode input.cer output.crt
Using Certificate Manager (GUI)
- Open the certificate file by double-clicking it.
- Go to Details → Copy to File.
- The Export Wizard will open - select your target format: DER encoded binary (.CER) or Base64 encoded (.CRT).
- Save the exported file.
The GUI method is useful when you need to export certificates stored in the Windows certificate store, not just standalone files.
How Do You Convert CER and CRT Files on Linux?
On Linux, OpenSSL handles all conversions. The commands follow the same pattern - specify the input format with -inform and the output format with -outform.
CRT to CER (PEM to DER):
openssl x509 -inform PEM -in input.crt -outform DER -out output.cer
CER to CRT (DER to PEM):
openssl x509 -inform DER -in input.cer -outform PEM -out output.crt
If you are unsure of the input encoding, test it first:
openssl x509 -in yourfile.cer -text -noout
If that command returns readable output, the file is PEM-encoded. If it fails with a parsing error, add -inform DER and retry. This check prevents conversion errors before they cause installation failures.
For additional OpenSSL commands used in certificate management, the common OpenSSL commands reference covers the full toolkit.
When Should You Use .CER vs .CRT?
Platform context determines which extension to use:
- Use .CER when working with Windows environments - IIS, Active Directory Certificate Services, or any Microsoft product. Windows tooling generates and expects .CER by default, usually in DER binary format.
- Use .CRT when configuring Linux or Unix servers - Apache, Nginx, Lighttpd, or any server that reads PEM-encoded certificates. The .CRT extension with Base64 PEM encoding is the default expectation for these environments.
- Use either when the encoding matches what the application requires and you verify it before installation. Apache, for instance, will accept a .CER file if it is actually PEM-encoded - the extension is secondary to the actual encoding format.
When a CA delivers your certificate, always check the file contents before installing. If it opens in a text editor and shows -----BEGIN CERTIFICATE-----, it is PEM. If it appears as binary gibberish, it is DER.
What Are Common CER/CRT Conversion Errors and How Do You Fix Them?
- Wrong input encoding specified: Running openssl x509 -in file.cer on a DER binary file will fail. Always inspect first with openssl x509 -in file -text -noout and add -inform DER if that fails.
- File extension mismatch after conversion: Some systems reject certificates where the extension does not match the encoding. After converting, rename the file extension to match the new format (.cer for DER, .crt for PEM).
- Permission errors on Linux: Certificate directories (e.g., /etc/ssl/) require root privileges. Run conversion commands with sudo or switch to root.
- Corrupted or truncated file: If a certificate was copied via email or a text editor that auto-wrapped lines, the Base64 encoding may be corrupted. Re-download or re-export the certificate from the CA before retrying.
- Expired certificate: OpenSSL will convert an expired certificate without error, but the server will reject it at installation. Verify validity with openssl x509 -in certificate.crt -noout -dates before proceeding.
- Invalid certificate: If the original file is damaged or from an untrusted source, conversion will not produce a usable result. Always start with a valid certificate from your CA.
Frequently Asked Questions (FAQs) About CER and CRT Files
Are .CER and .CRT files the same?
They contain identical certificate data - both store X.509 certificates. The difference is encoding and platform convention. CER files default to binary DER encoding on Windows; CRT files default to Base64 PEM encoding on Linux. The extensions are labels, not format guarantees.
Can you just rename a .CRT file to .CER?
No. Renaming only changes the file extension label - it does not re-encode the data. A Windows system expecting DER binary format will reject a file that is Base64 PEM regardless of its extension. Use OpenSSL or certutil to actually convert the encoding.
What is DER encoding in a certificate file?
DER (Distinguished Encoding Rules) is a binary encoding format for ASN.1 data structures. Certificate files in DER format are more compact than PEM but cannot be read in a text editor. They are common on Windows and Java platforms.
What is the difference between PEM and CER?
PEM is an encoding format (Base64 ASCII with header/footer lines). CER is a file extension. A CER file can be either DER-encoded (binary) or PEM-encoded (Base64). The quickest way to tell: open the file in a text editor. If it shows -----BEGIN CERTIFICATE-----, it is PEM-encoded despite the .CER extension.
How do you convert CER to CRT without OpenSSL?
On Windows, use certutil -decode input.cer output.crt from an elevated Command Prompt. Alternatively, use the Windows Certificate Manager GUI and export via the Export Wizard selecting Base64 encoding. Online converters exist but are not recommended for production certificates due to security risks.
Which format should you use for Apache SSL installation?
Apache expects PEM-encoded certificates, typically with the .CRT extension. If you receive a .CER file from your CA, verify its encoding first. If it is DER binary, convert it with openssl x509 -inform DER -in certificate.cer -out certificate.crt before installation.
Priya Mervana
Verified Web Security Experts
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.
