Converting SSL certificate formats is a task every server administrator encounters. Converting CRT to PEM, DER to PEM, or CER to PFX each takes a single OpenSSL command, but which command you need depends on your source encoding and target platform. This guide covers all three conversions with exact commands, verification steps, and error fixes - so your certificate installs correctly the first time.
PEM (Privacy Enhanced Mail) stores certificate data as Base64 ASCII text between -----BEGIN CERTIFICATE----- markers. DER (Distinguished Encoding Rules) stores the same data in binary format. PFX/PKCS#12 bundles a certificate, its private key, and any intermediate certificates into one password-protected binary file. CRT and CER are container extensions that can hold either PEM or DER encoded data - the extension alone does not tell you the encoding.
What Is the Difference Between CRT, PEM, DER, CER, and PFX Certificate Formats?
The CRT vs PEM vs DER difference comes down to encoding, not certificate content. PEM is Base64 ASCII text - open it in any text editor and you'll see readable headers. DER is binary - the same X.509 certificate data stored in a compact, non-human-readable format. CRT and CER are file extensions, not encodings; either can contain PEM or DER data.
According to SSL.com's X.509 encodings and conversions guide, PEM is the most common format that Certificate Authorities issue certificates in, making it the default starting point for most server deployments.
Common Format Characteristics:
| Format | Encoding | Contains Private Key | Common Extensions | Primary Use |
| --- | --- | --- | --- | --- |
| PEM | Base64 ASCII | Optional (separate file) | .pem, .crt, .cer, .key | Linux/Unix servers (Apache, Nginx) |
| DER | Binary | No | .der, .cer | Java applications, Windows exports |
| PFX/PKCS#12 | Binary | Yes (bundled) | .pfx, .p12 | Windows IIS, Exchange, code signing |
| CRT | PEM or DER | No | .crt | Generic certificate file |
| CER | PEM or DER | No | .cer | Microsoft convention |
Apache and Nginx use PEM: separate .crt and .key files. Windows IIS and Exchange require PFX because the Windows Certificate Store expects a single, password-protected bundle containing both the certificate and private key.
How Do You Convert CRT to PEM Format?
To convert CRT to PEM, first determine whether your .crt file is already PEM-encoded or uses DER binary encoding. Open the file in a text editor. If you see -----BEGIN CERTIFICATE----- followed by readable ASCII text, the file is already PEM - rename it or use it directly.
If the file shows binary characters or is unreadable in a text editor, it is DER-encoded and requires conversion.
For DER-encoded CRT files:
openssl x509 -inform DER -in certificate.crt -out certificate.pem
The -inform DER flag tells OpenSSL the input is binary-encoded. The output file certificate.pem will contain the certificate in Base64 ASCII format with BEGIN/END markers.
For an already PEM-encoded .crt file:
cp certificate.crt certificate.pem
Most servers that accept .pem also accept .crt directly - the extension does not affect how the certificate is read, only the encoding matters.
How Do You Convert DER to PEM Format?
Converting DER to PEM on Linux uses OpenSSL's x509 utility to change the binary encoding to Base64 text. The command is:
openssl x509 -inform DER -in certificate.der -out certificate.pem
After running this command, open certificate.pem in a text editor. The file should start with -----BEGIN CERTIFICATE----- and display clean ASCII text. If it shows binary content, re-check that the source file is actually DER-encoded.
For private keys stored in DER format, use the rsa utility instead:
openssl rsa -inform DER -in privatekey.der -out privatekey.pem
The x509 command handles certificate files only. The rsa command handles key files. Using x509 on a key file - or rsa on a certificate file - will produce an error, not a converted file.
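Because the extension does not reveal the encoding, a script can sniff the file contents instead of relying on a text editor. The following is an added example, not code from the original article: it classifies a certificate or key file as PEM or DER by its first bytes (PEM starts with "-----BEGIN", DER with the ASN.1 SEQUENCE tag 0x30) and converts DER input with the same openssl x509 -inform DER command used above. It goes slightly beyond the article by using openssl pkey for keys, which handles EC keys as well as the RSA keys that openssl rsa covers; all file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): detect PEM vs DER by content
# and normalize certificate and key files to PEM. File names are placeholders.
set -eu

# Print "pem", "der" or "unknown" for a certificate/key file based on content.
cert_encoding() {
    if head -c 10 "$1" | grep -q -- '-----BEGIN'; then
        echo pem
    # the first byte of a DER-encoded certificate or key is the SEQUENCE tag 0x30
    elif [ "$(od -An -tx1 -N1 "$1" | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# Write a certificate to PEM at $2 regardless of the extension on $1.
to_pem_cert() {
    case "$(cert_encoding "$1")" in
        pem) cp "$1" "$2" ;;
        der) openssl x509 -inform DER -in "$1" -out "$2" ;;
        *)   echo "cannot determine encoding of $1" >&2; return 1 ;;
    esac
}

# Same for private keys; openssl pkey accepts RSA and EC keys alike,
# whereas openssl rsa only accepts RSA keys.
to_pem_key() {
    case "$(cert_encoding "$1")" in
        pem) cp "$1" "$2" ;;
        der) openssl pkey -inform DER -in "$1" -out "$2" ;;
        *)   echo "cannot determine encoding of $1" >&2; return 1 ;;
    esac
}
```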
How Do You Convert CER to PFX Format?
Converting CER to PFX requires three inputs: the certificate file, its matching private key, and optionally the CA intermediate certificates. The openssl pkcs12 -export command bundles all of these into a single encrypted archive.
Basic conversion with certificate and private key:
openssl pkcs12 -export -out certificate.pfx -inkey privatekey.key -in certificate.cer
You'll be prompted to set a password. This password protects the private key inside the PFX file - anyone who obtains the file and cracks the password has your private key.
Including intermediate certificates (required for most production deployments):
openssl pkcs12 -export -out certificate.pfx -inkey privatekey.key -in certificate.cer -certfile intermediate.cer
The -certfile flag adds the CA intermediate chain. Browsers and servers verify the full certificate chain; a PFX file without intermediates will cause trust errors on some clients.
OpenSSL 3.x users: the default encryption changed to AES-256-CBC with PBKDF2 key derivation. According to the OpenSSL 3.0 migration guide, older systems including some Windows Server versions may not support this newer standard. If you encounter "invalid password" errors importing the PFX into an older system, add the -legacy flag:
openssl pkcs12 -export -legacy -out certificate.pfx -inkey privatekey.key -in certificate.cer
Use -legacy only when compatibility with older systems requires it. For all modern deployments, omit it.
What Tools Can Perform Certificate Format Conversions?
Converting certificate format without openssl is possible through several alternatives, but OpenSSL remains the standard for production use. The DigiCert OpenSSL Quick Reference Guide covers the complete command set for all major format operations.
The OpenSSL conversion commands work across Windows, Linux, and macOS. OpenSSL ships pre-installed on most Linux distributions and macOS. Windows users can install it via package managers like Chocolatey (choco install openssl) or Winget (winget install OpenSSL).
GUI alternatives for non-technical users:
- Windows Certificate Manager - built-in tool for importing and exporting; handles PFX natively
- KeyStore Explorer - Java-based GUI supporting JKS, PKCS#12, and PEM formats
- XCA - cross-platform certificate management with visual conversion features
- Online converters - acceptable for non-sensitive development certificates only
Never upload production private keys to online conversion services. The private key is the most sensitive part of your certificate infrastructure - exposing it to any third-party service compromises your entire HTTPS security.
Why Do Different Systems Require Different Certificate Formats?
Why does IIS require PFX? Because IIS uses the Windows Certificate Store, which expects a single encrypted container holding both the certificate and private key together. Apache and Nginx evolved in Unix environments where text-based configuration files were standard - PEM's ASCII format fits naturally into that ecosystem.
For Apache and Nginx this means separate PEM files: the certificate in one file, the private key in another, the CA bundle in a third. IIS and Exchange consolidate everything into one PFX with password protection.
Platform format requirements at a glance:
- Apache/Nginx - PEM (.crt, .key, and optionally .ca-bundle as separate files)
- IIS/Exchange - PFX (.pfx or .p12 with import password)
- Tomcat/Java - JKS or PKCS#12 keystore; prefers DER encoding internally
- HAProxy - single combined PEM file (certificate and key concatenated)
- F5 Load Balancers - PEM or PFX depending on configuration
Email encryption (S/MIME) and code signing both use PFX because these applications need portable certificate bundles that travel with the private key - the password protection prevents unauthorized extraction.
How Do You Verify Certificate Conversion Results?
Verify a conversion with OpenSSL using three checks: inspect the certificate contents, confirm the file encoding, and test that the private key matches the certificate.
Check PEM certificate contents:
openssl x509 -in certificate.pem -text -noout
This displays the issuer, subject, validity dates, and public key information. Compare these values against your original certificate before deploying.
Verify PFX file contents:
openssl pkcs12 -in certificate.pfx -info -noout
Enter the PFX password when prompted. The output lists all included certificates and keys.
Test that the private key matches the certificate (both commands should return identical MD5 hashes):
openssl x509 -noout -modulus -in certificate.pem | openssl md5
openssl rsa -noout -modulus -in privatekey.pem | openssl md5
Matching hashes confirm the certificate and private key are a valid pair. A mismatch means you have the wrong key file - deploying a mismatched pair will cause an SSL handshake failure.
Validation checklist before deployment:
- Certificate subject matches your target domain
- Validity dates cover your full intended usage period
- Issuer matches your Certificate Authority
- Private key modulus matches certificate modulus (MD5 hash test above)
- File encoding matches what your target server expects
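The following is an added example, not code from the original article, that wires the PFX export above and the key/certificate match check into one script. It goes beyond the modulus test by comparing the SHA-256 digest of the public key from both files, which works for EC keys as well as RSA (the -modulus option only applies to RSA); the PFX password is read from an environment variable via -passout env: so it does not appear in shell history, and the script refuses to build the PFX when the key does not match. File names and the PFX_PASS variable name are assumptions.

```shell
#!/bin/sh
# Added example (not from the original article): verify a key/certificate pair,
# then build and inspect a PFX that includes the intermediate chain.
set -eu

# SHA-256 digest of the DER-encoded public key inside a certificate.
cert_pubkey_digest() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}

# The same digest derived from a private key (RSA or EC).
key_pubkey_digest() {
    openssl pkey -in "$1" -pubout -outform DER | openssl dgst -sha256 | sed 's/^.*= *//'
}

# Return 0 when key $1 belongs to certificate $2, 1 otherwise.
key_matches_cert() {
    [ "$(key_pubkey_digest "$1")" = "$(cert_pubkey_digest "$2")" ]
}

# build_pfx KEY CERT CHAIN OUT: export a PFX with the intermediate chain.
# The password is taken from the PFX_PASS environment variable (assumed name)
# so it never appears on the command line or in shell history.
build_pfx() {
    key=$1; cert=$2; chain=$3; out=$4
    key_matches_cert "$key" "$cert" || { echo "$key does not match $cert" >&2; return 1; }
    openssl pkcs12 -export -out "$out" -inkey "$key" -in "$cert" -certfile "$chain" -passout env:PFX_PASS
}

# Count the certificates stored in a PFX (leaf plus chain) to confirm the
# intermediates were included; reads the password from PFX_PASS as well.
pfx_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin env:PFX_PASS | grep -c 'BEGIN CERTIFICATE'
}
```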
What Are Common Certificate Conversion Errors?
The OpenSSL “unable to load certificate” error is the most frequent conversion failure. It almost always means the wrong -inform flag was specified, or no flag was specified for a DER input.
“unable to load certificate”
OpenSSL defaults to PEM input. If your file is DER-encoded and you omit -inform DER, OpenSSL tries to read binary as text and fails:
openssl x509 -inform DER -in cert.der -out cert.pem
“No certificate matches private key”
The certificate and private key were not generated together. Verify you're using the private key that was created with the CSR for this certificate. Run the MD5 modulus check above - if hashes differ, you have the wrong key.
Missing intermediate certificates in the PFX
Browsers display security warnings when the certificate chain is incomplete. Always include intermediates when building PFX files with -certfile. Most CA-issued certificate packages include a separate bundle file for this purpose.
PFX import fails with “invalid password” on Windows
This is the OpenSSL 3.x/AES-256 compatibility issue described above. Use the -legacy flag when creating the PFX, or ensure your Windows Server version supports AES-256-CBC (Windows Server 2019 or newer is required for OpenSSL 3.x defaults without the legacy flag).
Permission denied
OpenSSL needs read access to input files and write access to the output directory. On Linux/macOS, run with sudo if needed, or adjust file permissions with chmod.
Frequently Asked Questions (FAQs)
PFX vs PEM: which format is better for my server?
Neither format is universally better - the right choice depends entirely on your server software. PEM is the correct choice for Apache, Nginx, and HAProxy. PFX is required for Windows IIS, Exchange, and other applications that use the Windows Certificate Store. If you're deploying to Linux-based servers, use PEM. If you're deploying to Windows servers, use PFX.
Do I need a private key to convert CER to PFX?
Yes. A private key is required to create a valid PFX file. PFX is specifically a private key container; without the key, OpenSSL will produce an error. You must provide the matching private key using the -inkey flag.
Can I convert certificate format without OpenSSL?
Yes. Windows certutil can convert DER to PEM and vice versa. Java keytool handles JKS, PKCS#12, and PEM formats. GUI tools like KeyStore Explorer and XCA provide visual interfaces for conversions. Online converters work for non-sensitive development certificates, but should never be used with production private keys.
Can I convert a PKCS#12 file back to individual PEM or DER formats?
Yes. Use openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes to extract everything into a single PEM file, then manually separate the certificate, key, and intermediates by their BEGIN/END markers. You'll need the PFX password to run this command.
What PFX password best practices should I follow?
Use a password of at least 20 characters combining letters, numbers, and symbols. Store the password in a secrets manager - not in plain text alongside the PFX file. Never create a PFX without a password using the -noenc flag in production environments. If you must transfer a PFX file, use an encrypted channel and share the password separately.
What is the PKCS#7 format and how does it differ from PFX?
PKCS#7 (P7B format) is a certificate container that holds certificates and certificate chains but cannot store private keys. It's commonly used to distribute CA chains and intermediate certificates on Windows and Java platforms. PFX (PKCS#12) is a full private key container. Use PKCS#7 when you only need to share certificates; use PFX when you need to transport both the certificate and private key together.

Priya Mervana
Priya Mervana is working at SSLInsights.com as a web security expert with over 10 years of experience writing about encryption, SSL certificates, and online privacy. She aims to make complex security topics easily understandable for everyday internet users.