In the world of internet security, SSL certificates are crucial for ensuring that websites and online services are secure and safe to use. SSL certificates encrypt data and establish secure connections between users and websites, protecting sensitive information like passwords, credit card details, and other personal data. OpenSSL is a widely used open-source tool that provides cryptographic functionality for SSL and TLS protocols. In this blog, we will discuss the OpenSSL SSL certificate converter, a useful tool for converting SSL certificates from one format to another.
SSL certificates can be obtained from certificate authorities (CA) or self-signed using OpenSSL. However, SSL certificates are available in various formats such as CRT, PEM, DER, PFX, PKCS#7, PKCS#12, etc., which can create compatibility issues when using them with different servers and services.
OpenSSL can convert SSL certificates to the key, cer, pem, crt, pfx, der, p7b, p12, p7c, PKCS#12 and PKCS#7 formats.
SSL Certificate format and extension:
SSL certificate format | Extensions | Use |
PEM | .key, .pem or .crt | Nginx, Apache or HAProxy |
DER | .der or .cer | Java |
PKCS#7 | .p7b or .p7c | Windows servers |
PKCS#12 | .p12 or .pfx | Windows servers, Java |
PPK | .ppk | ssh |
JKS | .jks | Windows servers, Java |
- PEM (Privacy Enhanced Mail) Format:
PEM is the most commonly used SSL certificate format and is supported by most web servers and applications. PEM certificates are Base64-encoded ASCII files that contain the certificate, private key, and any intermediate certificates in a single file.
- DER (Distinguished Encoding Rules) Format:
DER is a binary format that is used to store SSL certificates. DER certificates have a “.der” or “.cer” file extension. DER certificates are less common than PEM certificates and are not supported by all web servers and applications.
- PKCS#7 (Public Key Cryptography Standards #7) Format:
PKCS#7 is a format that is used to store SSL certificates, certificate chains, and any associated private keys. PKCS#7 certificates have a “.p7b” or “.p7c” file extension. PKCS#7 certificates are used by Microsoft Windows and Java Tomcat servers.
- PKCS#12 (Public Key Cryptography Standards #12) Format:
PKCS#12 is a format that is used to store SSL certificates, private keys, and any intermediate certificates. PKCS#12 certificates have a “.pfx” or “.p12” file extension. You can rename the extension of .pfx files to .p12 and vice versa. PKCS#12 certificates are commonly used in Microsoft Windows environments.
- PPK (PuTTY Private Key) Format:
PPK is a private key file created by the PuTTY key generator software and used for SSH.
- JKS (Java Keystore) Format:
JKS is a password-encrypted keystore used in Java programs. It is similar to the .p12 file, but .jks is considered proprietary.
OpenSSL Commands to Convert SSL Certificates
Use the following OpenSSL commands to convert SSL certificates to different formats on your own machine:
Merge SSL Certificate bundle
If we have a certificate bundle, we can combine its files into one single certificate file that contains the domain certificate, the intermediate certificate and the root CA certificate, in that order.
# cat domain.name.crt intermediate.crt rootca.crt > domain.crt
For example:
# cat DomainValidationSecureServerCA.crt AddTrustCA.crt AddTrustExternalCARoot.crt > domain.crt
The result should look like this:
-----BEGIN CERTIFICATE-----
(Primary SSL certificate: domain_name.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Intermediate certificate: CertCA.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Root certificate: TrustedRoot.crt)
-----END CERTIFICATE-----
Use this combined domain.crt and privatekey.key to convert the certificate into different formats.
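A check for the merged bundle, added here as an example and not part of the original post: it confirms that the first certificate in the bundle belongs to privatekey.key and that each following certificate is named as the issuer of the one before it. The function names are made up for this example, and the throwaway CA and leaf built in demo are constructed sample input.

```shell
# Added example, not from the original post; function names are made up here.
# True when private key $1 and the first certificate in $2 share a public key.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Split PEM bundle $1 into $2/cert-1.pem, cert-2.pem, ... and print the count.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
        out != "" { print > out }
        /-----END CERTIFICATE-----/ { close(out); out = "" }
        END { print n + 0 }' "$1"
}

# Check order: leaf first, then each issuer. Names only, signatures are not verified.
check_bundle() {   # check_bundle KEY BUNDLE
    tmp=$(mktemp -d) || return 2
    n=$(split_bundle "$2" "$tmp"); rc=0; i=1
    key_matches_cert "$1" "$tmp/cert-1.pem" ||
        { echo "first certificate does not match the key"; rc=1; }
    while [ "$i" -lt "$n" ]; do
        iss=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -issuer_hash)
        i=$((i + 1))
        sub=$(openssl x509 -in "$tmp/cert-$i.pem" -noout -subject_hash)
        [ "$iss" = "$sub" ] || { echo "certificate $i is not the issuer of the one before it"; rc=1; }
    done
    rm -rf "$tmp"
    return "$rc"
}

# Constructed sample input: a throwaway CA and a leaf certificate it signs.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/rootca.crt" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
        -keyout "$d/privatekey.key" -out "$d/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/rootca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/domain.name.crt" 2>/dev/null || return 1
    cat "$d/domain.name.crt" "$d/rootca.crt" > "$d/good.crt"
    cat "$d/rootca.crt" "$d/domain.name.crt" > "$d/bad.crt"
    check_bundle "$d/privatekey.key" "$d/good.crt" && echo "good.crt ok"
    check_bundle "$d/privatekey.key" "$d/bad.crt" || echo "bad.crt rejected"
    rm -rf "$d"
}
```

Run it against a real bundle as check_bundle privatekey.key domain.crt; a non-zero exit status means the order or the key is wrong.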
1. Convert CRT Certificates
Convert CRT to PEM format:
If the certificate and key are in text format rather than binary format, they are already in PEM format. We can read the contents of a certificate using:
# openssl x509 -in domain.crt -text
Then just change the extension to .pem
# mv domain.crt domain.pem
# mv privatekey.key privatekey.pem
Or we can combine the .crt and .key into a single .pem file.
# cat privatekey.key domain.crt > domain.pem
If the certificate does not open as readable text, the certificate and key content is binary. To confirm the format, read it as DER:
# openssl x509 -in domain.crt -inform DER -text
For a binary-format CRT and KEY, use:
# openssl x509 -in domain.crt -inform der -out domain.pem -outform pem
# openssl rsa -in privatekey.key -inform der -out privatekey.pem -outform pem
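Because the extension does not say whether a file is PEM or DER, this added example (not from the original post) detects the real encoding, converts the file to PEM, and confirms through the SHA-256 fingerprint that the same certificate came out. The function names are made up for this example, and the files created in demo are constructed sample input.

```shell
# Added example, not from the original post; function names are made up here.
# Print the real encoding of a certificate file: pem, der or unknown.
cert_encoding() {
    if grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then
        echo der
    else
        echo unknown
    fi
}

# SHA-256 fingerprint of the first certificate in $1, whatever its encoding.
cert_fingerprint() {
    openssl x509 -in "$1" -inform "$(cert_encoding "$1")" -noout \
        -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Convert $1 to PEM at $2; succeed only if the fingerprint is unchanged.
to_pem() {
    enc=$(cert_encoding "$1")
    if [ "$enc" = unknown ]; then
        echo "not an X.509 certificate: $1" >&2
        return 1
    fi
    openssl x509 -in "$1" -inform "$enc" -out "$2" -outform PEM || return 1
    fp_in=$(cert_fingerprint "$1")
    [ -n "$fp_in" ] && [ "$fp_in" = "$(cert_fingerprint "$2")" ]
}

# Constructed sample input: a throwaway self-signed certificate stored as DER
# under a .crt name, its PEM original, and a file that is no certificate.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$d/privatekey.key" -out "$d/orig.pem" 2>/dev/null || return 1
    openssl x509 -in "$d/orig.pem" -outform DER -out "$d/domain.crt" || return 1
    echo "not a certificate" > "$d/junk.crt"
    for f in domain.crt orig.pem junk.crt; do
        echo "$f: $(cert_encoding "$d/$f")"
    done
    to_pem "$d/domain.crt" "$d/domain.pem" && echo "domain.crt converted"
    to_pem "$d/junk.crt" "$d/junk.pem" 2>/dev/null || echo "junk.crt rejected"
    rm -rf "$d"
}
```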
Convert CRT to PFX format:
A PFX file stores private keys and certificates in a single encrypted file. OpenSSL will ask you to set a password for the file.
# openssl pkcs12 -export -out domain.pfx -inkey privatekey.key -in domain.crt
Note: We can rename the extension of .pfx to .p12 and vice versa.
Convert CRT to CER format:
To convert a CRT to a CER, we can use
# openssl x509 -in domain.crt -outform DER -out domain.cer
Convert CRT to DER format:
To convert a CRT to a DER, we can use
# openssl x509 -in domain.crt -outform DER -out domain.der
Convert CRT to PKCS#7
To convert CRT to PKCS#7, we can use
# openssl crl2pkcs7 -nocrl -certfile domain.crt -out domain.p7b
Convert CRT to PKCS#12 format:
A PKCS#12 file stores private keys and certificates in a single encrypted file. OpenSSL will ask you to set a password for the file.
# openssl pkcs12 -export -out domain.p12 -inkey privatekey.key -in domain.crt
Note: We can rename the extension of .pfx to .p12 and vice versa.
2. Convert PEM Certificates
Convert PEM to CRT and KEY format:
If we can read the PEM certificate in a text editor, it is Base64-encoded rather than binary, so it is already in CRT format. Just change the extensions to .crt and .key:
# mv domain.pem domain.crt
# mv privatekey.pem privatekey.key
If the .pem file is binary:
# openssl x509 -inform der -in domain.pem -out domain.crt -outform pem
# openssl rsa -inform der -in privatekey.pem -out privatekey.key
Convert PEM to PFX format:
Note: It will ask for the password of the private key and then ask you to set a password for the .pfx file.
# openssl pkcs12 -export -out domain.pfx -in domain.pem -inkey privatekey.pem
To convert .pem to .pfx without private key:
# openssl pkcs12 -export -out domain.pfx -nokeys -in domain.pem
Convert PEM to PKCS#7 format:
# openssl crl2pkcs7 -nocrl -certfile domain.pem -out domain.p7b
Convert PEM to PKCS#12 format:
Note: It will ask for the password of the private key and then ask you to set a password for the .p12 file.
# openssl pkcs12 -export -out domain.p12 -in domain.pem -inkey privatekey.pem
To convert .pem to .p12 without private key:
# openssl pkcs12 -export -out domain.p12 -nokeys -in domain.pem
Note: We can rename the extension of .pfx to .p12 and vice versa.
Convert PEM to DER format:
# openssl x509 -inform pem -in domain.pem -outform der -out domain.der
Convert PEM to CER format:
# openssl x509 -inform pem -in domain.pem -out domain.cer -outform der
3. Convert CER Certificates
Convert CER to CRT
# openssl x509 -inform der -in domain.cer -out domain.crt -outform pem
Convert CER to PEM
# openssl x509 -inform der -in domain.cer -out domain.pem -outform pem
Note: We can rename the extension of .crt to .pem and vice versa.
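Convert CER to DER
# openssl x509 -inform der -in domain.cer -outform der -out domain.der
Convert CER to PKCS#7
The -certfile option reads PEM, so convert the .cer to PEM first.
# openssl x509 -inform der -in domain.cer -out domain.crt -outform pem
# openssl crl2pkcs7 -nocrl -certfile domain.crt -out domain.p7b
Convert CER to PKCS#12
Note: The -in option of pkcs12 -export reads PEM, so convert the .cer to PEM first. It will ask for the password of the private key and then ask you to set a password for the .p12 file.
# openssl x509 -inform der -in domain.cer -out domain.crt -outform pem
# openssl pkcs12 -export -out domain.p12 -in domain.crt -inkey privatekey.key
Convert CER to PFX
Note: The -in option of pkcs12 -export reads PEM, so convert the .cer to PEM first. It will ask for the password of the private key and then ask you to set a password for the .pfx file.
# openssl x509 -inform der -in domain.cer -out domain.crt -outform pem
# openssl pkcs12 -export -out domain.pfx -in domain.crt -inkey privatekey.key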
Note: We can rename the extension of .pfx to .p12 and vice versa.
4. Convert DER Certificates
Convert DER to CRT
# openssl x509 -inform der -in domain.der -out domain.crt -outform pem
Convert DER to PEM
# openssl x509 -inform der -in domain.der -out domain.pem -outform pem
Note: We can rename the extension of .crt to .pem and vice versa.
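Convert DER to CER
# openssl x509 -inform der -in domain.der -outform der -out domain.cer
Convert DER to PKCS#7
The -certfile option reads PEM, so convert the .der to PEM first.
# openssl x509 -inform der -in domain.der -out domain.crt -outform pem
# openssl crl2pkcs7 -nocrl -certfile domain.crt -out domain.p7b
Convert DER to PKCS#12
Note: The -in option of pkcs12 -export reads PEM, so convert the .der to PEM first. It will ask for the password of the private key and then ask you to set a password for the .p12 file.
# openssl x509 -inform der -in domain.der -out domain.crt -outform pem
# openssl pkcs12 -export -out domain.p12 -in domain.crt -inkey privatekey.key
Convert DER to PFX
Note: The -in option of pkcs12 -export reads PEM, so convert the .der to PEM first. It will ask for the password of the private key and then ask you to set a password for the .pfx file.
# openssl x509 -inform der -in domain.der -out domain.crt -outform pem
# openssl pkcs12 -export -out domain.pfx -in domain.crt -inkey privatekey.key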
Note: We can rename the extension of .pfx to .p12 and vice versa.
5. Convert PKCS#7 Certificates
Convert PKCS#7 to CRT
# openssl pkcs7 -print_certs -in domain.p7b -out domain.crt
Convert PKCS#7 to PEM
# openssl pkcs7 -print_certs -in domain.p7b -out domain.pem
Note: We can rename the extension of .crt to .pem and vice versa.
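Convert PKCS#7 to CER
# openssl pkcs7 -print_certs -in domain.p7b -out domain.crt
# openssl x509 -in domain.crt -outform der -out domain.cer
Convert PKCS#7 to DER
# openssl pkcs7 -print_certs -in domain.p7b -out domain.crt
# openssl x509 -in domain.crt -outform der -out domain.der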
Convert PKCS#7 to PKCS#12
Note: It will ask for the password of the private key and then ask you to set a password for the .p12 file.
# openssl pkcs7 -print_certs -in domain.p7b -out domain.crt
# openssl pkcs12 -export -out domain.p12 -in domain.crt -inkey privatekey.key
Convert PKCS#7 to PFX
Note: It will ask for the password of the private key and then ask you to set a password for the .pfx file.
# openssl pkcs7 -print_certs -in domain.p7b -out domain.crt
# openssl pkcs12 -export -out domain.pfx -in domain.crt -inkey privatekey.key
Note: We can rename the extension of .pfx to .p12 and vice versa.
6. Convert PKCS#12 Certificates
Convert PKCS#12 to CRT
# openssl pkcs12 -in domain.p12 -out domain.crt -clcerts -nokeys
# openssl pkcs12 -in domain.p12 -out privatekey.key -nocerts -nodes
Convert PKCS#12 to PEM
# openssl pkcs12 -in domain.p12 -out domain.pem -clcerts -nokeys
# openssl pkcs12 -in domain.p12 -out privatekey.pem -nocerts -nodes
Note: We can rename the extension of .crt to .pem and vice versa.
Convert PKCS#12 to CER
# openssl pkcs12 -in domain.p12 -out domain.crt -clcerts -nokeys
# openssl x509 -in domain.crt -outform der -out domain.cer
Convert PKCS#12 to PKCS#7
# openssl pkcs12 -in domain.p12 -out domain.crt -clcerts -nokeys
# openssl crl2pkcs7 -nocrl -certfile domain.crt -out domain.p7b
Convert PKCS#12 to PFX
# mv domain.p12 domain.pfx
7. Convert PFX Certificates
Convert PFX to CRT
# openssl pkcs12 -in domain.pfx -out domain.crt -clcerts -nokeys
# openssl pkcs12 -in domain.pfx -out privatekey.key -nocerts -nodes
Convert PFX to PEM
# openssl pkcs12 -in domain.pfx -out domain.pem -clcerts -nokeys
# openssl pkcs12 -in domain.pfx -out privatekey.pem -nocerts -nodes
Note: We can rename the extension of .crt to .pem and vice versa.
Convert PFX to CER
# openssl pkcs12 -in domain.pfx -out domain.crt -clcerts -nokeys
# openssl x509 -in domain.crt -outform der -out domain.cer
Convert PFX to PKCS#7
# openssl pkcs12 -in domain.pfx -out domain.crt -clcerts -nokeys
# openssl crl2pkcs7 -nocrl -certfile domain.crt -out domain.p7b
Convert PFX to PKCS#12
# mv domain.pfx domain.p12
Conclusion
SSL certificates are essential for securing online transactions and protecting sensitive data. OpenSSL is a handy tool that can convert SSL certificates from one format to another, making it easier to use them with different servers and services.