Last updated on
Working with SSL certificates often means dealing with different file formats, and sometimes you need them in PEM format. Whether you have CRT, CER, or DER files, figuring out how to handle these conversions might seem overwhelming at first. But don’t worry,we’ve got you covered!
In this guide, you’ll discover how to use OpenSSL to seamlessly convert your SSL certificates to PEM, step by step, whether you’re on Linux or Windows. Let’s simplify the process together!
Table of Contents
- Converting CRT to PEM Using OpenSSL (Linux and Windows)
- How to Convert DER or CER to PEM
- How to Install OpenSSL
Converting CRT to PEM Using OpenSSL (Linux and Windows)
Follow these simple steps to convert a CRT file to a PEM file using OpenSSL. The instructions work for both Linux and Windows, with minor differences in navigating to directories and running commands.
Step 1: Open the Command Line Tool
- On Linux: Open the Terminal by pressing Ctrl + Alt + T or searching for “Terminal” in your applications.
- On Windows: Open Command Prompt or PowerShell by pressing Win + R, typing cmd or powershell, and pressing Enter.
Step 2: Check if OpenSSL is Installed
OpenSSL is the main tool used for the conversion, whether you’re handling certificates or managing your private key securely. Make sure it’s installed on your system by running the following command:
openssl version
If OpenSSL is installed, you’ll see the version number displayed (e.g., OpenSSL 1.1.1).
If it’s not installed, you’ll get an error message like ‘openssl’ is not recognized as an internal or external command. Don’t worry! You can follow our detailed instructions on how to install it.
Step 3: Navigate to the Directory
Use the cd command to go to the folder where your CRT file is located.
On Linux:
cd /path/to/certificate/folder
On Windows:
cd C:\path\to\certificate\folder
Replace /path/to/certificate/folder or C:\path\to\certificate\folder with the actual path.
Step 4: Run the OpenSSL Command
Execute the following command to convert the CRT file to PEM format:
openssl x509 -in certificate.crt -outform PEM -out certificate.pem
Replace certificate.crt with the name of your CRT file.
The resulting file, certificate.pem, will be saved in the same directory, ready for use alongside your private key in SSL configurations.
Step 5: Verify the Output
Locate the certificate.pem file in your directory.
Open the file with a text editor to ensure it starts with:
-----BEGIN CERTIFICATE-----
which is the typical header for PEM certificates.
How to Convert DER or CER to PEM
If you have a DER-encoded or CER certificate in DER format and need to convert it to PEM format, OpenSSL can handle both formats with a similar command. Simply run the appropriate command to convert certificate files depending on your file type:
For DER to PEM
openssl x509 -inform DER -in certificate.der -outform PEM -out certificate.pem
For CER to PEM
openssl x509 -inform DER -in certificate.cer -outform PEM -out certificate.pem
Replace certificate.der or certificate.cer with the name of your file in DER format.
The resulting certificate.pem file will be saved in the same directory.
Check our extensive guide on SSL formats for an even better understanding of how they work.
How to Install OpenSSL
If OpenSSL is not already installed on your system, follow these steps to set it up:
On Linux
Use a package manager to install it:
Ubuntu/Debian:
sudo apt update
sudo apt install openssl
CentOS/Red Hat:
sudo yum install openssl
On Windows
- Download the OpenSSL installer from a trusted source like Shining Light Productions.
- Follow the installation instructions, ensuring you add OpenSSL to your system’s PATH during setup.
Secure Your Website Like a Pro with SSL Dragon!
Converting CRT, DER, PFX format or CER files to PEM format is an essential skill for managing SSL certificates, and OpenSSL makes the process quick and easy.
If you’re looking for a one-stop shop for all your SSL certificate needs, SSL Dragon has you covered. We offer a wide range of SSL products, along with expert guidance to help you secure your website. Visit SSL Dragon today to explore our offerings and simplify your SSL certificate management!
Save 10% on SSL Certificates when ordering from SSL Dragon today!
Fast issuance, strong encryption, 99.99% browser trust, dedicated support, and 25-day money-back guarantee. Coupon code: SAVE10
Experienced content writer specializing in SSL Certificates. Transforming intricate cybersecurity topics into clear, engaging content. Contribute to improving digital security through impactful narratives.
Many Certificate Authorities (CAs) provide certificates in X.509 format (a file with a CER or CRT extension). A certificate of this type is usually provided in the DER-encoding format. However, the majority of services that use SSL Certificates will only accept certificates in PEM format (Base64 encoded). In this post we will cover how to convert a DER-encoded certificate with a CRT or CER extension to PEM format.
What are PEM and DER certificates?
- PEM (Privacy Enhanced Mail) is the most common format for X.509 certificates. PEM files are plain text-based and supported by most web browsers, servers, and apps. It includes the header and footer lines: —–BEGIN CERTIFICATE—– and —–END CERTIFICATE—–.
- DER (.der, .crt) – is a Binary certificate format. It is less common than PEM, but is still used, especially in Java environments.
Renaming Base64 CRT to PEM
Before converting a CER/CRT certificate file to PEM, check if the file already contains a certificate in Base64-encoded format. Open the certificate file in any text editor. If it contains ASCII text that starts and ends with one of the following prompts, it has already been converted to Base64 PEM format:
-----BEGIN CERTIFICATE----- -----END CERTIFICATE----- ----- BEGIN PRIVATE KEY ----- -----END PRIVATE KEY ------ -----BEGIN PUBLIC KEY ----- -----END PUBLIC KEY -----
Change the certificate file extension from CRT or CER to PEM in this example.
If the certificate file contains binary data, it cannot be viewed as a text file. Such a CER/CRT file containing a certificate in binary format (DER) can be converted to Base64 ASCII certificate format (PEM) using one of the methods described below.
Converting Binary CRT to PEM using the Certificate Export Wizard in Windows
In Windows, you can convert CERs to the PEM certificate file format using the built-in Certificate Export tool. It can be used to convert a CRT file or export an installed certificate from the certificate store.
Locate the CRT file and double-click to open it.
Or run the Certificate Manager MMC snap-in:
- certlm.msc – to export local machine certificate
- certmgr.msc – to export user certificate
Open the certificate properties, navigate to the Detail tab and click Copy to file.
Select Base-64 encoded X.509 (.CER) format in the Certificate Export Wizard and click Next.
Specify the filename to export and click Next (he filename extension will automatically be set to *.cer).
When the export is complete, locate the exported CER file and rename it to change the extension to PEM.
Converting Binary CRT to PEM using OpenSSL
To convert SSL certificates into the appropriate format, you can use the OpenSSL library. OpenSSL is primarily a Linux tool available out-of-the-box in most distros, but you can also use it on Windows. To install OpenSSL, use the OpenSSL for Windows port, or install it using the WinGet package manager:
winget install ShiningLight.OpenSSL.Light
The command and syntax for converting a binary CRT file to PEM is the same whether you’re using Linux or Windows:
openssl x509 -in <BINARY CRT FILE> -inform DER -out <PEM OUTPUT FILE> -outform PEM
Go to the directory with the OpenSSL binaries:
cd "C:\Program Files\OpenSSL-Win64\bin"
Convert the certificate file:
./openssl x509 -in "C:\temp\mycert.cer" -inform DER -out "C:\temp\mycert_converted.pem" -outform PEM
Open the PEM file in any text editor and confirm that it contains ASCII text.
Cyril Kardashevsky
I enjoy technology and developing websites. Since 2012 I’m running a few of my own websites, and share useful content on gadgets, PC administration and website promotion.
Convert Certificates KB ID 0001847
Problem
This post was written because of a follow up question in this article. How do you go about convert certificates? Sometimes you get a certificate issued or sent toy you that is in a format you cannot import, so you need to convert it. Regardless of whether you are a mac/Linux user or a Windows user, the tool that I find best to use is OpenSSL.
OpenSSL is built into macOS to use OpenSSL on Windows you need to download, install, then run the openssl.exe (usually form command line, but you can also run from PowerShell (Note: See comment below if you intend to use PowerShell).
Linux Note: To install OpenSSL, different flavours of Linux differ e.g. sudo apt-get install openssl should work in most cases.
Windows Note: Remember to change to the directory in which OpenSSL.exe resides before executing the following command(s). See the Windows Examples for clarification.
Solution : Convert Certificates
The most common form of issued x509 certificates have a .crt or a .cer extension, CRT is based on DER Distinguished Encoding Rules, and the other (CER) is based on PEM Privacy Enhanced Mail. OpenSSL can convert form one to the other. Note: Below I’ve shown the process on my mac and a Windows PC to illustrate the process is the same.
Convert Certificates CRT to CER
Use the following Syntax to convert from CRT to CER format. (Change the values in Red to match your source and destination certificate locations).
openssl x509 -inform PEM -outform DER -in /Users/petelong/CERTS/Source-Certificate.crt -out /Users/petelong/CERTS/Output-Certificate.cer
Convert Certificates CER to CRT
Use the following Syntax to convert from CER to CRT format. (Change the values in Red to match your source and destination certificate locations).
openssl x509 -inform DER -outform PEM -in /Users/petelong/CERTS/Source-Certificate.cer -out /Users/petelong/CERTS/Output-Certificate.crt
Convert Certificates CRT to PEM
Disclaimer: This is a bit of a misnomer, because .crt certificates are already in PEM format. You can simply open a .crt file and view it as a PEM file. Use the following Syntax to view a CRT in PEM format. (Change the values in Red to match your source and destination certificate locations).
Linux / macOS
cat /Users/petelong/CERTS/My-Certificate.crt
Windows
type C:/Certs/My-Certificate.crt
Then copy the ‘text’ as shown in the examples above. DO NOT include any additional spaces (as shown above). And you have a PEM file you can paste this into a text editor and save it with a .pem extension if you need to ‘send’ it somewhere.
Can I simply rename .crt to .pem (YES YOU CAN)
Convert Certificates CER to PEM
This is slightly more complicated as .cer files are in DER format, if you try and open one with a text editor you will simply see gobbledegook. So you need to convert it into PEM format with he following syntax.
openssl x509 -inform DER -outform PEM -in /Users/petelong/CERTS/My-Certificate.cer -out /Users/petelong/CERTS/PEM-Certificate.pem
Once that’s done (as above) you can simply open the .pem file in a text editor or cat (mac/Linux) or type (Windows) the content.
Converting Certificates (PowerShell)
Be Aware: When calling OpenSSL form a PowerShell command, you need to prefix the command with a ‘dot slash’ see the examples below for clarification.
Related Articles, References, Credits, or External Links
Digital Certificates Explained
Convert CRT to PEM Format Using OpenSSL: Step-by-Step Guide
Are you struggling to convert your CRT certificate to PEM format? then you’re not alone. Do you know many website owners, IT administrators, and developers face challenges when they are dealing with SSL certificates, especially when different servers and applications require specific formats.
In this guide, we’ll show you how to use the OpenSSL tool to quickly and correctly convert a CRT file to PEM (Privacy-Enhanced Mail) format.
Whether you are managing multiple certificates or just need a one-time conversion, this step-by-step process will help you avoid errors and maintain compatibility with your system.
First, you need to know what is the CRT and PEM file formats.
Overview of CRT and PEM File Formats
When setting up SSL/TLS certificates, it’s important to understand the different file types used. Two common types are CRT and PEM.
These file types hold SSL certificates and related security information. They help make sure that information sent between a website and a user is secure and trusted.
What is a CRT file?
A CRT file is a digital certificate issued by a Certificate Authority (CA) to verify the authenticity of a website or organization. It helps establish secure connections and is commonly used in SSL encryption for HTTPS communication.
CRT files can be in binary DER or Base64-encoded PEM format and are typically installed on web servers.
What is a PEM file?
A PEM file (Privacy-Enhanced Mail) is a standard format for storing and transmitting SSL/TLS certificates, private keys, and CA bundles. It is Base64-encoded and contains certificates enclosed between ——BEGIN CERTIFICATE—— and ——END CERTIFICATE—— markers.
What are the Prerequisites for Conversion
Before converting a CRT file to PEM, you have to follow the below three things:
- — OpenSSL is installed on your system.
- — The certificate file (CRT) is accessible.
- — If required, the private key and CA bundle files are available.
To check if OpenSSL is installed, run the following command:
openssl version
If OpenSSL is not installed, download and install it from OpenSSL’s official website.
Steps to Convert CRT to PEM Using OpenSSL
Sometimes, SSL certificates need to be in different formats for different systems. CRT files are commonly used, but PEM format is often required for broader compatibility.
OpenSSL makes it easy to convert your CRT file into PEM format, as shown in the following steps.
Step 1: Basic Conversion Command
To convert a CRT file to PEM format, open a terminal or command prompt and run:
openssl x509 -in certificate.crt -out certificate.pem -outform PEM
Explanation of the command:
- openssl x509 – Calls OpenSSL to process an X.509 certificate.
- -in certificate.crt – Specifies the input CRT file.
- -out certificate.pem – Defines the output PEM file.
- -outform PEM – Make sure the output format is PEM.
Step 2: Converting CRT with Private Key
If your private key is stored separately, you may need to combine it with the certificate:
cat certificate.crt privatekey.key > certificate.pem
This merges the certificate and private key into a single PEM file.
Step 3: Converting a CRT with Full Certificate Chain
For complete SSL chain compatibility, merge the certificate, private key, and CA bundle:
cat certificate.crt privatekey.key ca_bundle.crt > fullcertificate.pem
This confirms the certificate works with browsers and servers that require the full chain.
Step 4: Verifying the Converted PEM File
To confirm that the PEM file is correctly formatted, use:
openssl x509 -in certificate.pem -text -noout
This command displays the certificate details without modifying the file.
Common Errors and Troubleshooting
Error -1 : «Unable to load certificate»
Solution: Make sure the correct file path is specified and the file is not corrupted.
Error -2 :File format mismatches
If a file is not in the expected format, OpenSSL may fail to process it. Use:
file certificate.crt
This will display the file type. If needed, convert it to the correct format before proceeding.
You can also refer this article DER to PEM, CER to PEM, and CER to PFX for more format changes.
Conclusion
Converting a CRT file to PEM format is a straightforward process using OpenSSL. This conversion is often necessary for different server environments and security configurations.
By following the steps outlined above, you can achieve a smooth transition between certificate formats, enabling secure communication and proper SSL implementation.
If you have a CRT file in the binary format, it can be converted by using the OpenSSL tool for Windows. First of all, you will need to download the archive with the OpenSSL binaries (openssl-0.9.th-1-bin.zip) and extract it to the local folder such as C:\OpenSSL. Then, copy the .crt file to the same place. When it is done, run the command prompt with the administrator privileges and go to the folder:
cd C:\OpenSSL\bin
if the crt file is located in the binary format, then you will have to run the following command if you want to convert it to the PEM format:
Openssl.exe x509 -inform DER -outform PEM -in my_certificate.crt -out my_certificate.crt.pem
Do not forget to change the file names of the certificates to your own. That is the command that will help you to convert the DER certificate file such as CTR to PEM. Keep in mind that when you are converting your certificate files to some different formats using OpenSSL, your certificate private data is secured since it is never located by the OpenSSL during the file conversion.
After you have executed the command, the new file named my_certificate.crt.pem should occur in the same folder. Upon seeing it, open it and make sure it is encoded in Base64. You can import this certificate now to the web server or any place that you want.
In case you get an error saying that you are unable to load the config info from the /usr/local/ssl/openssl.cnf when you run the openssl.exe tool, it means you will have to set up a new Windows environment variable by using this command below:
Set OPENSSL_CONF=C:\openssl\share\openssl.cnf
Once the command has been set up, re-run the Command Prompt window and try to execute a command in order to convert your certificate file from the CTR to PEM file format.
When you are on Windows 10 or Windows Server 2016, you are able to convert the CER to PEM certificate file format from the Windows built-in certificate export tool. Here are the steps to convert it:
- The first thing that should be done is to run the File Explorer, find, and double click your .cer file.
- Then, go to the Details tab in the certificate properties window and click on the Copy to File button.
- The next thing that you will have to do is to press Next on the first step of Certificate Export Wizard.
- After that, you will need to choose the certificate export format. Please choose the option BASE-64 encoded X.509 (.CER) and click Next.
- In the fifth step, you should specify the file name.
- Once it is done, press the Finish button.
- Now, it is time for you to change the certificate file extension from the .cer to .pem. here is the PowerShell command that you can use:
rename-item C:\PS\new_cert.cer c:\ps\new_cert.pem
- Do not forget to make sure that the file format is Base64:
cat c:\ps\new_cert.pem
For those the users of Linux who want to convert the CRT SSL certificate to PEM, the instructions that you will need to follow are different than the ones above.
- In the beginning, you will have to install the OpenSSL package.
- Then, install the OpenSSL on RedHat/CentOS/Fedora as follows:
yum install openssl
- When you are on Debian or Ubuntu distros, the package is able to be installed using the APT:
apt-get install openssl
- In order to convert the CER file to PEM format using openssl, you can just run the command below:
openssl x509 -inform der -in /home/tstcert.cer -out /home/tstcert.pem
Note: tstcert.cer means source certificate file and tstcert.pem means target pem file
X.509 digital certificates refers to the certificates that are usually used to assert the identify of an organization and to protect the data integrity. There are some different kinds of digitally encoded and or signed documents that include code signing certificates, SSL or TLS certificates, personal authentication and S/MIME certificates, and so on.
The x.509 certificates can have a few different types of file extension that you are able to convert the certificates and the keys to, such as:
- .PEM (Private enhanced electronic mail)
- .CRT or .CER (Certificate)
- .DER (Distinguished encoding rules)
PEM is named as the most well-known SSL certificate format issued by certification authority centers with some different file extensions like .crt, .pem, .cer, or .key. As you probably know, the certificate files have the extension .crt, .pem, .cer, or .key. They are encoded in the Base64 and usually start with the line —– BEGIN CERTIFICATE —– and end with the line —– END CERTIFICATE —–.
Apparently, the PEM certificate can consist of both the certificate and the certificate private key in the same file. They are encoded in the text ASCII Base64 format, and they can be viewed in any text editor. For your information, Nginx, Apache, and similar web servers are using the SSL certificates in the PEM file format.
People may have some reasons why they want to convert them to the other formats. Some of the reasons include the server is not approving of the existing file format or the file is not compatible with the software. It does not matter the reason behind it, the converting process can be done easily using OpenSSL.
Before converting the CTR to PEM file format, you will have to check if the certificate file is not already in the PEM format. Make sure that it really has a .crt extension. You can check it by opening the .crt file using any text editor that you want or listing its contents using PowerShell:
gc .cert.crt
If the file starts with —–BEGIN and it is readable in the text editor, it means the file already uses the base64 format, which is able to be read in ASCII. On the other words, the certificate is already in the PEM format and you just need to change the file extension from .crt to .pem in the Windows File Explorer.
AUTHOR BIO
On my daily job, I am a software engineer, programmer & computer technician. My passion is assembling PC hardware, studying Operating System and all things related to computers technology. I also love to make short films for YouTube as a producer. More at about me…