How to convert SSL-certificates from PEM- to DER-format and vis versa

2017-03-02 · 2 min · Steffen Clausjuergens

Table of Contents

Common parameter to both conversions
Converting from PEM- to DER-format
Converting from DER- to PEM-format
Links

SSL-certificates are often exchanged and stored in “PEM”-format.
The PEM-format is a Base64 encoded version of the binary certificate.

But some systems, like Windows, prefer a binary encoded version called DER-format.

This article will show how to convert one format into the other using openssl on the command line:

Common parameter to both conversions

openssl x509 : the OpenSSL tool to handle SSL certificate.
-in <filename> set the filename from which to fetch the certificate.
If omitted it will use stdin.
-out <filename> set the filename where to write the certificate to. If omitted it will use stout.
filename extensions:
.pem is only used for PEM encoded files, .der only for DER encoded, but
.cer, .crt are used for certificates in both formats.

Converting from PEM- to DER-format

openssl x509 -inform PEM -in PEM-filename.pem -outform DER -out DER-filename.der

options -in and -out see above
-inform PEM (default if omitted) expects the certificate in PEM format.
-outform DER writes the certificate in DER format.

Converting from DER- to PEM-format

openssl x509 -inform DER -in DER-filename.der -outform PEM -out PEM-filename.pem

options -in and -out see above
-inform DER expects the certificate in DER format
-outform PEM (default if omitted) shows the certificate in PEM format.

Links

Wikipedia article about X.509 certificates including their formats
OpenSSL man pages
[update:] I wrote two Bash-scripts for this certificate conversions an put them into my git repository “openSSLscripts” on GitHub.