SSL-certificates are often exchanged and stored in “PEM”-format.
The PEM-format is a Base64 encoded version of the binary certificate.

But some systems, like Windows, prefer a binary encoded version called DER-format.

This article will show how to convert one format into the other using openssl on the command line:

Common parameter to both conversions

  • openssl x509 : the OpenSSL tool to handle SSL certificate.
  • -in <filename> set the filename from which to fetch the certificate.
    If omitted it will use stdin.
  • -out <filename> set the filename where to write the certificate to. If omitted it will use stout.
  • filename extensions:
    .pem is only used for PEM encoded files, .der only for DER encoded, but
    .cer, .crt are used for certificates in both formats.

Converting from PEM- to DER-format

openssl x509 -inform PEM -in PEM-filename.pem -outform DER -out DER-filename.der
  • options -in and -out see above
  • -inform PEM (default if omitted) expects the certificate in PEM format.
  • -outform DER writes the certificate in DER format.

Converting from DER- to PEM-format

openssl x509 -inform DER -in DER-filename.der -outform PEM -out PEM-filename.pem
  • options -in and -out see above
  • -inform DER expects the certificate in DER format
  • -outform PEM (default if omitted) shows the certificate in PEM format.
  • Wikipedia article about X.509 certificates including their formats
  • OpenSSL man pages
  • [update:] I wrote two Bash-scripts for this certificate conversions an put them into my git repository “openSSLscripts” on GitHub.