Certificate File Formats and Conversion

Certificates are often considered to be binary blobs that cannot be expressed in human-readable form. In this part of my series about what everybody needs to know about certificates (part 1, part 2 and part 3), I will introduce well-known formats for certificates and private keys and show how they can be displayed in clear text to inspect the information they contain. When different platforms are involved, conversions between these formats may be necessary to work with the files.


A very popular format is the text-based Privacy Enhanced Mail (PEM) encoded in Base64 so that it can be exchanged over arbitrary channels without worrying about different character sets (more about PEM and Base64). PEM stores all data relevant to PKI including private and public keys, certificate signing requests and certificates.

One of the formats accepted by Windows is called Canonical Encoding Rules (CER). Although it is fully equivalent to PEM, Windows does not allow private keys to be processed in this format; nevertheless, this is possible with OpenSSL. Windows only recognizes private keys stored in PFX containers and requires private keys to be password protected. PFX is a predecessor to PKCS#12, but for all purposes of this series, you can rely on information about PKCS#12 to work with Windows. All conversions presented below have been used extensively by the author over the last years.

Trivia: Although Windows is limited to those two formats, requesting a certificate using IIS results in a certificate signing request expressed in PEM. Weird but true.

Why are conversions necessary?

Unfortunately, you can rely on the fact that you will always receive the wrong format for your system when exchanging certificate signing requests or certificates. Either you are working with Windows and receive a PEM-formatted certificate for your request, or you are attempting to import a certificate into a Linux-based system with only a PFX file on your hands.

In my experience, CAs often provide PEM-formatted information in their communication due to the resilience against different charsets.


OpenSSL is the standard library for working with symmetric as well as asymmetric encryption. It provides commands for all of the formats and protocols contained in this series. It uses PEM as its preferred format but can be instructed to recognize and process all of the formats mentioned in this article (DER, PKCS#12 and PFX as well as several more).

There is a binary distribution for Windows linked to from the OpenSSL homepage (section "Related", then "Binaries"). Working with OpenSSL requires the command line.

Viewing File Formats

The following commands demonstrate the use of OpenSSL to view different types of data in PEM-formatted files:

All of the above commands accept the parameter -inform to specify the format of the input file. It is only necessary if PEM is not used. To view CER or DER-formatted files, use -inform DER.

Common Format Conversions

The following commands demonstrate the use of OpenSSL to convert between formats. Note the use of the parameter -outform to force a certain format for the output file.
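
As an added example (not the author's own command list), the script below wraps standard OpenSSL subcommands for the viewing and conversion steps described above and checks that a certificate keeps the same fingerprint across PEM, DER and PFX. The file names, the subject CN=example.test and the password are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: view and convert certificate files with OpenSSL.
# File names, the subject and the password are constructed placeholders.
set -eu

make_samples() {  # throwaway RSA key, self-signed certificate and CSR, all PEM
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout key.pem -out cert.pem 2>/dev/null
  openssl req -new -key key.pem -subj "/CN=example.test" -out req.pem
}

# Clear-text views; $1=file, $2=input format (PEM is the default, DER for CER/DER)
view_cert() { openssl x509 -in "$1" -inform "${2:-PEM}" -noout -text; }
view_csr()  { openssl req  -in "$1" -inform "${2:-PEM}" -noout -text; }
view_key()  { openssl pkey -in "$1" -inform "${2:-PEM}" -noout -text; }  # prints private values

fingerprint() {   # SHA-256 fingerprint; $1=file, $2=PEM (default) or DER
  openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256
}

pem_to_der() { openssl x509 -in "$1" -outform DER -out "$2"; }
der_to_pem() { openssl x509 -in "$1" -inform DER -outform PEM -out "$2"; }

# "pass:" exposes the password in the process list; prefer "env:" or "file:"
pem_to_pfx() {    # $1=cert, $2=key, $3=output file, $4=password
  openssl pkcs12 -export -in "$1" -inkey "$2" -out "$3" -passout "pass:$4"
}
pfx_to_pem() {    # $1=PFX file, $2=password, $3=output; certificate only, no key
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -out "$3"
}

roundtrip_ok() {  # 0 if the certificate survives PEM -> DER -> PEM and PEM -> PFX -> PEM
  local fp; fp=$(fingerprint cert.pem)
  pem_to_der cert.pem cert.der && der_to_pem cert.der back.pem
  pem_to_pfx cert.pem key.pem bundle.pfx 'constructed-password'
  pfx_to_pem bundle.pfx 'constructed-password' from_pfx.pem
  [ "$(fingerprint cert.der DER)" = "$fp" ] && [ "$(fingerprint back.pem)" = "$fp" ] &&
    [ "$(fingerprint from_pfx.pem)" = "$fp" ]
}

if [ "${1:-}" = "demo" ]; then   # run as: bash script.sh demo
  cd "$(mktemp -d)" && make_samples
  view_cert cert.pem | head -n 12
  roundtrip_ok && echo "fingerprints match across PEM, DER and PFX"
fi
```

Comparing fingerprints after each conversion is a quick way to confirm that only the encoding changed and the certificate itself did not.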

Key Takeaways

Feedback is always welcome! If you'd like to get in touch with me concerning the contents of this article, please use Twitter.