Convert SSL certificate formats with OpenSSL

#Security

Certificates come in PEM, CRT, CER, DER, and PFX formats, and software is picky about which one it wants. Here are the openssl commands to convert between all of them.

Published by Mark van Eijk on June 23, 2026 · 1 minute read

  1. The formats, quickly
  2. PEM and CRT
  3. PEM to DER
  4. DER to PEM
  5. PFX to PEM (certificate and key)
  6. PEM/CRT and key to PFX
  7. Verify the result

The formats, quickly

Before converting, it helps to know what you actually have:

  • PEM — Base64 text, starts with -----BEGIN CERTIFICATE-----. The most common format on Linux. Can hold a certificate, a key, or a whole chain.
  • CRT / CER — usually just a PEM (or DER) certificate with a different file extension.
  • DER — the binary version of a PEM certificate. Common in the Windows and Java world.
  • PFX / P12 — a binary, password-protected bundle holding the certificate and its private key together. Standard on Windows / IIS.

Everything below uses the openssl command line tool.

PEM and CRT

These are typically the same format, so converting is often just a rename. To be safe, normalise to PEM (if the .crt file turns out to be DER-encoded and openssl cannot load it, add -inform DER):

openssl x509 -in certificate.crt -out certificate.pem -outform PEM

PEM to DER

openssl x509 -in certificate.pem -outform DER -out certificate.der

DER to PEM

openssl x509 -in certificate.der -inform DER -out certificate.pem -outform PEM

PFX to PEM (certificate and key)

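A PFX bundles both parts. The command below pulls them out into a single PEM file and prompts for the PFX password. The -nodes option writes the private key unencrypted, so restrict who can read the output file; OpenSSL 3.0 and later call this option -noenc and treat -nodes as deprecated.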

openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes

If you only want one part, see the dedicated guides for extracting the certificate from a PFX file and extracting the private key from a PFX file.

PEM/CRT and key to PFX

Going the other way — bundling a certificate and its private key into a PFX for Windows or IIS:

openssl pkcs12 -export -out certificate.pfx \
  -inkey private.key -in certificate.crt

Add the intermediate certificate so the bundle carries the full chain:

openssl pkcs12 -export -out certificate.pfx \
  -inkey private.key -in certificate.crt -certfile intermediate.crt

You'll be prompted for an export password, which whoever imports the PFX will need.

Verify the result

After any conversion, confirm the certificate is readable and contains what you expect:

openssl x509 -in certificate.pem -noout -text

If your goal is a working HTTPS setup, make sure the certificate you serve includes the intermediates — see what is an SSL certificate chain.
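
The check above can be made mechanical. This added example (not part of the original article) runs the page's conversions on a throwaway self-signed certificate and confirms that the SHA-256 fingerprint survives every conversion and that the key extracted from the PFX still matches the certificate. The function names, the CN example.test and the password demo-only are assumptions made for the demo.

```shell
#!/bin/sh
# Added example: confirm that format conversions preserved the certificate
# and that the private key from a PFX round trip still matches it.
# File names, CN and the throwaway password are constructed for the demo.

# SHA-256 fingerprint of a certificate; $2 is its encoding (PEM or DER).
cert_fp() { openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256; }

# Digest of the public key taken from a certificate or from a private key.
cert_pub() { openssl x509 -in "$1" -noout -pubkey | openssl sha256; }
key_pub()  { openssl pkey -in "$1" -pubout | openssl sha256; }

# True only when private key $2 belongs to certificate $1.
key_matches_cert() { [ "$(cert_pub "$1")" = "$(key_pub "$2")" ]; }

# Create a throwaway self-signed certificate and key in directory $1.
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$1/private.key" -out "$1/certificate.crt" 2>/dev/null
}

# Run the page's conversions in directory $1 and check each result.
verify_conversions() {
    d=$1; pw=pass:demo-only
    openssl x509 -in "$d/certificate.crt" -outform DER \
        -out "$d/certificate.der" || return 1
    openssl x509 -in "$d/certificate.der" -inform DER -outform PEM \
        -out "$d/certificate.pem" || return 1
    openssl pkcs12 -export -out "$d/certificate.pfx" -inkey "$d/private.key" \
        -in "$d/certificate.crt" -passout "$pw" || return 1
    # Restrictive umask: -nodes writes the private key unencrypted.
    ( umask 077; openssl pkcs12 -in "$d/certificate.pfx" -out "$d/bundle.pem" \
        -nodes -passin "$pw" 2>/dev/null ) || return 1
    want=$(cert_fp "$d/certificate.crt" PEM)
    [ "$(cert_fp "$d/certificate.der" DER)" = "$want" ] || return 1
    [ "$(cert_fp "$d/certificate.pem" PEM)" = "$want" ] || return 1
    [ "$(cert_fp "$d/bundle.pem" PEM)" = "$want" ] || return 1
    key_matches_cert "$d/certificate.crt" "$d/bundle.pem"
}

work=$(mktemp -d) && make_test_cert "$work" && verify_conversions "$work" \
    && echo "conversions verified"
rm -rf "$work"   # the demo directory holds an unencrypted private key
```

key_matches_cert is also worth running on your real files before building a PFX, since bundling a certificate with the wrong key is a common cause of import failures.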
