GMO GlobalSign | Converting Certificates - OpenSSL

Converting Certificates From One Format to Another

There are several different file formats that can be used to hold certificates and their private keys, each with its own benefits. Applications often use different file formats, which means that from time to time you may need to convert your certificates from one format to another. To understand how to convert a certificate from one format to another, it’s useful to understand how to identify the formats:

Privacy Enhanced Mail (PEM) – This is one of the most common formats you will see. It’s easily identifiable because it always starts and ends with “PEM Armor”: a header and a footer that declare what is in between them. For example:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

Or

-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----

Or

-----BEGIN PKCS7-----

-----END PKCS7-----

PKCS #7 B (P7B) – This format is the "Cryptographic Message Syntax Standard". It generally contains a full certificate chain including the root, intermediate, and end-entity certificate. This is the format that is generally appended to digital signatures.

PKCS #12/PFX/P12 – This format is the "Personal Information Exchange Syntax Standard". A .pfx file holds a private key and its corresponding public key. It may also include intermediate and root certificates. .pfx/.p12 files are password protected. They can be readily imported for use by many browsers and servers, including OS X Keychain, IIS, Apache Tomcat, and more.

Base64 – This is the standardized encoding for .pem files, though other file extensions such as .cer and .crt may also use Base64 encoding.

DER – Distinguished Encoding Rules; this is a binary format commonly used in X.509 certificates.
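The identification rules above can be applied to a file's raw bytes. The following is an added example, not part of the original article: the function names and sample bytes are constructed for illustration, and the binary (DER) classification is a heuristic based on the first ASN.1 element inside the outer SEQUENCE.

```python
import base64
import re

# PEM armor: BEGIN line, Base64 body, END line carrying the same label.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def der_kind(der: bytes) -> str:
    """Heuristic: classify DER by the first element inside the outer SEQUENCE."""
    if len(der) < 4 or der[0] != 0x30:
        return "unknown"
    # Outer length is 1 byte (short form) or 1 + n bytes (long form).
    pos = 2 + (der[1] & 0x7F if der[1] & 0x80 else 0)
    inner = der[pos:pos + 3]
    if inner[:1] == b"\x30":
        return "DER: certificate (likely)"  # Certificate opens with tbsCertificate
    if inner[:1] == b"\x06":
        return "DER: PKCS #7"               # ContentInfo opens with an OID
    if inner == b"\x02\x01\x03":
        return "DER: PKCS #12"              # PFX opens with INTEGER version 3
    if inner[:1] == b"\x02":
        return "DER: private key (likely)"  # key structures open with a version INTEGER
    return "DER: other"

def identify(data: bytes) -> str:
    """Return 'PEM: <labels>', 'DER: <kind>' or 'unknown' for a file's bytes."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        names = []
        for label, body in blocks:
            try:  # the armored body must be Base64 that decodes to DER
                der = base64.b64decode(b"".join(body.split()), validate=True)
            except ValueError:
                der = b""
            names.append(label.decode() + ("" if der[:1] == b"\x30" else " (bad body)"))
        return "PEM: " + ", ".join(names)
    if b"-----BEGIN " in data:
        return "PEM: armor incomplete"
    return der_kind(data)

# Constructed structural stubs (not real certificates or keys).
CERT_DER = bytes.fromhex("3006300205000500")
P7_DER = bytes.fromhex("300b06092a864886f70d010702")
PFX_DER = bytes.fromhex("3003020103")
CERT_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(CERT_DER)
            + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for name in ("CERT_PEM", "CERT_DER", "P7_DER", "PFX_DER"):
        print(name, "->", identify(globals()[name]))
```

Legacy encrypted PEM keys carry extra header lines inside the armor, so this sketch reports them as a bad body.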

While all of this can be a little confusing, thankfully OpenSSL can help you go from one format to another fairly easily. OpenSSL is generally pre-installed on GNU/Linux platforms, and Mac OS X also ships with it. For Windows, a Win32 OpenSSL installer is available.