Convert SSL certificate formats: PEM, DER, PKCS#12, and PKCS#7
Certificates come in a confusing pile of formats: .pem, .crt, .cer, .der, .p7b, .pfx. They often hold the same data in different wrappers, and picking the wrong one for your server is a common cause of failed installs.
The formats, demystified
- PEM is the most common. It is Base64 text wrapped in -----BEGIN CERTIFICATE----- lines, and a single PEM file can hold a certificate, its chain, and even the private key stacked together. Apache, nginx, and most Linux tooling expect PEM. The .crt, .cer, and .key extensions are usually just PEM with a different name.
- DER is the same information in raw binary instead of Base64. It is common in Java and some Windows contexts. A .cer file may be either PEM or DER, which is part of the confusion.
- PKCS#7 (.p7b, .p7c) is a container for the certificate and its chain, but not the private key. Windows and Java import it to install a trust chain.
- PKCS#12 (.pfx, .p12) is a single password-protected bundle holding the certificate, its chain, and the private key. This is what Windows/IIS and many load balancers want, and what you export to move a full identity between machines.
Choosing the target format
The rule of thumb: nginx and Apache want PEM, Windows/IIS wants PKCS#12, Java keystores often start from DER or PKCS#7, and moving a cert with its key between systems means PKCS#12. When an install fails, a format mismatch (or a chain bundled in the wrong order) is the usual reason.
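Because the extension does not reliably say what is inside (a .cer may be PEM or DER), a format check has to look at the bytes. The following is an added example, not part of the original page: a heuristic classifier that reads PEM labels or the leading DER elements and reports whether the file holds a private key. The function names and the sample byte strings are constructed for illustration.

```python
import base64
import re

PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
# DER encoding of the PKCS#7 signedData OID 1.2.840.113549.1.7.2
PKCS7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")

def der_body(data):
    """Contents of the outer DER SEQUENCE, or None if data is not one."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length
        return data[2:2 + first]
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return data[2 + n:2 + n + int.from_bytes(data[2:2 + n], "big")]

def classify(data):
    """Return (format, holds_private_key), judged from content only."""
    labels = [m.decode() for m in PEM_BEGIN.findall(data)]
    if labels:
        if all(label == "PKCS7" for label in labels):
            return "PKCS#7 (PEM)", False
        has_key = any(label.endswith("PRIVATE KEY") for label in labels)
        return "PEM: " + ", ".join(labels), has_key
    body = der_body(data) or b""
    if body.startswith(PKCS7_SIGNED_DATA):
        return "PKCS#7 (DER)", False
    if body.startswith(b"\x02\x01\x03"):  # PFX version INTEGER 3
        return "PKCS#12", True
    if body.startswith(b"\x30"):          # tbsCertificate SEQUENCE
        return "X.509 certificate (DER)", False
    return "unknown", False

def pem(label, der):
    b64 = base64.encodebytes(der).decode()
    return f"-----BEGIN {label}-----\n{b64}-----END {label}-----\n".encode()

# Constructed, truncated samples: only the leading bytes a real file would have.
CERT_DER = bytes.fromhex("30023000")
P7B_DER = bytes.fromhex("300b") + PKCS7_SIGNED_DATA
PFX_DER = bytes.fromhex("3003020103")

if __name__ == "__main__":
    for blob in (CERT_DER, P7B_DER, PFX_DER, pem("CERTIFICATE", CERT_DER)):
        print(classify(blob))
```

The DER branch only inspects the leading bytes, so treat its answer as a hint and confirm with a full parser before acting on it.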
Converting safely
Conversions are lossless when done right, but PKCS#12 bundles contain the private key, so they should never be uploaded to a third-party service. The SSL Converter runs in your browser, so the key in a .pfx never leaves your machine. If your problem is really a broken chain rather than a format, the SSL certificate chain errors guide covers that specifically.