Certificates2026-02-22

SSL Certificate Formats Explained: PEM, DER, PFX, CER, CRT, and P7B

A complete guide to SSL/TLS certificate file formats — what PEM, DER, PFX/P12, CER, CRT, and P7B mean, when to use each, and how to convert between them.

ssltlscertificatespempfxopensslsecurity

SSL Certificate Formats Explained: PEM, DER, PFX, CER, CRT, and P7B

When working with SSL/TLS certificates, you'll encounter a confusing array of file extensions: .pem, .crt, .cer, .der, .pfx, .p12, .p7b. What do they all mean? When do you use each format? And why does your web server need one format while your Windows machine needs another?

This guide demystifies every certificate format you'll encounter in production.

The Two Fundamental Encoding Formats

Before diving into specific file types, understand that all certificate data ultimately comes in two encodings:

DER (Distinguished Encoding Rules)

DER is a binary format. It's the raw ASN.1 encoding of the certificate data. Compact and efficient, but not human-readable.

# Check if a file is DER-encoded
file certificate.cer
# → certificate.cer: data (binary)

PEM (Privacy Enhanced Mail)

PEM is a Base64-encoded wrapper around DER data, with header and footer lines:

-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvgVpBCRrGhdWrJWZHHSjANBgkqhkiG9w0BAQUFADBh
...
-----END CERTIFICATE-----

PEM was originally defined for email encryption (RFC 1421) but became the standard for storing and transmitting certificates and keys. Text-based, human-readable, and easy to copy-paste.

Key insight: Most file format differences are just different containers or encodings of the same underlying X.509 certificate data.

File Formats by Extension

.pem

Encoding: Base64 (text) Contains: One or more certificates, private keys, or both Used by: Apache, Nginx, HAProxy, most Linux/Unix tools, OpenSSL

The most common format on Linux systems. A single .pem file can contain a full certificate chain:

-----BEGIN CERTIFICATE-----
(your certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(intermediate CA certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(root CA certificate)
-----END CERTIFICATE-----

Or include the private key:

-----BEGIN CERTIFICATE-----
(certificate)
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
(private key)
-----END PRIVATE KEY-----

.crt and .cer

Encoding: PEM (text) OR DER (binary) — context-dependent Contains: Certificate(s), no private key Used by: Both Linux and Windows systems

Confusingly, .crt and .cer can be either PEM-encoded (text) or DER-encoded (binary). On Linux, .crt files are usually PEM. On Windows, .cer is usually DER.

To check which encoding:

openssl x509 -in cert.crt -text -noout
# If this works, it's PEM
# If it errors, try:
openssl x509 -inform DER -in cert.cer -text -noout
# If this works, it's DER

Practically, .crt and .cer are just naming conventions — they contain the same X.509 certificate data as .pem.

.der

Encoding: DER (binary) Contains: Single certificate Used by: Java applications (converted to keystores), some Windows contexts

Pure binary format. Smaller than PEM (no Base64 overhead). Rarely used directly — usually converted to PEM or imported into a keystore.

# Convert DER to PEM
openssl x509 -inform DER -in certificate.der -out certificate.pem

Or use our Convert DER to PEM tool.

.pfx and .p12

Encoding: Binary (PKCS#12) Contains: Certificate + private key + optional certificate chain, password-protected Used by: Windows (IIS, Exchange), Azure, many enterprise systems

PFX (Personal Information Exchange) and P12 are the same format (PKCS#12) with different names. The P12/PFX format bundles everything together — the certificate, the full chain, and the private key — in a single password-protected binary file.

This makes deployment easy: one file, one password. The downside is that the private key is in the bundle, so you must protect the password.

# Export to PFX using OpenSSL
openssl pkcs12 -export -out cert.pfx -inkey private.key -in cert.crt -certfile chain.crt

# Convert PFX to PEM
openssl pkcs12 -in cert.pfx -nokeys -out cert.pem
openssl pkcs12 -in cert.pfx -nocerts -out key.pem

Use our Convert PFX to PEM tool for browser-based conversion.

.p7b and .p7c

Encoding: Base64 (text) — PKCS#7 format Contains: Certificate(s) and chain — no private key Used by: Windows, Java

P7B (PKCS#7) can contain multiple certificates (like the full chain) but never includes the private key. Windows uses this format for certificate chains from certificate authorities.

# Convert P7B to PEM
openssl pkcs7 -print_certs -in cert.p7b -out cert.pem

.key

Encoding: PEM (text) usually Contains: Private key (RSA, ECDSA, etc.) Used by: Apache, Nginx — typically stored separately from the certificate

The .key file holds your private key. Keep it secure — anyone with your private key can impersonate your server.

-----BEGIN PRIVATE KEY-----
(unencrypted private key)
-----END PRIVATE KEY-----

Or encrypted:

-----BEGIN ENCRYPTED PRIVATE KEY-----
(AES-encrypted private key)
-----END ENCRYPTED PRIVATE KEY-----

.csr

Encoding: PEM (text) — PKCS#10 format Contains: Certificate Signing Request — public key + subject info, signed with private key Used by: Sent to Certificate Authorities to request a signed certificate

A CSR is what you send to a CA (like Let's Encrypt, DigiCert, or Sectigo) to get a certificate issued. It contains your public key and information about your domain and organization, signed with your private key to prove you have the corresponding private key.

Use our CSR Decoder to inspect a CSR, or CSR Generator to create one.

Format Comparison Table

Format Encoding Private Key Chain Platform
.pem Base64 text Optional Optional Linux/Unix
.crt PEM or DER No Optional Both
.cer PEM or DER No No Windows
.der Binary No No Java
.pfx/.p12 Binary (PKCS#12) Yes Optional Windows
.p7b Base64 (PKCS#7) No Yes Windows/Java
.key PEM Yes No Linux/Unix
.csr PEM (PKCS#10) No (public key) No All

What Format Does My Server Need?

Apache HTTP Server

SSLCertificateFile    /etc/ssl/certs/cert.pem
SSLCertificateKeyFile /etc/ssl/private/key.pem
SSLCertificateChainFile /etc/ssl/certs/chain.pem

Apache uses separate PEM files: certificate, private key, and optionally the certificate chain.

Nginx

ssl_certificate     /etc/nginx/ssl/cert_chain.pem;  # cert + chain concatenated
ssl_certificate_key /etc/nginx/ssl/private.key;

Nginx uses PEM format but typically wants the certificate and chain concatenated in a single file.

IIS (Windows Server)

IIS uses the Windows Certificate Store. Import .pfx (PKCS#12) files via the MMC certificate snap-in or PowerShell:

Import-PfxCertificate -FilePath cert.pfx -CertStoreLocation Cert:\LocalMachine\My -Password $password

Tomcat (Java)

Java uses keystores (.jks or .p12). Convert PEM to JKS:

# First create P12:
openssl pkcs12 -export -in cert.pem -inkey key.pem -certfile chain.pem -out keystore.p12
# Or import directly into JKS using keytool:
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype PKCS12 -destkeystore keystore.jks

Let's Encrypt (Certbot)

Certbot generates PEM files in /etc/letsencrypt/live/yourdomain.com/:

  • cert.pem — your certificate
  • chain.pem — intermediate chain
  • fullchain.pem — cert + chain (use this for Nginx)
  • privkey.pem — private key

Common Certificate Conversions

PFX/P12 → PEM (extract certificate)

openssl pkcs12 -in cert.pfx -nokeys -out cert.pem

PFX/P12 → PEM (extract private key)

openssl pkcs12 -in cert.pfx -nocerts -nodes -out key.pem

PEM → PFX

openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem -certfile chain.pem

DER → PEM

openssl x509 -inform DER -in cert.der -out cert.pem

PEM → DER

openssl x509 -outform DER -in cert.pem -out cert.der

For browser-based conversions without needing OpenSSL installed, use our SSL Converter tool which supports all common certificate format conversions.

Inspecting Certificates

To view certificate details from the command line:

# View PEM certificate
openssl x509 -in cert.pem -text -noout

# View DER certificate
openssl x509 -inform DER -in cert.der -text -noout

# View PFX contents
openssl pkcs12 -in cert.pfx -info -noout

# Check certificate and key match
openssl x509 -modulus -in cert.pem -noout | md5sum
openssl rsa -modulus -in key.pem -noout | md5sum
# Both hashes should match

Or use our browser-based tools:

Understanding the Certificate Chain

A properly configured SSL deployment includes three certificates:

  1. Leaf certificate — your domain's certificate (issued by the intermediate CA)
  2. Intermediate CA certificate — issued by the root CA, not in browsers' trust stores by default
  3. Root CA certificate — self-signed, in all major browsers' trust stores

Your web server needs to send the leaf certificate AND the intermediate chain. Browsers verify the chain up to a trusted root. Missing the intermediate causes "untrusted certificate" errors in some browsers or on some devices.

Check your certificate chain with our SSL Checker tool.

Key Takeaways

  • PEM is the default format on Linux/Unix — text, Base64, human-readable
  • PFX/P12 bundles everything (cert + key + chain) in one password-protected binary — used on Windows
  • DER is binary encoding of a single certificate — used in Java and some Windows contexts
  • CRT/CER are just naming conventions — check the encoding to know what you have
  • Use OpenSSL or our SSL Converter to convert between formats
  • Always keep private keys secure — they're the crown jewels of your PKI

Related Tools

SSL Decoder", slug: "ssl-decoder" }SSL Converter", slug: "ssl-converter" }
← Back to Blog