191

I have a .cer certificate and I would like to convert it to the .pem format.

If I remember correctly, I used to be able to convert them by exporting the .cer in Base64, then renaming the file to .pem .

How do I convert a .cer certificate to .pem?

Stevoisiak
  • 123
  • 8
systempuntoout
  • 2,055
  • 2
  • 13
  • 10

6 Answers6

305

Convert a DER file (.crt .cer .der) to PEM

openssl x509 -inform der -in certificate.cer -out certificate.pem

Source

Craig Watson
  • 9,575
  • 3
  • 32
  • 47
HUB
  • 6,630
  • 3
  • 23
  • 22
  • 24
    Doesn't work for me. The CER file is exported from the Windows certificate export tool. It has the following form: `-----BEGIN CERTIFICATE----- MII...D2H -----END CERTIFICATE-----`. From openssl, I get the following error: `error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1338: error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:390:Type=X509` – Martin Pecka Nov 14 '16 at 00:27
  • 51
    Then your certificate is already in PEM format. Just rename it from `certificate.cer` to `certificate.pem`. – slowhand May 16 '17 at 21:11
  • Earlier asked here – [How to convert .crt to .pem](https://stackoverflow.com/q/4691699/95735) – Piotr Dobrogost Sep 04 '21 at 14:41
24

convert a .cer file in .pem

open a terminal and run the following command

openssl x509 -inform der -in certificate.cer -outform pem -out certificate.pem

Where certificate.cer is the source certificate file you want to convert and certificate.pem is the name of the converted certificate.

Community
  • 1
Akhilesh
  • 341
  • 2
  • 2
17

When openssl is not available on your system you could alternatively convert certificates with the java keytool.

However you have to create a java keystore (JKS) first. The certificates can then be imported and exported in different formats.

keytool -genkey -alias test -keystore <key store file>
keytool -delete -alias test -keystore <key store file>

Converting from DER to PEM:

keytool -import -trustcacerts -alias test -file <der certificate file> -keystore test.keystore 
keytool -exportcert -alias test -file <pem certificate file> -rfc -keystore test.keystore

This blog post explains how to convert certificate formats in detail

Marcel Friedmann
  • 351
  • 2
  • 5
  • I did this and the .pem file is almost identical to the .cer file, just wrapped differently. – endolith May 06 '16 at 15:00
  • 2
    @endolith in that case they are both .pem files. A .cer file can be .der or .pem encoded, this question assumes .der encoding, which you did not have. – eis Sep 20 '16 at 15:00
16

Answer

  • If your certificate is exported with DER encoding, then use the accepted answer:

    openssl x509 -inform der -in certificate.cer -out certificate.pem

  • If your certificate is exported with Base-64 encoding, then rename the file's extension from .cer to .pem since the file is already in .pem format.

How to tell that your .cer file is in .pem format?

See this stack-o answer, quoted here:

A .pem format certificate file will most likely be ASCII-readable. It will have a line that starts with:
-----BEGIN CERTIFICATE-----
...followed by Base-64 encoded data, followed by a
-----END CERTIFICATE-----
at the end. There may be other lines before or after.

For example, a .pem certificate (shortened):

-----BEGIN CERTIFICATE-----
MIIG6DCCBNCgAwIBAgITMgAAGCeh8HZoCVDcnwAAAAAYJzANBgkqhkiG9w0BAQsF
ADBAMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxEzARBgoJkiaJk/IsZAEZFgNkb3Ix
EjAQBgNVBAMTCURPUi1TVUJDQTAeFw0yMDA1MDExNTI0MTJaFw0yMjA1MDExNTI0
MTJaMBYxFDASBgNVBAMTC3dwZG9yd2VibDE2MIIBIjANBgkqhkiG9w0BAQEFAAOC
...
-----END CERTIFICATE-----
Al Dass
  • 103
  • 3
David
  • 414
  • 4
  • 10
3

We mustn't forget that Windows can do this natively:

certutil.exe -encode <der file> <pem file>

and in the other direction:

certutil.exe -decode <pem file> <der file>

It works with certificates and PKCS#10 requests.

garethTheRed
  • 4,539
  • 14
  • 22
0

Just changing the file extension worked for me:

mv filename.cer filename.pem

Mohan
  • 101
  • 2
  • 2
    That only works if the content of the file is already PEM encoded. Changing the file extension does not change the content of the file. In many cases, a program would also not care if the file extension is `der` or `pem`, and rather check the content. – Mime Jul 06 '22 at 13:36