PEM, DER, P7B/PKCS#7, PFX/PKCS#12 certificates and conversions

COMMON CERTIFICATE FORMATS

PEM Format

It is the most common format in which Certificate Authorities issue certificates. It contains the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements.

Several PEM certificates, and even the Private key, can be included in one file, one below the other. But most platforms (e.g. Apache) expect the certificates and Private key to be in separate files.

  • They are Base64 encoded ASCII files
  • They have extensions such as .pem, .crt, .cer, .key
  • Apache and similar servers use PEM format certificates

DER Format

It is the binary form of the ASCII PEM format certificate. All types of Certificates & Private Keys can be encoded in DER format.

  • They are Binary format files
  • They have extensions .cer & .der
  • DER is typically used on the Java platform

NOTE: The only way to tell the difference between a PEM .cer and a DER .cer is to open the file in a text editor and look for the BEGIN/END statements.

P7B/PKCS#7

They contain "-----BEGIN PKCS7-----" & "-----END PKCS7-----" statements. They can contain only Certificates & Chain certificates, not the Private key.

  • They are Base64 encoded ASCII files
  • They have extensions .p7b, .p7c, .p7s
  • Several platforms support it, e.g. Windows OS, Java Tomcat

PFX/PKCS#12

They are used for storing the Server certificate, any Intermediate certificates & Private key in one encryptable file.

  • They are Binary format files
  • They have extensions .pfx, .p12
  • Typically used on Windows OS to import and export certificates and Private keys

CONVERTING CERTIFICATES BETWEEN DIFFERENT FORMATS

PEM

  • Convert PEM to DER
$ openssl x509 -outform der -in certificate.pem -out certificate.der
  • Convert PEM to P7B
$ openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CAcert.cer
  • Convert PEM to PFX
$ openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CAcert.crt

DER

  • Convert DER to PEM
$ openssl x509 -inform der -in certificate.cer -out certificate.pem

P7B

  • Convert P7B to PEM
$ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
  • Convert P7B to PFX
$ openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
$ openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CAcert.cer

PFX

  • Convert PFX to PEM
$ openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes

NOTE: When converting PFX to PEM format, openssl puts all the Certificates and the Private Key into a single file. You will need to open the file in a text editor and copy each Certificate & Private key (including the BEGIN/END statements) to its own individual text file and save them as certificate.cer, CAcert.cer and privateKey.key respectively.
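The two manual steps described in the notes above (checking whether a .cer file is PEM or DER, and copying each block of the PFX-to-PEM output into its own file) can be scripted. The following is an added example, not part of the original post; the function names, the numbered output file names and the sample bundle are assumptions made for illustration, and it does not decide which certificate is the CA certificate.

```python
import base64
import os
import re

# One PEM block; the label after END must repeat the label after BEGIN.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

def detect_encoding(data: bytes) -> str:
    """Classify raw file bytes as 'PEM', 'DER' or 'unknown'."""
    if b"-----BEGIN " in data:
        return "PEM"
    # A DER certificate or key starts with the ASN.1 SEQUENCE tag 0x30.
    return "DER" if data[:1] == b"\x30" else "unknown"

def split_bundle(text: str):
    """Return [(label, pem_text, der_bytes)] for each block in a PEM bundle.
    Lines between blocks (the "Bag Attributes" text) are ignored. Assumes
    blocks carry no Proc-Type/DEK-Info header lines inside them."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        der = base64.b64decode("".join(m.group(2).split()), validate=True)
        blocks.append((m.group(1), m.group(0) + "\n", der))
    return blocks

def write_blocks(blocks, directory):
    """Write each block to its own file; key files get mode 0600."""
    paths, counts = [], {}
    for label, pem, _ in blocks:
        is_key = label.endswith("PRIVATE KEY")
        stem, ext = ("privateKey", "key") if is_key else ("certificate", "cer")
        counts[stem] = counts.get(stem, 0) + 1
        path = os.path.join(directory, f"{stem}{counts[stem]}.{ext}")
        # O_EXCL refuses to overwrite; the mode is set at creation time.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL,
                     0o600 if is_key else 0o644)
        with os.fdopen(fd, "w") as fh:
            fh.write(pem)
        paths.append(path)
    return paths

# Constructed sample (not real key material): a 5-byte DER SEQUENCE stands in
# for each object, laid out like `openssl pkcs12 -nodes` output.
_B64 = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x01])).decode()
SAMPLE_BUNDLE = "".join(
    f"Bag Attributes\n    friendlyName: example\n"
    f"-----BEGIN {label}-----\n{_B64}\n-----END {label}-----\n"
    for label in ("PRIVATE KEY", "CERTIFICATE", "CERTIFICATE"))
```

The -nodes option in the PFX to PEM command writes the private key without encryption, which is why the key file is created with owner-only permissions here.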

(source http://myonlineusb.wordpress.com/2011/06/19/what-are-the-differences-between-pem-der-p7bpkcs7-pfxpkcs12-certificates/)
