Before covering how to convert to pem from different certificate formats let us define what each of the certificate file extensions means.
.pem – Privacy Enhanced Mail Certificate. A PEM file is Base64 encoded and may be an X.509 certificate file, a private key file, or any other key material. PEM encoded files are commonly used in Apache and Tomcat servers.
.crt – Shorthand way to say “cert”, the .crt file extension is a security extension that may be either Base64 encoded or binary. Most commonly, .crt is a Base64 encoded certificate.
.cer – Shorthand way to almost say “cert”, the .cer file extension is an Internet Security Certificate that may be either Base64 encoded or binary. Most commonly, .cer is a binary certificate.
.der – The .der file extension is for a certificate file in binary format.
.pfx – The .pfx file extension is a PKCS12 certificate bundle which may contain an end entity certificate, a certificate chain, and matching private key. .pfx can be interchanged with .p12 and may be protected by a password.
.p12 – Personal Information Exchange File that is encrypted with a password and is interchangeable with the .pfx file extension.
.ppk – PuTTY Private Key File. This is a private key file created by the putty key generator used for ssh.
.jks – Java Keystore File. A file encrypted with a password used in a Java program. Similar to the .p12 file, but .jks is considered proprietary.
Most of the conversions are done with OpenSSL.
PEM conversion examples
convert pem to crt
To convert a pem encoded certificate to a .crt extension, simply rename the file. This assumes you want .crt to be Base64 encoded. To convert pem file to crt in linux, run:
mv cert.pem cert.crt
convert crt to pem
To convert a crt file to pem file, do the same as in the previous example, simply rename it and change the file extension. To convert crt to pem windows, just rename the file in Windows as you would any file.
convert pem to cer
To convert a pem encoded certificate to a .cer extension, simply rename the file. This assumes you want .cer to remain Base64 encoded. If you want the .cert to be .der encoded follow the pem to der instructions below. To perform this conversion in linux, run:
mv cert.pem cert.cer
Another commonly used search term is convert pem to cert. A pem encoded certificate is already a “cert”, and the .cert file extension isn’t a “real” extension, so it is better to used an already defined file extension such as .cer, .pem, or .crt. This example demonstrated how to convert pem to cer.
convert pem to pfx
This example will demonstrate how to convert pem to pfx. Also searched for as convert pem pfx, to convert a pem encoded certificate or file to pfx you must have the certificate and the matching private key. Optionally you may include the certificate chain. A more detailed example can be found in our article on PKCS12. Note that this example will work on any pem encoded files regardless of the extension.
openssl pkcs12 -export -out keystore.pfx -inkey key.pem -in certificate.pem -certfile chain.pem
To convert pem to pfx without private key, run the following command making sure to include the -nokeys flag.
openssl pkcs12 -export -out test.pfx -nokeys -in test.pem
convert pfx to pem
To convert pfx to pem using openssl you should export the contents of the file.
openssl pkcs12 -in test.pfx -out test.pem -nodes
convert pem to pkcs12
This example will demonstrate how to with openssl convert pem to p12. To convert pem certificate to pkcs12 do exactly the same as converting pem to pfx as shown above, except for the file extension.
openssl pkcs12 -export -out keystore.p12 -inkey key.pem -in certificate.pem -certfile chain.pem
convert pem to jks
It is less common to convert a pem to jks than it is to convert a pem to pkcs12. For that reason it is first necessary to convert the pem to pkcs12 as demonstrated above. Then with the Java keytool run the following command to finalize the pem conversion to jks.
keytool -importkeystore -srckeystore cert.p12 -scrstoretype pkcs12 -destkeystore cert.jks
For more details on importing a keystore into another keystore as shown here see this article.
convert pem to p7b
openssl crl2pkcs7 -nocrl -certfile certificate.pem -out certificate.p7b -certfile CACert.cer
convert pem to ppk
To convert a pem encoded certificate to ppk format, you must first install putty.
sudo apt install putty-tools
Then run the following command to perform the conversion to ppk.
sudo puttygen key.pem -o key.ppk -O private
This example demonstrated how to convert pem file to ppk.
convert ppk to pem
To convert ppk to pem, run the following command:
sudo puttygen key.ppk -O private-openssh -o key.pem
This command can be used to convert ppk to pem mac as well with putty tools installed. To convert ppk to pem windows, use the putty console.
convert pem to key
This example will demonstrate how to with openssl convert pem to key. A pem encoded private key can simply be renamed to have a .key file extension. On linux, perform the following command to convert pem to key:
mv key.pem key.key
Renaming the file was all that was needed to convert pem to private key. Any key type is supported by renaming it, convert pem to rsa, convert pem to ecdsa, etc.
convert pem to der
openssl x509 -outform der -in certificate.pem -out certificate.der
This article has demonstrated how to perform many different file conversions to and from pem format. If you would like for us to develop a way to convert to pem online let us know in the comments. Also leave us a comment with any questions or requests for additional examples.