Console9

How to convert certificate formats with OpenSSL

Convert between PEM, DER, and PKCS12 certificate formats using OpenSSL for cross-platform compatibility.

Convert SSL/TLS certificates and keys between PEM, DER, and PKCS12 (PFX) formats using OpenSSL for compatibility with different servers, Java keystores, and Windows certificate stores.

Prerequisites

  • OpenSSL installed
  • The certificate and/or key files to convert
  • Terminal access

Step-by-Step: Convert Certificate Formats with OpenSSL

1. Convert PEM to DER Format with OpenSSL

OpenSSL converts a Base64-encoded PEM certificate to binary DER format with the x509 subcommand:

openssl x509 -in certificate.pem -outform DER -out certificate.der

DER format is required by Java keystores (keytool) and some Windows applications.

2. Convert DER to PEM Format with OpenSSL

OpenSSL converts a binary DER certificate to Base64-encoded PEM format:

openssl x509 -in certificate.der -inform DER -outform PEM -out certificate.pem

3. Create a PKCS12 (PFX) Bundle with OpenSSL

OpenSSL combines a certificate and its private key into a single PKCS12 file (.pfx or .p12), which is the format required by Windows IIS and many Java applications:

openssl pkcs12 -export -out certificate.pfx -inkey server.key -in server.crt -certfile chain.crt

The -certfile flag includes intermediate CA certificates in the PKCS12 bundle. OpenSSL prompts for an export password that protects the private key inside the bundle.

4. Extract Certificate and Key from a PKCS12 Bundle with OpenSSL

OpenSSL extracts the certificate and private key from an existing PKCS12 file back into separate PEM files:

openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes -clcerts

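The -nodes flag outputs the private key without passphrase encryption, so certificate.pem holds the key in the clear and should be readable only by the account that needs it. OpenSSL 3.0 deprecates -nodes in favor of the equivalent -noenc. The -clcerts flag extracts only the client certificate, excluding CA certificates.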

How to Verify the Converted Certificate with OpenSSL

Inspect the converted file to confirm the format and content:

openssl x509 -in certificate.pem -noout -subject -issuer -dates

Common Issues When Converting Certificates with OpenSSL

OpenSSL returns "unable to load certificate": The input format flag does not match the actual file format. PEM files start with -----BEGIN CERTIFICATE-----. If the file contains binary data without headers, it is DER format, so add -inform DER.

PKCS12 export fails with "error reading key": The private key file is encrypted with a passphrase. OpenSSL prompts for the key passphrase first, then the export passphrase. Provide the correct key passphrase when prompted.
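
The verification step and the "unable to load certificate" issue above can be combined into one check. The script below is an added example, not part of the original page: it picks the -inform value from the file's content and confirms that a converted file still holds the same certificate by comparing SHA-256 fingerprints. The function names cert_encoding, cert_fingerprint and same_certificate are hypothetical helpers, and the file names in the usage line are placeholders.

```shell
#!/bin/sh
# Added example: choose -inform from the file content, then compare
# fingerprints of a certificate before and after conversion.

# Guess the encoding from the file's content: prints PEM, DER or unknown.
cert_encoding() {
    if LC_ALL=C grep -q -e '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo PEM
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        # DER is raw ASN.1 and its outer SEQUENCE tag is byte 0x30.
        # A PKCS12 file starts with the same byte, so this is only a hint:
        # openssl x509 below still has to parse the file successfully.
        echo DER
    else
        echo unknown
    fi
}

# Print the SHA-256 fingerprint, passing the -inform value that matches the file.
cert_fingerprint() {
    enc=$(cert_encoding "$1")
    if [ "$enc" = unknown ]; then
        echo "unrecognised encoding: $1" >&2
        return 1
    fi
    openssl x509 -in "$1" -inform "$enc" -noout -fingerprint -sha256
}

# Succeed only if both files hold the same certificate, whatever their encodings.
same_certificate() {
    a=$(cert_fingerprint "$1") || return 1
    b=$(cert_fingerprint "$2") || return 1
    [ "$a" = "$b" ]
}

# Usage: sh check.sh certificate.pem certificate.der
if [ "$#" -eq 2 ]; then
    if same_certificate "$1" "$2"; then
        echo "same certificate"
    else
        echo "different or unreadable"
    fi
fi
```

The fingerprint is computed over the DER encoding of the certificate, so a PEM file and its DER conversion produce the same value when the conversion is intact.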