Certificates



Here are all the references used for certificates (format, management, creation or revocation, for example).

Formats

Introduction

An introduction to the different certificate formats in use.

PEM Format

  • Extensions such as .pem, .crt, .cer, .key;
  • Contains the lines -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----;
  • Base64 encoded ASCII files;
  • Most common format that Certificate Authorities issue certificates in;
  • Used by Apache and others;
  • Several PEM certificates, and even the private key, can be included in one file, one below the other. However, most platforms (e.g. Apache) expect the certificates and private key to be in separate files.

DER Format

  • Extensions .cer & .der;
  • Binary form of the ASCII PEM format certificate;
  • All types of certificates & private keys can be encoded in DER format;
  • Typically used on the Java platform.

P7B/PKCS#7

  • Extensions: .p7b, .p7c;
  • Contains -----BEGIN PKCS7----- & -----END PKCS7----- statements;
  • Base64 encoded ASCII files;
  • Can contain the certificates & chain certificates but not the private key;
  • Several platforms support it, e.g. Windows OS, Java Tomcat.

PFX/PKCS#12

  • Extensions .pfx, .p12;
  • Binary format files;
  • Used for storing the server certificate, any intermediate certificates & private key in one encryptable file;
  • Typically used on Windows OS to import and export certificates and private keys.
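
The extensions listed above overlap (.cer appears under both PEM and DER), so the file content is the reliable signal for choosing the right conversion. The script below is an added example, not part of the original page; the function names cert_format and has_plain_key are assumptions, and the binary checks are heuristics on the first ASN.1 bytes.

```shell
#!/bin/sh
# cert_format FILE -> pem:<label>[,<label>...] | der-cert | der-private-key
#                     | der-pkcs7 | pkcs12 | unknown
cert_format() {
    # PEM family: collect the label of every "-----BEGIN <label>-----" line.
    labels=$(LC_ALL=C sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$1" \
        | paste -sd, -)
    if [ -n "$labels" ]; then
        echo "pem:$labels"
        return 0
    fi
    # Binary family: DER is ASN.1, so the file starts with a SEQUENCE (0x30).
    hex=$(od -An -tx1 -N 16 "$1" | tr -d ' \n')
    case $hex in
        30*) ;;
        *) echo unknown; return 0 ;;
    esac
    # Skip the outer tag and its length field.
    case $(printf '%s' "$hex" | cut -c3-4) in
        81) skip=6 ;;
        82) skip=8 ;;
        83) skip=10 ;;
        *)  skip=4 ;;   # short form, or 0x80 indefinite length
    esac
    # The first element inside the SEQUENCE tells the containers apart
    # (heuristic: a DER CSR or CRL also starts with a nested SEQUENCE).
    case $(printf '%s' "$hex" | cut -c$((skip + 1))-) in
        020103*)               echo pkcs12 ;;           # INTEGER 3: PFX version
        020100*)               echo der-private-key ;;  # INTEGER 0: PKCS#1 RSA or PKCS#8 key
        06092a864886f70d0107*) echo der-pkcs7 ;;        # OID under pkcs-7
        30*)                   echo der-cert ;;         # nested SEQUENCE
        *)                     echo unknown ;;
    esac
}

# has_plain_key FILE -> exit 0 if FILE holds an unencrypted PEM private key.
has_plain_key() {
    # Encrypted PKCS#8 has its own label; legacy encrypted keys keep the plain
    # label and add a "Proc-Type: 4,ENCRYPTED" header (checked file-wide here).
    LC_ALL=C sed -n '/^-----BEGIN .*PRIVATE KEY-----/p' "$1" \
        | grep -v 'ENCRYPTED PRIVATE KEY' | grep -q . || return 1
    ! LC_ALL=C grep -q '^Proc-Type: 4,ENCRYPTED' "$1"
}
```

A result of der-cert means the x509 commands need -inform der, whatever the extension says; has_plain_key is worth running on any PEM bundle before it is copied to a shared location.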

Conversion

If your server/device requires a certificate format other than Base64 encoded X.509, a third-party tool such as OpenSSL can be used to convert the certificates into the appropriate format. For information on OpenSSL, visit: www.openssl.org

Convert X.509 to PEM

openssl x509 -in certificatename.cer -outform PEM -out certificatename.pem

Convert PEM to DER

openssl x509 -outform der -in certificatename.pem -out certificatename.der

Convert DER to PEM

openssl x509 -inform der -in certificatename.der -out certificatename.pem

Convert DER to CER

openssl x509 -inform der -in certificatename.der -out certificatename.cer

Convert PEM to P7B

The PKCS#7 or P7B format is stored in Base64 ASCII format and has a file extension of .p7b or .p7c.

A P7B file only contains certificates and chain certificates (Intermediate CAs), not the private key. The most common platforms that support P7B files are Microsoft Windows and Java Tomcat.

openssl crl2pkcs7 -nocrl -certfile certificatename.pem -out certificatename.p7b -certfile CACert.cer

Convert PKCS7 to PEM

openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.pem

Convert PKCS#12 to PEM

The PKCS#12 or PFX format is a binary format for storing the server certificate, intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.

openssl pkcs12 -in certificatename.pfx -out certificatename.pem

Convert PKCS#12 to CER

openssl pkcs12 -in certificatename.pfx -out certificatename.crt -nokeys -clcerts

Convert PFX to PKCS#8

This requires 2 commands:

  • STEP 1: Convert PFX to PEM

openssl pkcs12 -in certificatename.pfx -nocerts -nodes -out certificatename.pem

  • STEP 2: Convert PEM to PKCS8

openssl pkcs8 -in certificatename.pem -topk8 -nocrypt -out certificatename.pk8
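
The two steps above write the private key unencrypted, so the added example below (not part of the original page) pipes step 1 into step 2 to avoid leaving an intermediate PEM on disk, creates the output owner-only, and checks that the key matches the certificate in the same PFX. The function name pfx_to_pk8 and the password-file argument are assumptions.

```shell
#!/bin/sh
# pfx_to_pk8 PFX PASSFILE OUT.pk8
#   PASSFILE holds the PFX password on its first line, so the password
#   does not appear in the process list or the shell history.
pfx_to_pk8() (
    pfx=$1; passfile=$2; out=$3
    umask 077   # owner-only output (subshell body: caller's umask is untouched)
    # STEP 1 piped into STEP 2: no intermediate unencrypted PEM file.
    openssl pkcs12 -in "$pfx" -nocerts -nodes -passin "file:$passfile" \
        | openssl pkcs8 -topk8 -nocrypt -out "$out" \
        || { rm -f "$out"; exit 1; }
    # The extracted key must belong to the certificate stored in the same PFX:
    # compare the public key derived from each.
    key_pub=$(openssl pkey -in "$out" -pubout)
    crt_pub=$(openssl pkcs12 -in "$pfx" -nokeys -clcerts -passin "file:$passfile" \
        | openssl x509 -noout -pubkey)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$crt_pub" ]; then
        rm -f "$out"
        exit 1
    fi
)
```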

Convert P7B to PFX

This requires 2 commands:

  • STEP 1: Convert P7B to CER

openssl pkcs7 -print_certs -in certificatename.p7b -out certificatename.cer

  • STEP 2: Convert CER and Private Key to PFX

openssl pkcs12 -export -in certificatename.cer -inkey privateKey.key -out certificatename.pfx -certfile cacert.cer

Key Storing

Solutions used to provide safe containers to store the certificate and the associated private key.

Keystore

Used by Java, with the keytool utility.

Load existing public/private keys in keystore

Not initially planned; it is, however, supposed to be available since Java 6. Still useful!

openssl pkcs12 -export -in ./cert/my_certificate.cer -inkey ./cert/my_certificate_key.key -certfile ./cert/my_certificate.cer -name my_certificate_name -out ./cert/my_keystore.p12 -descert
keytool -importkeystore -srckeystore ./cert/my_keystore.p12 -srcstoretype pkcs12 -destkeystore ./cert/keystore.jks -deststoretype JKS

Import public key in keystore

keytool -import -trustcacerts -keystore ./cert/my_keystore -alias root -file ./cert/my_certificate_2.cer

List keys in keystore

keytool -list -keystore ./cert/my_keystore

Password keystore as OBF string

java -cp /opt/rsa/jetty9/lib/jetty-util* org.eclipse.jetty.util.security.Password 'PWD$'

OpenSSL

To be continued...
