Certificate Formats
Certificates carry the same data regardless of format. The difference is in how that data is encoded and what additional objects (private keys, chain certificates) are bundled together. Choosing the right format depends on the platform and use case.
PEM (.pem, .crt, .cer)
PEM (Privacy Enhanced Mail) is the most common format on Linux, macOS, and in most open-source tooling. It is Base64-encoded DER wrapped with ASCII header and footer lines. A single PEM file can contain multiple objects (certificates, keys) concatenated together.
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJ...
-----END CERTIFICATE-----
How to identify: open the file in a text editor. If you see -----BEGIN headers, it is PEM.
DER (.der, .cer)
DER (Distinguished Encoding Rules) is the raw binary encoding of the ASN.1 certificate structure. It contains exactly one certificate. Common on Windows and Java platforms. The .cer extension is ambiguous — it may be PEM or DER depending on the source.
How to identify: the file is binary (not human-readable). The first byte is typically 0x30 (ASN.1 SEQUENCE tag).
PKCS#7 (.p7b, .p7c)
A container format defined by RFC 2315 that bundles one or more certificates (typically a certificate chain) but never private keys. Common when exporting chains from Windows Certificate Manager or IIS. Can be PEM-encoded (with -----BEGIN PKCS7----- headers) or DER-encoded.
When to use: distributing certificate chains without private keys, especially on Windows.
PKCS#12 / PFX (.pfx, .p12)
A password-protected binary archive that bundles the private key, the certificate, and optionally the full chain into a single file. This is the format you encounter when exporting from Windows Certificate Store, Kestrel HTTPS configuration, or Azure Key Vault.
In .NET, load a PFX directly:
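using System.Security.Cryptography.X509Certificates;

// Load the certificate and its private key from the PFX into the machine key store
var cert = new X509Certificate2("server.pfx", "password",
    X509KeyStorageFlags.MachineKeySet);
Warning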
PFX files contain private keys. Treat them like passwords: never commit them to source control, restrict file permissions, and use strong export passwords.
PKCS#8 (Private Keys)
PKCS#8 defines a standard format for private key information. PEM files with -----BEGIN PRIVATE KEY----- (unencrypted) or -----BEGIN ENCRYPTED PRIVATE KEY----- are PKCS#8. Contrast with the older format-specific headers like -----BEGIN RSA PRIVATE KEY----- (PKCS#1). PKCS#8 is algorithm-agnostic and is preferred for new deployments.
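The "How to identify" notes above, carried through to all five formats so that an ambiguous extension such as .cer can be resolved from content. This is an added example, not code from the original page: the function names are hypothetical, the sample bytes are constructed, and the binary checks are a heuristic that only tells apart the formats covered here (it validates nothing).

```python
import re

# PEM labels named on this page -> (object kind, holds private key?)
PEM_LABELS = {
    "CERTIFICATE": ("X.509 certificate", False),
    "PKCS7": ("PKCS#7 bundle", False),
    "PRIVATE KEY": ("PKCS#8 private key", True),
    "ENCRYPTED PRIVATE KEY": ("PKCS#8 encrypted private key", True),
    "RSA PRIVATE KEY": ("PKCS#1 RSA private key", True),
}
PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
UNKNOWN = ("unrecognised", False)

def _body(buf, pos):
    """Offset of the first content octet of the ASN.1 TLV starting at pos."""
    length = buf[pos + 1]
    # Long form: the low 7 bits count the length octets (0 for BER indefinite).
    return pos + 2 + (length & 0x7F if length & 0x80 else 0)

def _sniff_binary(buf):
    """Classify a DER/BER file by the first element inside the outer SEQUENCE."""
    if buf[0] != 0x30:                       # no ASN.1 SEQUENCE tag
        return UNKNOWN
    pos = _body(buf, 0)
    if buf[pos] == 0x06:                     # ContentInfo starts with an OID
        return ("PKCS#7 bundle", False)
    if buf[pos] == 0x02:                     # a one-octet version INTEGER
        if buf[pos + 2] == 3:                # PFX version is 3
            return ("PKCS#12 / PFX", True)
        pkcs8 = buf[pos + 3] == 0x30         # AlgorithmIdentifier follows in PKCS#8
        return ("PKCS#8 private key" if pkcs8 else "non-PKCS#8 private key", True)
    if buf[pos] == 0x30 and buf[_body(buf, pos)] == 0xA0:
        return ("X.509 certificate", False)  # tbsCertificate with [0] version
    return UNKNOWN

def identify(data):
    """Return [(kind, holds_private_key), ...] for the bytes of a PEM or binary file."""
    labels = [m.decode() for m in PEM_BEGIN.findall(data)]
    if labels:
        return [PEM_LABELS.get(label, UNKNOWN) for label in labels]
    try:
        return [_sniff_binary(data)]
    except IndexError:                       # empty or truncated input
        return [UNKNOWN]

if __name__ == "__main__":
    # Constructed sample: the first 12 DER bytes of the PEM example shown on this page.
    print(identify(bytes.fromhex("3082056b30820353a0030201")))
```

Any entry whose second field is True marks a file to handle as a secret, whatever its extension says.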
Converting Between Formats
OpenSSL handles most conversions. Here are the common ones:
PEM to DER
openssl x509 -in cert.pem -outform der -out cert.der
DER to PEM
openssl x509 -in cert.der -inform der -out cert.pem
PEM + Key to PFX
openssl pkcs12 -export -out cert.pfx \
    -inkey key.pem -in cert.pem -certfile chain.pem
PFX to PEM
# Extract certificate
openssl pkcs12 -in cert.pfx -clcerts -nokeys -out cert.pem
# Extract private key (-nodes writes it unencrypted, so restrict access to key.pem)
openssl pkcs12 -in cert.pfx -nocerts -nodes -out key.pem
PEM to PKCS#7
openssl crl2pkcs7 -nocrl -certfile chain.pem -out chain.p7b
Format Cheat Sheet
| Format | Extensions | Encoding | Private Key | Chain |
|---|---|---|---|---|
| PEM | .pem .crt .cer | Base64 | Separate file | Concatenated |
| DER | .der .cer | Binary | Separate file | No |
| PKCS#7 | .p7b .p7c | PEM or DER | No | Yes |
| PKCS#12 | .pfx .p12 | Binary | Yes (encrypted) | Yes |
| PKCS#8 | .pem .key | PEM or DER | Yes | No |