How to Convert CRT to PEM Easily

If you have a CRT file in the binary format, it can be converted by using the OpenSSL tool for Windows. First of all, you will need to download the archive with the OpenSSL binaries (openssl-0.9.th-1-bin.zip) and extract it to the local folder such as C:\OpenSSL. Then, copy the .crt file to the same place. When it is done, run the command prompt with the administrator privileges and go to the folder:

cd C:\OpenSSL\bin

if the crt file is located in the binary format, then you will have to run the following command if you want to convert it to the PEM format:

Openssl.exe x509 -inform DER -outform PEM -in my_certificate.crt -out my_certificate.crt.pem

Do not forget to change the file names of the certificates to your own. That is the command that will help you to convert the DER certificate file such as CTR to PEM. Keep in mind that when you are converting your certificate files to some different formats using OpenSSL, your certificate private data is secured since it is never located by the OpenSSL during the file conversion.

After you have executed the command, the new file named my_certificate.crt.pem should occur in the same folder. Upon seeing it, open it and make sure it is encoded in Base64. You can import this certificate now to the web server or any place that you want.

In case you get an error saying that you are unable to load the config info from the /usr/local/ssl/openssl.cnf when you run the openssl.exe tool, it means you will have to set up a new Windows environment variable by using this command below:

Set OPENSSL_CONF=C:\openssl\share\openssl.cnf

Set OPENSSL CONF C openssl share openssl.cnf

Once the command has been set up, re-run the Command Prompt window and try to execute a command in order to convert your certificate file from the CTR to PEM file format.

When you are on Windows 10 or Windows Server 2016, you are able to convert the CER to PEM certificate file format from the Windows built-in certificate export tool. Here are the steps to convert it:

  • The first thing that should be done is to run the File Explorer, find, and double click your .cer file.

run the File Explorer, find, and double click your .cer file

  • Then, go to the Details tab in the certificate properties window and click on the Copy to File button.

click on the Copy to File button

  • The next thing that you will have to do is to press Next on the first step of Certificate Export Wizard.
  • After that, you will need to choose the certificate export format. Please choose the option BASE-64 encoded X.509 (.CER) and click Next.

choose the option BASE-64 encoded X.509 (.CER) and click Next

  • In the fifth step, you should specify the file name.

specify the file name

  • Once it is done, press the Finish button.

press the Finish button

  • Now, it is time for you to change the certificate file extension from the .cer to .pem. here is the PowerShell command that you can use:

rename-item C:\PS\new_cert.cer c:\ps\new_cert.pem

  • Do not forget to make sure that the file format is Base64:

cat c:\ps\new_cert.pem

Do not forget to make sure that the file format is Base64

For those the users of Linux who want to convert the CRT SSL certificate to PEM, the instructions that you will need to follow are different than the ones above.

  • In the beginning, you will have to install the OpenSSL package.
  • Then, install the OpenSSL on RedHat/CentOS/Fedora as follows:

yum install openssl

yum install openssl

  • When you are on Debian or Ubuntu distros, the package is able to be installed using the APT:

apt-get install openssl

  • In order to convert the CER file to PEM format using openssl, you can just run the command below:

openssl x509 -inform der -in /home/tstcert.cer -out /home/tstcert.pem

Note: tstcert.cer means source certificate file and tstcert.pem means target pem file

openssl x509 -inform der -in home tstcert.cer -out home tstcert.pem

X.509 digital certificates refers to the certificates that are usually used to assert the identify of an organization and to protect the data integrity. There are some different kinds of digitally encoded and or signed documents that include code signing certificates, SSL or TLS certificates, personal authentication and S/MIME certificates, and so on.

The x.509 certificates can have a few different types of file extension that you are able to convert the certificates and the keys to, such as:

  • .PEM (Private enhanced electronic mail)
  • .CRT or .CER (Certificate)
  • .DER (Distinguished encoding rules)

PEM is named as the most well-known SSL certificate format issued by certification authority centers with some different file extensions like .crt, .pem, .cer, or .key. As you probably know, the certificate files have the extension .crt, .pem, .cer, or .key. They are encoded in the Base64 and usually start with the line —– BEGIN CERTIFICATE —– and end with the line —– END CERTIFICATE —–.

Apparently, the PEM certificate can consist of both the certificate and the certificate private key in the same file. They are encoded in the text ASCII Base64 format, and they can be viewed in any text editor. For your information, Nginx, Apache, and similar web servers are using the SSL certificates in the PEM file format.

People may have some reasons why they want to convert them to the other formats. Some of the reasons include the server is not approving of the existing file format or the file is not compatible with the software. It does not matter the reason behind it, the converting process can be done easily using OpenSSL.

Before converting the CTR to PEM file format, you will have to check if the certificate file is not already in the PEM format. Make sure that it really has a .crt extension. You can check it by opening the .crt file using any text editor that you want or listing its contents using PowerShell:

gc .cert.crt

If the file starts with —–BEGIN and it is readable in the text editor, it means the file already uses the base64 format, which is able to be read in ASCII. On the other words, the certificate is already in the PEM format and you just need to change the file extension from .crt to .pem in the Windows File Explorer.