
How to Use OpenSSL to Convert Certificates Between PEM and DER

Document ID: CTX106631   /   Created On: Jun 2, 2005   /   Updated On: Jun 2, 2005

Summary

This document describes how to use OpenSSL to convert an x509 certificate and/or RSA key from PEM to DER encoding or vice versa.

Requirements

You must have a working installation of the OpenSSL software and be able to execute openssl from the command line. Refer to CTX106627 - How to Install the OpenSSL Toolkit for more information on obtaining and installing OpenSSL.

Background

x509 certificates and RSA keys can be stored using a number of different formats. Two common formats are DER (a binary format used primarily by Java and Macintosh platforms) and PEM (a base64 representation of DER with header and footer information which is used primarily by UNIX and Linux platforms). There is also an obsolete NET (Netscape server) format which was used by earlier versions of IIS (up to and including 4.0) and various other less common formats which are not covered in this article.

A key and corresponding certificate as well as the root and any intermediate certificates can also be stored in a single PKCS#12 (.P12, .PFX) file, as explained in CTX106630 - How to Use OpenSSL to Create PKCS#12 Certificate Files.

Procedure

Use the openssl command to convert between formats as follows:

  1. To convert a certificate from PEM to DER:

       openssl x509 -in input.crt -inform PEM -out output.crt -outform DER

  2. To convert a certificate from DER to PEM:

       openssl x509 -in input.crt -inform DER -out output.crt -outform PEM

  3. To convert a key from PEM to DER:

       openssl rsa -in input.key -inform PEM -out output.key -outform DER

  4. To convert a key from DER to PEM:

       openssl rsa -in input.key -inform DER -out output.key -outform PEM

Note: If the key you are importing is encrypted with a supported symmetric cipher, you will be prompted to enter the passphrase.

Note: To convert a key to/from the obsolete NET (Netscape server) format, substitute NET for PEM or DER as appropriate. The key is stored encrypted using a weak unsalted RC4 symmetric cipher so a passphrase will be requested, although a blank passphrase is acceptable.
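As an added example that is not part of this article, the following Python script does the same PEM/DER conversion as the x509 and rsa commands above for unencrypted certificates and keys, without needing OpenSSL: PEM is just the DER bytes base64-encoded in 64-character lines between BEGIN/END markers. It also sniffs which format a file is in and checks that the outer DER SEQUENCE length matches the file size, which catches truncated or padded files; the sample DER blob is constructed.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# Constructed sample input: the DER AlgorithmIdentifier for rsaEncryption,
# SEQUENCE { OID 1.2.840.113549.1.1.1, NULL }. A real certificate or key is
# much larger but is wrapped in PEM exactly the same way.
SAMPLE_DER = bytes.fromhex("300d06092a864886f70d0101010500")

def sniff_format(data):
    """PEM files start with a textual BEGIN marker; anything else is treated as DER."""
    return "PEM" if data.lstrip().startswith(b"-----BEGIN ") else "DER"

def der_outer_length(der):
    """Validate the outermost DER SEQUENCE header and return the total encoded size."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (x509 certificates and RSA keys start with 0x30)")
    first = der[1]
    if first < 0x80:                     # short form: one length byte
        length, hdr = first, 2
    else:                                # long form: 0x8N then N big-endian length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad DER length encoding")
        length, hdr = int.from_bytes(der[2:2 + n], "big"), 2 + n
    if hdr + length != len(der):
        raise ValueError(f"DER says {hdr + length} bytes but file has {len(der)}")
    return hdr + length

def der_to_pem(der, label="CERTIFICATE"):
    """Wrap DER as PEM: base64 split into 64-character lines between BEGIN/END markers."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label.encode(), body, label.encode())

def pem_to_der(pem):
    """Strip the PEM header/footer and whitespace, then base64-decode; returns (label, der)."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM BEGIN/END markers found")
    return m.group(1).decode(), base64.b64decode(re.sub(rb"\s+", b"", m.group(2)), validate=True)

def convert(data, outform, label="CERTIFICATE"):
    """Mirror of openssl x509/rsa -inform <sniffed> -outform <outform> for unencrypted input."""
    if sniff_format(data) == "PEM":
        label, der = pem_to_der(data)
    else:
        der = data
    der_outer_length(der)                # refuse truncated or non-DER input before writing it
    return der if outform.upper() == "DER" else der_to_pem(der, label)
```

Unlike openssl rsa, this script does not decrypt passphrase-protected keys. Also bear in mind that the rsa utility's cipher flags only apply to PEM output, so a key written with -outform DER ends up unencrypted on disk.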

More Information

For more information about OpenSSL, refer to the OpenSSL Web site.

Keys are sensitive information and should be stored carefully and encrypted using a strong passphrase and cipher. You can use the DES, Triple DES, IDEA, or 128, 192, or 256 bit AES symmetric ciphers by adding a -des, -des3, -idea, -aes128, -aes192 or -aes256 flag to the command line.

If you do not have access to the passphrase for an encrypted key it is unlikely you will be able to retrieve the key itself and will need to generate a new key and corresponding certificate(s).

Key sizes of up to 4096 bit are supported by ICA Clients on the Windows platform and 2048 bit on non-Windows platforms. See CTX750591 - Error: There was a problem reading a security certificate for more information.
