Include legacy content

How to Use OpenSSL to Convert Certificates Between PEM and DER

  • CTX106631
  • Created On  Jun 02, 2005
  • Updated On  Mar 27, 2012
  • 116 found this helpful
  • Article
  • Topic : Licensing, Configuration, Connectivity, Installation/Upgrade, Security


This document describes how to use OpenSSL to convert an x509 certificate and/or RSA key from PEM to DER encoding or vice versa.


You must have a working installation of the OpenSSL software and be able to execute openssl from the command line. Refer to CTX106627 - [Document Not Found] for more information on obtaining and installing OpenSSL.


x509 certificates and RSA keys can be stored using a number of different formats. Two common formats are DER (a binary format used primarily by Java and Macintosh platforms) and PEM (a base64 representation of DER with header and footer information which is used primarily by UNIX and Linux platforms). There is also an obsolete NET (Netscape server) format which was used by earlier versions of IIS (up to and including 4.0) and various other less common formats which are not covered in this article.

A key and corresponding certificate as well as the root and any intermediate certificates can also be stored in a single PKCS#12 (.P12, .PFX) file, as explained in CTX106630 - [Document Not Found].


Use the openssl command to convert between formats as follows:

  1. To convert a certificate from PEM to DER:
  2. x509 -in input.crt -inform PEM –out output.crt -outform DER
  3. To convert a certificate from DER to PEM:
  4. x509 -in input.crt -inform DER -out output.crt -outform PEM
  5. To convert a key from PEM to DER:
  6. rsa -in input.key -inform PEM -out output.key -outform DER
  7. To convert a key from DER to PEM:
  8. rsa -in input.key -inform DER -out output.key -outform PEM

Note: If the key you are importing is encrypted with a supported symmetric cipher you will be prompted to enter the passphrase.

Note: To convert a key to/from the obsolete NET (Netscape server) format, substitute NET for PEM or DER as appropriate. The key is stored encrypted using a weak unsalted RC4 symmetric cipher so a passphrase will be requested, although a blank passphrase is acceptable.

More Information

For more information about OpenSSL, refer to the OpenSSL Web site.

Keys are sensitive information and should be stored carefully and encrypted using a strong passphrase and cipher. You can use the DES, Triple DES, IDEA, or 128, 192, or 256 bit AES symmetric ciphers by adding a des, des3, idea, aes128, aes192 or aes256 flag to the command line.

If you do not have access to the passphrase for an encrypted key it is unlikely you will be able to retrieve the key itself and will need to generate a new key and corresponding certificate(s).

Key sizes of up to 4096 bit are supported by ICA Clients on the Windows platform and 2048 bit on non Windows platforms. See CTX750591 – [Document Not Found] for more information.

Share your comments or find out more about this topic

Citrix Forums



Was this helpful?

Thank you for your feedback!

| Terms of Use | Privacy | Governance