Before covering how to convert to pem from different certificate formats let us define what each of the certificate file extensions means.

.pem – Privacy Enhanced Mail Certificate. A PEM file is Base64 encoded and may be an X.509 certificate file, a private key file, or any other key material. PEM encoded files are commonly used in Apache and Tomcat servers.

.crt – Shorthand way to say “cert”, the .crt file extension is a security extension that may be either Base64 encoded or binary. Most commonly, .crt is a Base64 encoded certificate.

.cer – Shorthand way to almost say “cert”, the .cer file extension is an Internet Security Certificate that may be either Base64 encoded or binary. Most commonly, .cer is a binary certificate.

.der – The .der file extension is for a certificate file in binary format.

.pfx – The .pfx file extension is a PKCS12 certificate bundle which may contain an end entity certificate, a certificate chain, and matching private key. .pfx can be interchanged with .p12 and may be protected by a password.

.p12 – Personal Information Exchange File that is encrypted with a password and is interchangeable with the .pfx file extension.

.ppk – PuTTY Private Key File. This is a private key file created by the putty key generator used for ssh.

.jks – Java Keystore File. A file encrypted with a password used in a Java program. Similar to the .p12 file, but .jks is considered proprietary.

Most of the conversions are done with OpenSSL.

PEM conversion examples

convert pem to crt

To convert a pem encoded certificate to a .crt extension, simply rename the file. This assumes you want .crt to be Base64 encoded. To convert pem file to crt in linux, run:

mv cert.pem cert.crt

convert crt to pem

To convert a crt file to pem file, do the same as in the previous example, simply rename it and change the file extension. To convert crt to pem windows, just rename the file in Windows as you would any file.

convert pem to cer

To convert a pem encoded certificate to a .cer extension, simply rename the file. This assumes you want .cer to remain Base64 encoded. If you want the .cert to be .der encoded follow the pem to der instructions below. To perform this conversion in linux, run:

mv cert.pem cert.cer

Another commonly used search term is convert pem to cert. A pem encoded certificate is already a “cert”, and the .cert file extension isn’t a “real” extension, so it is better to used an already defined file extension such as .cer, .pem, or .crt. This example demonstrated how to convert pem to cer.

convert pem to pfx

This example will demonstrate how to convert pem to pfx. Also searched for as convert pem pfx, to convert a pem encoded certificate or file to pfx you must have the certificate and the matching private key. Optionally you may include the certificate chain. A more detailed example can be found in our article on PKCS12. Note that this example will work on any pem encoded files regardless of the extension.

openssl pkcs12 -export -out keystore.pfx -inkey key.pem -in certificate.pem -certfile chain.pem

To convert pem to pfx without private key, run the following command making sure to include the -nokeys flag.

openssl pkcs12 -export -out test.pfx -nokeys -in test.pem

convert pfx to pem

To convert pfx to pem using openssl you should export the contents of the file.

openssl pkcs12 -in test.pfx -out test.pem -nodes

convert pem to pkcs12

This example will demonstrate how to with openssl convert pem to p12. To convert pem certificate to pkcs12 do exactly the same as converting pem to pfx as shown above, except for the file extension.

openssl pkcs12 -export -out keystore.p12 -inkey key.pem -in certificate.pem -certfile chain.pem

convert pem to jks

It is less common to convert a pem to jks than it is to convert a pem to pkcs12. For that reason it is first necessary to convert the pem to pkcs12 as demonstrated above. Then with the Java keytool run the following command to finalize the pem conversion to jks.

keytool -importkeystore -srckeystore cert.p12 -scrstoretype pkcs12 -destkeystore cert.jks

For more details on importing a keystore into another keystore as shown here see this article.

convert pem to p7b

openssl crl2pkcs7 -nocrl -certfile certificate.pem -out certificate.p7b -certfile CACert.cer

convert pem to ppk

To convert a pem encoded certificate to ppk format, you must first install putty.

sudo apt install putty-tools

Then run the following command to perform the conversion to ppk.

sudo puttygen key.pem -o key.ppk -O private

This example demonstrated how to convert pem file to ppk.

convert ppk to pem

To convert ppk to pem, run the following command:

sudo puttygen key.ppk -O private-openssh -o key.pem

This command can be used to convert ppk to pem mac as well with putty tools installed. To convert ppk to pem windows, use the putty console.

convert pem to key

This example will demonstrate how to with openssl convert pem to key. A pem encoded private key can simply be renamed to have a .key file extension. On linux, perform the following command to convert pem to key:

mv key.pem key.key

Renaming the file was all that was needed to convert pem to private key. Any key type is supported by renaming it, convert pem to rsa, convert pem to ecdsa, etc.

convert pem to der

openssl x509 -outform der -in certificate.pem -out certificate.der