Key and Certificate format conversions
In my previous post I outlined how we can manage keys and certificates with OpenSSL. In this post we shall look into various key/certificate formats and how to convert one to a targeted format.
Historically, keys and certificates have been stored in different formats. Advances in key management infrastructure have led to the development of various formats, and different tools support different formats too. It is therefore handy to know how to convert one format to another. Let's first take a look at some popular formats.
Binary (DER) format
A certificate in this format contains a raw X.509 certificate with DER ASN.1 encoding. DER private keys are also in the raw ASN.1 encoded format.
ASCII (PEM) format
A Privacy Enhanced Mail (PEM) certificate is a base64-encoded DER certificate with -----BEGIN CERTIFICATE----- used as the header and -----END CERTIFICATE----- as the footer. Usually there's only one certificate in a single file, although there can be many.
A PEM key is a base64-encoded DER key with possibly additional metadata included.
PKCS#7 format
A certificate in this format is found in files with a .p7b or .p7c extension and contains the entire certificate chain in a single file. The format is used to transport signed and encrypted data and is defined in RFC 2315.
PKCS#12 (PFX) format