Converting SSL certificates is one of those tasks that looks straightforward until you’re knee-deep in error messages at 11 PM before a deployment. I’ve converted hundreds of certificates across different server setups, and the same situations come up repeatedly: CA sends PEM, server needs PFX. Client needs Java keystore, you only have CRT and KEY files. New server is Windows IIS, old one was Nginx.
This guide covers the real-world conversions you’ll actually need, with exact commands that work. If you prefer a browser-based alternative for simpler operations, the free Certificate Converter handles PEM ↔ Base64 without touching a terminal.
Prerequisites: OpenSSL
You’ll need OpenSSL installed. On Linux and macOS it’s almost certainly already there. On Windows, either use the Linux Subsystem (WSL) or grab a prebuilt binary from slproweb.com or use Git Bash, which bundles OpenSSL.
Check your version:
openssl version
Anything above 1.1.0 handles all the conversions here. OpenSSL 3.x is fine too.
PEM to DER
This is the simplest conversion. You’re just decoding the Base64 and writing raw binary.
openssl x509 -in certificate.pem -outform DER -out certificate.der
If you have a .crt file and it’s PEM encoded (text-readable), the same command works:
openssl x509 -in certificate.crt -outform DER -out certificate.der
DER to PEM
Reverse direction — you need to tell OpenSSL the input format explicitly because DER has no headers:
openssl x509 -in certificate.der -inform DER -outform PEM -out certificate.pem
PEM Certificate + Key to PFX
This is probably the most common conversion I do. You have separate .crt and .key files (typical Nginx/Apache setup) and need a single PFX for IIS or Azure.
openssl pkcs12 -export \
-in certificate.crt \
-inkey private.key \
-out certificate.pfx \
-name "my certificate"
OpenSSL will ask you for an export password. You must set one — IIS requires it during import. If you want an empty password (not recommended), just hit Enter twice.
If you also have intermediate certificates to include in the chain:
openssl pkcs12 -export \
-in certificate.crt \
-inkey private.key \
-certfile ca-bundle.crt \
-out certificate.pfx \
-name "my certificate"
The -name flag sets a friendly name that shows up in Windows Certificate Manager. It doesn’t affect functionality, but it’s helpful when you have multiple certs and need to identify them.
PFX to PEM
Going the other way — extracting certificates and keys from a PFX file.
Extract just the certificate (no private key):
openssl pkcs12 -in certificate.pfx -nokeys -out certificate.pem
Extract just the private key (no certificate):
openssl pkcs12 -in certificate.pfx -nocerts -nodes -out private.key
The -nodes flag means “no DES encryption” — it outputs the private key unencrypted. Without it, OpenSSL will ask you to set a password for the key file. Most servers expect unencrypted keys, so -nodes is usually what you want.
Extract everything into one file:
openssl pkcs12 -in certificate.pfx -nodes -out everything.pem
That file will contain the private key, certificate, and any CA certificates that were in the PFX, all as PEM blocks. You can then split them manually or use individual commands to extract specific pieces.
Dealing With OpenSSL 3.x and Legacy PFX Files
If you’re on OpenSSL 3.x and trying to import an older PFX file (especially ones generated by Windows or older Java tools), you might see errors like:
Error outputting keys and certificates
40E7B1A9B67F0000:error:0308010C:digital envelope routines:inner_evp_generic_fetch:unsupported
This happens because OpenSSL 3.x deprecated older algorithms that older PFX files use. Fix it by adding the legacy provider flag:
openssl pkcs12 -legacy -in certificate.pfx -nodes -out certificate.pem
PEM to PKCS#7 (P7B)
openssl crl2pkcs7 -nocrl -certfile certificate.crt -out certificate.p7b
If you want to include intermediate certs:
openssl crl2pkcs7 -nocrl \
-certfile certificate.crt \
-certfile intermediate.crt \
-out certificate.p7b
PKCS#7 to PEM
openssl pkcs7 -in certificate.p7b -print_certs -out certificate.pem
This extracts all certificates from the P7B into a single PEM file.
Converting a Private Key from PKCS#8 to Traditional RSA Format
Sometimes you’ll encounter a private key that starts with —–BEGIN PRIVATE KEY—– (PKCS#8 format) but your server expects —–BEGIN RSA PRIVATE KEY—– (traditional format). Nginx older versions particularly care about this.
openssl rsa -in private_pkcs8.key -out private_rsa.key
Going the other direction (traditional to PKCS#8):
openssl pkcs8 -topk8 -in private_rsa.key -nocrypt -out private_pkcs8.key
Verifying That Certificate and Key Match
Before installing anything, always verify that the certificate and the private key belong together. A mismatch causes immediate server startup failures, and it’s a common mistake when managing multiple certificates.
# These two commands should produce identical output
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in private.key | openssl md5
If the MD5 hashes match, the certificate and key are a pair. If they differ, you have the wrong key for that certificate. For a structured view, paste the certificate into our Certificate Decoder — it extracts subject, issuer, fingerprint, and extensions without needing OpenSSL on your machine.
Checking Certificate Details Before Deployment
# View certificate details (expiry, subject, SANs)
openssl x509 -in certificate.crt -text -noout
# Just the expiry date
openssl x509 -in certificate.crt -noout -dates
# Just the subject (domain info)
openssl x509 -in certificate.crt -noout -subject
# Just the issuer (CA info)
openssl x509 -in certificate.crt -noout -issuer
Once deployed, confirm the live server is serving the right certificate with the SSL Certificate Checker — enter any domain and get the full TLS handshake results including days remaining, SANs, and fingerprint.
Batch Converting Multiple Certificates
When you need to convert a directory full of PEM certificates to DER:
for f in *.pem; do
openssl x509 -in "$f" -outform DER -out "${f%.pem}.der"
done
Or PFX files to PEM:
for f in *.pfx; do
openssl pkcs12 -in "$f" -nodes -out "${f%.pfx}.pem" -passin pass:YourPassword
done
Replace YourPassword with the actual PFX password. The -passin flag avoids interactive prompts which is what you want in scripts.
Creating a Full Chain Bundle for Nginx
Nginx expects a single file containing your certificate followed by intermediate certificates. If your CA sent you separate files:
cat certificate.crt intermediate.crt root.crt > fullchain.pem
The order matters — domain certificate first, then intermediates in order up to (but typically not including) the root CA. Most browsers have root CAs pre-installed, so including the root is usually unnecessary, though it doesn’t break anything.
These commands cover the vast majority of real-world certificate conversion scenarios. The key thing to remember is that the data itself doesn’t change between formats — you’re just changing the encoding or packaging. The public key, the domain it’s bound to, and the expiry date are all identical no matter which format you’re looking at.