18/52

CertificatesIntermediate

Certificate File Formats

Understand certificate formats: PEM, DER, PFX/P12, JKS. Learn when to use each and how to convert between them.

Interactive Demo

Certificate File Formats (PEM/DER/PFX/P7B)Cert Formats (PEM/DER/PFX/P7B)

Understand certificate encodings and how to convert between them

Step 0 of 4

Select a format to see conversion options

Format Comparison

PEM

Encoding: Base64 (ASCII)

Extensions: .pem .crt .cer .key

Contains: Single cert or key

Readable: ✓ Yes (notepad)

Use: Linux/Apache/Nginx

-----BEGIN CERTIFICATE-----
MIIDrzCCApegAwIBAgIQCDvg
... Base64 data ...
-----END CERTIFICATE-----

DER

Encoding: Binary

Extensions: .der .cer

Contains: Single cert

Readable: ✗ No (gibberish)

Use: Java/Windows

30 82 03 7a 30 82 02 62
a0 03 02 01 02 02 10 08
... binary hex ...

PFX/P12

Encoding: Binary (encrypted)

Extensions: .pfx .p12

Contains: Cert + Key + Chain!

Readable: ✗ No

Use: Windows/IIS/Export

Password Protected

cert

key

chain

P7B/PKCS#7

Encoding: Base64 or Binary

Extensions: .p7b .p7c

Contains: Certs only (NO keys)

Readable: Depends

Use: Chain bundles

Root CA

↓

Intermediate

↓

Leaf Cert

Quick Tip:Click on any format above to learn more about it and see all related content highlighted throughout this demo. Most certificate problems are simply format mismatches!

Conversion Paths

From PEM, I need...

DER:openssl x509 -outform DER

PFX:openssl pkcs12 -export(need key!)

P7B:openssl crl2pkcs7

From DER, I need...

PEM:openssl x509 -inform DER -outform PEM

PFX:Convert to PEM first(need key!)

P7B:Convert via PEM

From PFX, extract...

Cert (PEM):-clcerts -nokeys

Key (PEM):-nocerts -nodes

Chain:-cacerts -nokeys

From P7B, extract...

PEM certs:openssl pkcs7 -print_certs

⚠️ No private key in P7B - get key separately!

Which Format Do I Need?

Apache/Nginx

PEM(.crt + .key files)

IIS/Windows

PFX(with password)

Java/Tomcat

DER(or keystore)

Share Chain

P7B(no key exposed)

Trust Store

DER or PEM(varies by OS)

Secure Backup

PFX(encrypted)

Common Errors & Fixes

error:0906D06C:PEM routines:PEM_read_bio:no start line

Cause: OpenSSL expected PEM format but file is binary (DER) or corrupted

Fix: Convert DER to PEM: openssl x509 -inform DER -in cert.der -out cert.pem

unable to load certificate

Cause: File has wrong encoding, extra whitespace, or mixed line endings (Windows CRLF vs Unix LF)

Fix: Check file with cat -A cert.pem and fix line endings with dos2unix cert.pem

expecting: TRUSTED CERTIFICATE

Cause: OpenSSL wants a specific PEM header type that doesn't match

Fix: Check header - should be -----BEGIN CERTIFICATE----- not -----BEGIN X509 CERTIFICATE-----

error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag

Cause: File is PEM-encoded but you're trying to read it as DER binary

Fix: Remove -inform DER flag or convert: openssl x509 -in cert.pem -outform DER -out cert.der

Java: java.io.IOException: DerInputStream.getLength(): lengthTag=109

Cause: Java keystore received PEM file instead of DER binary

Fix: Convert to DER first, then import into keystore

Mac verify error: invalid password?

Cause: Wrong password, or PFX was created with different encryption (legacy vs modern)

Fix: Try legacy mode: openssl pkcs12 -in cert.pfx -legacy (OpenSSL 3.0+)

No certificate matches private key

Cause: When creating PFX, the cert and key files don't form a matching pair

Fix: Verify modulus matches (see commands below) - they must be identical

Windows: The PFX file you selected is not valid

Cause: PFX created with newer encryption that Windows can't read, or file is corrupted

Fix: Re-export with legacy encryption: openssl pkcs12 -export -legacy -out new.pfx ...

IIS: A specified logon session does not exist

Cause: Private key permissions issue or key not marked as exportable

Fix: Re-import PFX with "Mark key as exportable" checked, run as Administrator

unable to load PKCS7 object

Cause: File might be DER-encoded P7B, not PEM

Fix: Add -inform DER: openssl pkcs7 -inform DER -in chain.p7b -print_certs

no certificates found in P7B

Cause: P7B file is empty or contains only CRLs (Certificate Revocation Lists)

Fix: Request correct bundle from CA - P7B should contain intermediate + root certs

Pro tip: Select a format above to see specific errors and troubleshooting tips for that format.

Command Reference (OpenSSL + Windows)

PEM (text-friendly)

DER (binary)

PFX (secure container)

P7B (chain bundle)

Want to learn more?

Read our comprehensive guide covering PEM, DER, PFX, and P7B formats with complete conversion command reference.

Read the Complete Guide

Continue Learning

Certificate LifecyclePrev View All Demos PKCS#12 / PFXNext

View All Demos