Why multiple certificate formats exist
When a CA delivers your SSL certificate you might receive files named .crt, .pem, .pfx, .p12, .der, or .p7b. These are not different certificate types — they are different encodings of the same underlying data. The certificate itself (the public key, subject, validity period, and CA signature) is identical in every format — it's the same X.509 certificate structure regardless of the container it's stored in.
The variety traces back to two separate ecosystems that grew in parallel during the 1990s. The Unix/Linux/OpenSSL world favored plain-text PEM files — easy to inspect, copy, and concatenate. Microsoft's Windows and IIS stack developed the PFX container to bundle the certificate and private key together for GUI-driven import. Java created its own JKS keystore on top of that, and P7B emerged from Windows' need to distribute certificate chains without exposing the private key.
Choosing the wrong format rarely produces a clear error. IIS will say "the password is incorrect." Nginx will report "no certificate or ciphers." Apache will fail silently on startup. This guide explains each format, which server wants it, and how to convert between them using OpenSSL — or the My-SSL Certificate Converter if you prefer a browser tool.
PEM format
PEM (Privacy Enhanced Mail — the email use never shipped, but the name stuck) is the most common SSL certificate format in use today. PEM files are plain ASCII text: they contain Base64-encoded DER data wrapped between -----BEGIN …----- and -----END …----- marker lines.
A certificate in PEM format looks like this:
-----BEGIN CERTIFICATE-----
MIIFazCCA1OgAwIBAgIRAIIQz7DSQONZRGPgu2OCiwAwDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
... (Base64-encoded data)
-----END CERTIFICATE-----
A private key uses a different header/footer pair:
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC7o4qne60TBOU3
...
-----END PRIVATE KEY-----
A single PEM file can contain multiple objects. Nginx and Apache both accept a chained PEM — the end-entity certificate followed immediately by the intermediate CA certificate(s) — as a single file for their ssl_certificate / SSLCertificateFile directive.
| Property | Value |
|---|---|
| Encoding | Base64 text |
| Common extensions | .pem, .crt, .cer, .key, .ca-bundle |
| Can contain | Certificate, private key, CA chain, or all three in one file |
| Human-readable? | Yes — open in any text editor |
| Password-protected? | Private key only (optional) |
| Used by | Nginx, Apache, cPanel, Plesk, DirectAdmin, OpenSSL, most Linux-based tooling |
DER format
DER (Distinguished Encoding Rules) is the binary form of the same ASN.1 data that PEM encodes as Base64 text. The certificate content is identical; DER simply skips the text-encoding step, producing a slightly more compact file.
DER files appear as binary data in any text editor — they cannot be meaningfully read as text. The most common use cases today are:
- Java applications that import certificates programmatically via CertificateFactory.getInstance("X.509")
- Older Windows environments using the Certificate MMC snap-in
- Mobile device management (MDM) systems that push certificates to devices
- Embedded or constrained systems where the absence of Base64 encoding saves a small amount of storage
File extensions don't tell you the encoding. A .cer file on Windows may be either PEM or DER. To confirm: run openssl x509 -in file.cer -text -noout. If that fails, add -inform der and try again. A text editor is even quicker — PEM starts with -----BEGIN; DER starts with binary noise.
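Both points above, that a PEM file is just Base64-encoded DER between marker lines and may hold several objects, and that the extension says nothing about the encoding, can be checked by content. The following is an added Python example, not code from this guide or from OpenSSL: it splits a PEM bundle into its objects, converts PEM to DER and back (the same transformation as openssl x509 -outform der and -inform der), and classifies a file by what its bytes actually contain. The sample DER object and the chained bundle built from it are constructed for the demonstration and are not real certificates.

```python
import base64
import re

# Matches one PEM object; the backreference makes the BEGIN and END labels agree.
PEM_OBJECT = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

# Constructed sample DER: SEQUENCE { INTEGER 1, INTEGER 2 }. Not a real
# certificate, but it starts with the same 0x30 SEQUENCE tag a DER cert does.
SAMPLE_DER = bytes.fromhex("3006020101020102")


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Base64-encode DER and wrap it in 64-column PEM armour, as OpenSSL does."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode("ascii")


def split_pem(data: bytes) -> list:
    """Return [(label, der_bytes), ...] for every object in a PEM file, in order.
    A chained PEM (leaf + intermediates) yields several CERTIFICATE entries."""
    objects = []
    for match in PEM_OBJECT.finditer(data):
        label = match.group(1).decode("ascii")
        b64 = re.sub(rb"\s+", b"", match.group(2))   # drop the line breaks
        objects.append((label, base64.b64decode(b64, validate=True)))
    return objects


def pem_to_der(data: bytes, label: str = "CERTIFICATE") -> bytes:
    """DER of the first object carrying the given label."""
    for found, der in split_pem(data):
        if found == label:
            return der
    raise ValueError(f"no {label} object in PEM input")


def looks_like_der(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE: tag 0x30 and a length that
    accounts for every remaining byte (catches truncated or padded files)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                       # short-form length
        return 2 + first == len(data)
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    return 2 + n + int.from_bytes(data[2:2 + n], "big") == len(data)


def sniff(data: bytes) -> str:
    """Classify by content, since .crt/.cer/.key say nothing about encoding."""
    objects = split_pem(data)
    if objects:
        return "PEM: " + ", ".join(label for label, _ in objects)
    if looks_like_der(data):
        return "DER: single ASN.1 SEQUENCE"
    return "unknown (not PEM, not a well-formed DER object)"


if __name__ == "__main__":
    # A constructed chained PEM: leaf certificate, intermediate, then the key.
    bundle = (der_to_pem(SAMPLE_DER) + der_to_pem(SAMPLE_DER)
              + der_to_pem(SAMPLE_DER, "PRIVATE KEY"))
    print(sniff(bundle))              # PEM: CERTIFICATE, CERTIFICATE, PRIVATE KEY
    print(sniff(SAMPLE_DER))          # DER: single ASN.1 SEQUENCE
    print(sniff(SAMPLE_DER[:-1]))     # unknown ... (a truncated DER file)
    print(pem_to_der(bundle) == SAMPLE_DER)   # True
```

Running sniff over a file before handing it to Nginx or Apache answers the "no certificate or ciphers" question immediately: a DER or PFX file never yields a PEM object, and a PEM chain reports how many certificates it actually contains, which is the usual way to notice a missing intermediate.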
| Property | Value |
|---|---|
| Encoding | Binary (raw ASN.1 DER) |
| Common extensions | .der, .cer (sometimes) |
| Can contain | One certificate (no private key) |
| Human-readable? | No — binary format |
| Used by | Java apps (programmatic import), older Windows MMC, MDM systems |
PFX / PKCS#12 format
PFX and PKCS#12 (.p12) are the same format with two names. Microsoft coined "PFX" (Personal Exchange Format) in the late 1990s; the PKCS standard later adopted it as PKCS#12. The two file extensions are completely interchangeable — renaming certificate.pfx to certificate.p12 does not change the file in any way.
What makes PFX/PKCS#12 unique is that it is a password-protected container: it bundles the end-entity certificate, the full CA chain (all intermediate certificates), and the private key into a single binary file. IIS requires this format because its certificate import wizard handles the private key through the PFX container rather than managing separate files.
PFX files contain your private key. Treat them with the same care as a bare .key file. Never transmit them over unencrypted channels, never commit them to version control, and always protect them with a strong password when creating or transferring them.
Apache Tomcat uses a PKCS#12 keystore that is functionally identical to a PFX file — the same openssl pkcs12 -export command generates it. For the full Tomcat setup, see the Apache Tomcat SSL installation guide.
| Property | Value |
|---|---|
| Encoding | Binary container |
| Common extensions | .pfx, .p12 |
| Can contain | Certificate + private key + full CA chain — all in one file |
| Password-protected? | Yes — always encrypted |
| Used by | IIS (Windows Server), Apache Tomcat (PKCS#12 keystore), Azure App Service, Exchange Server, code-signing workflows |
P7B / PKCS#7 format
P7B (also known as PKCS#7 or CMS) is a container that holds one or more certificates — but never a private key. That makes it safe to distribute publicly and is why some CAs use it for delivering the CA bundle, and why Windows uses it when you need to import an intermediate certificate without exposing any key material.
P7B files look similar to PEM but with different headers:
-----BEGIN PKCS7-----
MIIHggYJKoZIhvcNAQcCoIIHczCCB28CAQExADALBgkqhkiG9w0BBwGgggdTMIID
...
-----END PKCS7-----
IIS's "Complete Certificate Request" wizard requires a PFX — P7B is only useful for adding trusted root or intermediate CAs to the Windows certificate store via MMC or the certutil command. Java trust stores can also import P7B files using keytool.
| Property | Value |
|---|---|
| Encoding | Base64 text (or binary DER variant) |
| Common extensions | .p7b, .p7c |
| Can contain | One or more certificates — no private key |
| Password-protected? | No |
| Used by | Windows Certificate MMC (chain import), IIS (CA trust store), Java trust stores, some CA chain delivery packages |
Which format each server needs
The table below shows what every major server platform expects and what files you need to supply at install time.
| Server / Platform | Format | Files to provide |
|---|---|---|
| Nginx | PEM | certificate.crt (+ chain), private.key |
| Apache HTTP Server | PEM | certificate.crt, private.key, ca-bundle.crt |
| IIS 10 (Windows Server) | PFX / PKCS#12 | certificate.pfx (key + chain bundled) |
| Apache Tomcat | PKCS#12 keystore | keystore.p12 (openssl pkcs12 export) |
| GlassFish / Payara | PKCS#12 or JKS | keystore.p12 (keytool import) |
| cPanel | PEM (paste text) | certificate.crt, private.key, ca-bundle.crt |
| Plesk | PEM (paste text) | certificate.crt, private.key, ca-bundle.crt |
| DirectAdmin | PEM (paste text) | certificate.crt, private.key, ca-bundle.crt |
| Windows certmgr / MMC | PFX (with key) or P7B (chain only) | certificate.pfx for full import; .p7b for chain-only |
If your CA delivered files in a format your server doesn't accept, use the OpenSSL commands below. Alternatively, My-SSL's free Certificate Converter handles all common conversions in your browser — no OpenSSL installation needed.
Converting between formats with OpenSSL
OpenSSL handles every common format conversion. The commands below use OpenSSL 3.x syntax, available on Ubuntu 22.04+, Debian 12+, Rocky/AlmaLinux 9+, and macOS 14+. On systems with OpenSSL 1.x the commands are identical unless noted.
PEM → DER
openssl x509 -in certificate.crt -outform der -out certificate.der
DER → PEM
openssl x509 -in certificate.der -inform der -out certificate.crt
PEM → PFX / PKCS#12
This bundles the certificate, private key, and CA chain into one password-protected file. OpenSSL will prompt for an export password.
openssl pkcs12 -export \
  -in certificate.crt \
  -inkey private.key \
  -certfile ca-bundle.crt \
  -out certificate.pfx
OpenSSL 3.x compatibility note. OpenSSL 3 defaults to AES-256-CBC encryption, which Windows Server 2016 and some older Java versions cannot import. If IIS rejects your PFX, add -legacy -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES to use the older cipher suite.
PFX → PEM (extract certificate)
openssl pkcs12 -in certificate.pfx -nokeys -out certificate.crt
PFX → PEM (extract private key)
openssl pkcs12 -in certificate.pfx -nocerts -nodes -out private.key
The -nodes flag removes the passphrase from the extracted key so your server can load it without a password prompt. Lock down the resulting file immediately: chmod 600 private.key.
PEM → P7B / PKCS#7
openssl crl2pkcs7 -nocrl \
  -certfile certificate.crt \
  -certfile ca-bundle.crt \
  -out certificate.p7b
P7B → PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt
Outputs all certificates in the P7B as a concatenated PEM chain. P7B files cannot contain a private key, so no key is extracted.
P7B → PFX (two steps)
There is no direct P7B-to-PFX path in OpenSSL. Convert via PEM first:
# Step 1 — P7B to PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.crt
# Step 2 — PEM + private key to PFX
openssl pkcs12 -export \
  -in certificate.crt \
  -inkey private.key \
  -out certificate.pfx
Verifying your conversion
After converting, always verify the output before deploying. Use these commands to inspect each format and confirm the certificate and key match.
Inspect a PEM certificate
openssl x509 -in certificate.crt -text -noout
Inspect a DER certificate
openssl x509 -in certificate.der -inform der -text -noout
Inspect a PFX file
openssl pkcs12 -info -in certificate.pfx
Lists the certificate subjects and whether a private key is present. You will be prompted for the PFX password.
Verify the certificate and private key match
A mismatched key is the most common cause of post-conversion errors. Both commands must produce the same MD5 hash:
# Hash of the public key embedded in the certificate
openssl x509 -noout -modulus -in certificate.crt | openssl md5
# Hash of the public key from the private key file
openssl rsa -noout -modulus -in private.key | openssl md5
# Both must print the same value
For ECDSA keys, replace openssl rsa -noout -modulus with openssl ec -noout -pubout and compare the PEM output directly.
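The modulus comparison works because the certificate's SubjectPublicKeyInfo and the private key file both carry the same RSA modulus. The Python below is an added example, not part of this guide and not OpenSSL's code: it walks the DER of an X.509 certificate and of a PKCS#8 (or bare PKCS#1) RSA key with a minimal ASN.1 reader and compares the two moduli, and it also pulls the certificates out of a P7B SignedData, which is the first step of the P7B → PFX path above. It is RSA-only and takes DER bytes (convert PEM input with -outform der first). Its test data are toy-sized RSA parameters and a certificate-shaped structure with a dummy signature, constructed purely so that the block runs offline.

```python
RSA_OID = bytes.fromhex("06092a864886f70d010101")          # rsaEncryption
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")  # PKCS#7 signedData
DATA_OID = bytes.fromhex("06092a864886f70d010701")         # PKCS#7 data

def der(tag: int, content: bytes) -> bytes:
    """Encode one TLV with a definite short- or long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def der_int(n: int) -> bytes:
    """INTEGER; the +8 forces a leading 0x00 byte when the top bit is set."""
    return der(0x02, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))

def der_read(data: bytes, pos: int = 0):
    """Read the TLV at pos (single-byte tags); return (tag, content, end)."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    if start + length > len(data):
        raise ValueError("truncated DER")
    return tag, data[start:start + length], start + length

def der_children(content: bytes) -> list:
    """Split a constructed type's content into (tag, content) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out

def p7b_certificates(p7b_der: bytes) -> list:
    """Certificate DERs inside a degenerate PKCS#7 SignedData (what a .p7b holds)."""
    (oid_tag, oid), (_, wrapper) = der_children(der_read(p7b_der)[1])[:2]
    if oid_tag != 0x06 or der(0x06, oid) != SIGNED_DATA_OID:
        raise ValueError("not PKCS#7 signedData")
    signed_data = der_children(wrapper)[0][1]                  # [0] EXPLICIT SignedData
    certs = next(b for t, b in der_children(signed_data) if t == 0xA0)  # certificates [0]
    return [der(0x30, b) for t, b in der_children(certs) if t == 0x30]

def cert_modulus(cert_der: bytes) -> int:
    """Certificate -> tbsCertificate -> SubjectPublicKeyInfo -> RSA modulus."""
    tbs = der_children(der_read(cert_der)[1])[0][1]
    for tag, body in der_children(tbs):
        kids = der_children(body) if tag == 0x30 else []
        # SPKI is the SEQUENCE shaped { AlgorithmIdentifier(rsaEncryption), BIT STRING }
        if len(kids) == 2 and kids[1][0] == 0x03 and kids[0][1].startswith(RSA_OID):
            rsa_pub = der_read(kids[1][1][1:])[1]              # skip the unused-bits byte
            return int.from_bytes(der_children(rsa_pub)[0][1], "big")
    raise ValueError("no RSA SubjectPublicKeyInfo in certificate")

def key_modulus(key_der: bytes) -> int:
    """RSA modulus from a PKCS#8 PrivateKeyInfo or a bare PKCS#1 RSAPrivateKey."""
    kids = der_children(der_read(key_der)[1])
    if len(kids) >= 3 and kids[2][0] == 0x04 and kids[1][1].startswith(RSA_OID):
        kids = der_children(der_read(kids[2][1])[1])           # unwrap the OCTET STRING
    if len(kids) < 9 or any(t != 0x02 for t, _ in kids[:9]):
        raise ValueError("not an RSA private key")
    return int.from_bytes(kids[1][1], "big")                   # version, n, e, d, ...

def keys_match(cert_der: bytes, key_der: bytes) -> bool:
    """The check the guide performs by comparing the two -modulus hashes."""
    return cert_modulus(cert_der) == key_modulus(key_der)

def constructed_pair(p: int, q: int, e: int, d: int):
    """Certificate-shaped DER plus PKCS#8 key from toy RSA values (constructed
    test data, far too small for real use; the signature bits are dummies)."""
    n = p * q
    alg_rsa = der(0x30, RSA_OID + b"\x05\x00")
    spki = der(0x30, alg_rsa + der(0x03, b"\x00" + der(0x30, der_int(n) + der_int(e))))
    name = der(0x30, der(0x31, der(0x30, bytes.fromhex("0603550403") + der(0x13, b"example"))))
    sig_alg = der(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")  # sha256WithRSA
    validity = der(0x30, der(0x17, b"240101000000Z") + der(0x17, b"250101000000Z"))
    tbs = der(0x30, der(0xA0, der_int(2)) + der_int(1) + sig_alg + name + validity + name + spki)
    cert = der(0x30, tbs + sig_alg + der(0x03, b"\x00" * 9))
    parts = (0, n, e, d, p, q, d % (p - 1), d % (q - 1), pow(q, -1, p))
    key = der(0x30, der_int(0) + alg_rsa + der(0x04, der(0x30, b"".join(map(der_int, parts)))))
    return cert, key

def build_p7b(certs) -> bytes:
    """Degenerate SignedData holding only certificates, as crl2pkcs7 -nocrl emits."""
    sd = der(0x30, der_int(1) + der(0x31, b"") + der(0x30, DATA_OID)
             + der(0xA0, b"".join(certs)) + der(0x31, b""))
    return der(0x30, SIGNED_DATA_OID + der(0xA0, sd))

if __name__ == "__main__":
    cert, key = constructed_pair(61, 53, 17, 2753)       # toy RSA: n = 3233
    _, other_key = constructed_pair(47, 59, 17, 157)     # an unrelated toy key
    leaf = p7b_certificates(build_p7b([cert]))[0]
    print("certificate modulus:", cert_modulus(leaf))     # 3233
    print("matches own key:", keys_match(leaf, key))      # True
    print("matches other key:", keys_match(leaf, other_key))  # False
```

A mismatch from keys_match means exactly what the troubleshooting entry below describes: the key file is not the one whose CSR was submitted to the CA. For ECDSA certificates there is no modulus to compare, so the equivalent check is on the encoded public key itself, as the note above indicates.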
Troubleshooting
openssl pkcs12: Error outputting keys and certificates
Wrong PFX password. Re-run and enter the correct password when prompted. If you do not know the password the PFX cannot be decrypted — you will need to regenerate the certificate and create a new PFX.
IIS import fails: 'The password you entered is incorrect'
IIS requires the PFX to have a non-empty password. When openssl pkcs12 -export prompts for an export password, set one. An empty (blank) password causes this error.
PFX imported in IIS but browser still shows certificate error or incomplete chain
The CA chain was not included when the PFX was built. Rebuild with -certfile ca-bundle.crt added to the openssl pkcs12 -export command, then delete and re-import the certificate binding in IIS.
openssl pkcs12: Unknown PBE algorithm — or IIS / Java rejects an OpenSSL 3.x PFX
OpenSSL 3.x defaults to AES-256-CBC encryption which older Windows Server or Java versions do not support. Add -legacy -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES when exporting to use the backward-compatible cipher suite.
nginx: [emerg] SSL_CTX_use_certificate_file() failed — no certificate or ciphers
Nginx received a binary (DER or PFX) file instead of PEM. Convert to PEM first and confirm the file starts with -----BEGIN CERTIFICATE-----.
Certificate and private key do not match
The MD5 modulus hashes differ. You used the wrong .key file or extracted the wrong object from the PFX. Recheck which CSR was submitted to the CA and locate the private key generated at the same time.
Related tools and guides
Need to convert right now? My-SSL's free Certificate Converter handles PEM ↔ PFX ↔ DER ↔ P7B in your browser — no software to install and nothing is uploaded to any server.