All Products
Search
Document Center

:Convert certificates to PEM format

Last Updated:May 29, 2026

Anti-DDoS Pro and Anti-DDoS Premium require SSL/TLS certificates in PEM format. Convert your CER, CRT, PFX, P7B, or DER certificates to PEM using the methods below.

Quick reference

Supported conversion types and required tools:

Source format Tool required Method
CER/CRT (PEM-encoded) None Rename the file extension to .pem
PFX (PKCS#12) OpenSSL Extract the certificate and private key with openssl pkcs12
P7B (PKCS#7) OpenSSL Convert with openssl pkcs7, then clean up and rename
DER OpenSSL Convert with openssl x509 and openssl rsa

Prerequisites

Ensure the following:

  • OpenSSL installed on your local machine

  • The certificate file you want to convert

  • The certificate file password (if applicable, for example PFX files)

PEM format overview

PEM stores certificate data as Base64-encoded text between header and footer lines:

-----BEGIN CERTIFICATE-----
Base64-encoded certificate data
-----END CERTIFICATE-----

PEM files typically use the .pem extension.

Convert CER or CRT certificates

CER and CRT files are typically PEM-encoded. If so, rename the extension to .pem.

For example, rename server.crt to server.pem.

On Windows, .cer files are often DER-encoded (binary). If renaming fails, follow Convert DER certificates.

Convert PFX (PKCS#12) certificates

PFX (PKCS#12) is a binary format that bundles the certificate and private key into one file. It is commonly used on Windows servers.

Extract the private key

openssl pkcs12 -in <cert-name>.pfx -nocerts -out key.pem -nodes
Parameter Description
<cert-name>.pfx The PFX certificate file to convert
key.pem The output private key file

Extract the certificate

openssl pkcs12 -in <cert-name>.pfx -nokeys -out cert.pem
Parameter Description
<cert-name>.pfx The PFX certificate file to convert
cert.pem The output certificate file

Extract both the certificate and private key

openssl pkcs12 -in <cert-name>.pfx -nodes -out all.pem
Parameter Description
<cert-name>.pfx The PFX certificate file to convert
all.pem A single file that contains both the certificate and private key
OpenSSL prompts for the PFX password during conversion. Enter the password set when the PFX file was created.

Convert P7B (PKCS#7) certificates

P7B (PKCS#7) is a format used on Windows servers and Apache Tomcat. P7B files contain the certificate and certificate chain but not the private key.

  1. Convert the P7B file to a CER file:

    Parameter Description
    <cert-name>.p7b The P7B certificate file to convert
    <cert-name>.cer The output certificate file
       openssl pkcs7 -print_certs -in <cert-name>.p7b -out <cert-name>.cer
  2. Open the CER file in a text editor and keep only the content between the certificate markers:

       -----BEGIN CERTIFICATE-----
       MIIE5zCCA8+gAwIBAgIQN+whYc2BgzAogau0dc3PtzANBgkqh......
       -----END CERTIFICATE-----
  3. Save the file with a .pem file extension.

Convert DER certificates

DER is a binary-encoded certificate format commonly used on Java platforms.

Convert a DER-encoded certificate

openssl x509 -inform der -in certificate.der -out certificate.pem
Parameter Description
certificate.der The DER-encoded certificate file
certificate.pem The output PEM certificate file

Convert a DER-encoded private key

openssl rsa -inform DER -outform PEM -in privatekey.der -out privatekey.pem
Parameter Description
privatekey.der The DER-encoded private key file
privatekey.pem The output PEM private key file
Replace the file names in these commands with your actual file names.

References

Applicable products

  • Anti-DDoS Pro or Anti-DDoS Premium

  • SSL Certificates Service