Why So Many Formats?
SSL certificates are just data -- a public key, identity information, a signature. But different systems expect that data in different containers. The certificate is the same; the packaging changes.
Here's what you'll encounter and when.
PEM (Privacy Enhanced Mail)
File extensions: .pem, .crt, .cer, .key
The most common format. It's Base64-encoded DER with header and footer lines.
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJALMFxYvGRlz5MA0GCSqGSIb3DqEBCwUAMEUxCzAJBgNV
BAYTAlVTMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
... (base64 data) ...
-----END CERTIFICATE-----
Used by: nginx, Apache, most Linux tools, Python, Node.js, Go
Key facts:
- Human-readable (you can open it in a text editor)
- Can contain multiple certificates (just concatenate them for a chain file)
- Private keys use -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY-----
- CSRs use -----BEGIN CERTIFICATE REQUEST-----
When you generate a certificate at getaCert.com, the .pem file is this format.
DER (Distinguished Encoding Rules)
File extensions: .der, .cer, .crt
Binary format. The raw ASN.1 data without Base64 encoding.
Used by: Java, Windows, some embedded systems
Key facts:
- Not human-readable (binary)
- Can only contain a single certificate (no chaining)
- Smaller than PEM (no Base64 overhead)
- Windows often defaults to DER when you double-click a .cer file
PKCS#12 / PFX
File extensions: .p12, .pfx
A binary container that bundles the certificate, private key, and optionally the CA chain into a single password-protected file.
Used by: Windows/IIS, Java keystores, macOS Keychain, browser imports
Key facts:
- Password-protected (the private key is encrypted inside)
- Contains everything in one file -- convenient for distribution
- .pfx and .p12 are the same format (PFX is Microsoft's name for it)
- getaCert.com provides .p12 downloads with every certificate
PKCS#7 / P7B
File extensions: .p7b, .p7c
Contains certificates and chain certificates but not the private key. Base64-encoded.
-----BEGIN PKCS7-----
... (base64 data) ...
-----END PKCS7-----
Used by: Windows, Java, certificate chain distribution
Key facts:
- No private key -- just certificates
- Can contain the full chain (leaf + intermediates + root)
- Common when downloading certificates from CAs like DigiCert or Sectigo
JKS (Java KeyStore)
File extensions: .jks, .keystore
Java's proprietary keystore format. Password-protected, contains certificates and private keys.
Used by: Java applications (Tomcat, Spring Boot, Android)
Key facts:
- Being replaced by PKCS#12 (Java 9+ defaults to PKCS#12 keystores)
- Managed with the keytool command
- If you're starting a new project, use PKCS#12 instead
Converting Between Formats
PEM to DER
openssl x509 -in cert.pem -outform DER -out cert.der
DER to PEM
openssl x509 -in cert.der -inform DER -outform PEM -out cert.pem
PEM to PKCS#12
Bundle your cert and key into a .p12 file:
openssl pkcs12 -export -out cert.p12 \
-inkey private.key \
-in cert.pem \
-certfile chain.pem
PKCS#12 to PEM
Extract everything from a .p12 file:
# Certificate only
openssl pkcs12 -in cert.p12 -clcerts -nokeys -out cert.pem
# Private key only (-nodes writes the key unencrypted; restrict permissions on key.pem)
openssl pkcs12 -in cert.p12 -nocerts -nodes -out key.pem
# CA chain only
openssl pkcs12 -in cert.p12 -cacerts -nokeys -out chain.pem
PEM to PKCS#7
openssl crl2pkcs7 -nocrl -certfile cert.pem -certfile chain.pem -out cert.p7b
PKCS#7 to PEM
openssl pkcs7 -in cert.p7b -print_certs -out certs.pem
PKCS#12 to JKS
keytool -importkeystore \
-srckeystore cert.p12 -srcstoretype PKCS12 \
-destkeystore keystore.jks -deststoretype JKS
How to Identify a File's Format
Not sure what format your certificate file is? Try these:
# Check if it's PEM (text file with headers)
head -1 cert.pem
# Shows: -----BEGIN CERTIFICATE-----
# Try to read as PEM
openssl x509 -in mystery.crt -text -noout
# If that fails, try DER
openssl x509 -in mystery.crt -inform DER -text -noout
# Try PKCS#12
openssl pkcs12 -in mystery.p12 -info
# Try PKCS#7
openssl pkcs7 -in mystery.p7b -print_certs
Or paste the certificate contents into our decoder -- it handles PEM format automatically.
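The same identification can be done from a file's leading bytes without running OpenSSL. The Python sketch below is an added example, not code from getaCert.com; it also recognizes JKS and binary PKCS#7, which the commands above do not cover, and it flags PEM bundles that contain a private key. The function names and sample bytes are constructed for illustration.

```python
import re

PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")   # PEM header label
PKCS7_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")  # OID 1.2.840.113549.1.7.2

def _first_tlv(data):
    """Return (tag, offset of contents) of the leading ASN.1 TLV, or None."""
    if len(data) < 2:
        return None
    if data[1] < 0x80:                 # short-form length
        return data[0], 2
    n = data[1] & 0x7F                 # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:
        return None
    return data[0], 2 + n

def identify(data):
    """Classify certificate-file bytes as (format, detail)."""
    labels = [m.decode() for m in PEM_BLOCK.findall(data)]
    if labels == ["PKCS7"]:
        return "PKCS#7", "Base64 with PEM headers"
    if labels:
        key = any(label.endswith("PRIVATE KEY") for label in labels)
        return "PEM", ", ".join(labels) + (" [contains private key]" if key else "")
    if data[:4] == b"\xfe\xed\xfe\xed":            # JKS magic number
        return "JKS", "Java KeyStore"
    outer = _first_tlv(data)
    if outer is None or outer[0] != 0x30:          # DER files start with SEQUENCE
        return "unknown", ""
    inner = data[outer[1]:]
    if inner[:3] == b"\x02\x01\x03":               # PFX version INTEGER 3
        return "PKCS#12", "binary"
    if inner.startswith(PKCS7_SIGNED_DATA):
        return "PKCS#7", "binary (DER)"
    if inner[:1] == b"\x30":                       # nested SEQUENCE (tbsCertificate)
        return "DER", "certificate-shaped; confirm with openssl x509 -inform DER"
    return "unknown", "DER data of another type"

# Constructed samples: leading bytes only, not complete files.
SAMPLES = {
    "bundle.pem": b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
                  b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
    "cert.der": bytes.fromhex("3082035d30820245a003020102"),
    "cert.p12": bytes.fromhex("30820a00020103308209c6"),
    "keystore.jks": bytes.fromhex("feedfeed00000002"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", identify(blob))
```

The "contains private key" flag is worth checking before a PEM bundle is shared as a chain file, since concatenation makes it easy to include the key by accident.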
Quick Reference
| Format | Binary? | Contains Key? | Password? | Primary Use |
|---|---|---|---|---|
| PEM | No | Separate file | No | Linux, nginx, Apache |
| DER | Yes | Separate file | No | Java, Windows |
| PKCS#12 | Yes | Yes | Yes | Windows, Java, distribution |
| PKCS#7 | No | No | No | Chain distribution |
| JKS | Yes | Yes | Yes | Legacy Java |
Next Steps
- Generate a certificate in PEM and PKCS#12 format
- Decode a certificate to inspect its contents
- Learn about key types (RSA vs ECDSA)