1. Introduction

Certificates are a way to verify the identity of a given entity. They can also be used for both confidentiality and integrity. Because of these important features, certificates are part of many systems and different toolsets can generate them. Thus, we may end up with certificates for different purposes and in different formats.

In this tutorial, we talk about standard ways to convert between two of the most common certificate formats: .cer and .crt. First, we look at one of the main base standards for certificate formatting. Next, we explore a basic improvement to that format. After that, we turn to different file extensions for certificate files. Finally, we check ways to convert between different certificate encodings.

We tested the code in this tutorial on Debian 12 (Bookworm) with GNU Bash 5.2.15. It should work in most POSIX-compliant environments unless otherwise specified.

2. ASN.1 (Abstract Syntax Notation 1)

As defined by X.680: Information technology – Abstract Syntax Notation One (ASN.1), ASN.1 (Abstract Syntax Notation 1) is a standard language for interface description that can define data structures for serialization and deserialization.

ASN.1 structures can be encoded in different ways, as specified by X.690: Information technology – ASN.1 encoding rules:

  • BER (Basic Encoding Rules): most flexible and broad, providing different ways to encode the same data
  • CER (Canonical Encoding Rules): more conservative variant of BER, selecting just one encoding
  • DER (Distinguished Encoding Rules): more conservative variant of BER that also drops one option

Each of these possibilities converts the output to binary data. This is critical, as decoders may only be able to handle one or another format.

3. PEM (Privacy-Enhanced Mail) Certificates

The Privacy-Enhanced Mail (PEM) format can store different types of data such as keys and certificates. Its main feature is the data encoding, which makes binary data from BER, CER, DER, and similar formats more easily transferable.

In practice, PEM achieves this in a fairly simple manner:

  • encode data in Base64
  • surround data with a -----BEGIN <LABEL>----- header and -----END <LABEL>----- footer

Here, LABEL can reference the actual data type such as PRIVATE KEY, CERTIFICATE, and similar.

Often, PEM keys have the .key suffix. On the other hand, common extensions for PEM certificate files include .pem, .cer, and .crt.

4. .cer and .crt Files

Critically, as is often the case in Linux, the extension doesn’t guarantee the file or data type.

Still, two very common certificate file suffixes are .cer and .crt. Both adhere to the X.509 standard as defined by RFC 5280 – Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.

The .cer extension usually indicates X.509 certificates in one of two forms:

  • binary
  • Base64 with header and footer

Either way, a .cer file can store the owner, public key, certificates, and more:

$ cat sni.cloudflaressl.com.cer
-----BEGIN CERTIFICATE-----
MIIFODCCBN6gAwIBAgIQDH4V4krgN6I1AXM6KK4EejAKBggqhkjOPQQDAjBKMQsw
CQYDVQQGEwJVUzEZMBcGA1UEChMQQ2xvdWRmbGFyZSwgSW5jLjEgMB4GA1UEAxMX
Q2xvdWRmbGFyZSBJbmMgRUNDIENBLTMwHhcNMjMwNTA2MDAwMDAwWhcNMjQwNTA0
[...]
EyS0XLX42vGTwW2JAEuMNBAuMAIhAMHxYv5OfGR7ubncsPlowXp5a7aXupSgTZCc
ffO/WRQOMAoGCCqGSM49BAMCA0gAMEUCIA0dE12AmZGxaJQAV3abPXoKNmDEaV+P
eV/3s+Lt5BhaAiEA4fhDV/2y79b8GQD+pZwaQfjbP04Rc6pcyGJtXIvVbMo=
-----END CERTIFICATE-----

In this case, we see the Baeldung.com SSL certificate as acquired through a Web browser. It uses the Base64 format.

Yet, this can be a .cer or .crt file, as the same characteristics apply to both. Furthermore, there are a number of other certificate extensions:

  • .pfx and .p12 are often in the Microsoft PFX Personal Information Exchange format (PKCS #12)
  • .p7b, .p7r, and .spc use the Cryptographic Message Syntax (CMS) format
  • .der is usually DER-encoded
  • .crt is commonly Base64
  • .cer can be binary or Base64

So, what’s the difference between the last two?

In fact, apart from the extension, there is no difference between .crt and .cer files.

5. Convert Between .cer and .crt

Since extensions aren’t of much consequence in Linux, both .cer and .crt files can contain a certificate with any encoding. Moreover, even assuming we have an X.509 certificate, there are still different possible encodings.

Still, some software packages use only binary, others employ Base64, while still others can handle both. For example, Microsoft Windows can export either and uses the .cer extension.

So, let’s look at ways to convert between the binary and Base64 forms of the certificate.

5.1. Binary to Base64 Plain Text

OpenSSL understands X.509 via its x509 subcommand, but it exports Base64 by default. So, passing it a DER-encoded certificate as conversion input will produce PEM:

$ openssl x509 -in inputCertificateDER.cer -out outputCertificateBase64.crt
$ file --mime-type inputCertificateDER.cer
inputCertificateDER.cer: application/octet-stream
$ file --mime-type outputCertificateBase64.crt
outputCertificateBase64.crt: text/plain

As we can see, the openssl utility converted the binary [-in]put certificate to the given Base64 plain-text [-out]put format as verified by the file command.

Actually, we can be more explicit via the -outform output format option:

$ openssl x509 -in inputCertificateDER.cer -outform PEM -out outputCertificateBase64.crt

This way, we ensure the result is in Base64.

5.2. Base64 Plain Text to Binary

On the other hand, we can convert a PEM certificate to DER by also using the relevant -outform option:

$ openssl x509 -in inputCertificateBase64.crt -outform der -out outputCertificateDER.cer
$ file --mime-type inputCertificateBase64.crt
inputCertificateBase64.crt: text/plain
$ file --mime-type outputCertificateDER.cer
outputCertificateDER.cer: application/octet-stream

At this point, we have a binary DER output certificate.

Notably, there is no cer option and the file suffixes aren’t of consequence.
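
Since the suffix tells us nothing reliable, a script that handles certificates should look at the content instead. The following added example (not part of the original tutorial) classifies a file by its first bytes and performs the PEM steps from section 3 with base64 alone. The function names are hypothetical, and the 0x30 check is a heuristic for the ASN.1 SEQUENCE tag, not a full parse:

```shell
#!/bin/sh
# Added example: treat certificate files by content, not by .cer/.crt suffix.
# Function names are hypothetical; assumes GNU coreutils (base64 -w).

# Print "pem", "der" or "unknown" for the file given as $1.
cert_encoding() {
    if grep -q -- '^-----BEGIN CERTIFICATE-----' "$1"; then
        # A PEM file may carry text before the header, so search every line.
        echo pem
    elif [ "$(head -c 1 "$1" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        # A DER certificate is an ASN.1 SEQUENCE, whose tag byte is 0x30.
        echo der
    else
        echo unknown
    fi
}

# DER -> PEM: Base64 in 64-character lines between header and footer.
der_to_pem() {
    echo '-----BEGIN CERTIFICATE-----'
    base64 -w 64 "$1"
    echo '-----END CERTIFICATE-----'
}

# PEM -> DER: keep the lines between the markers, drop the markers
# and any CR from Windows exports, then decode the Base64 body.
pem_to_der() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" |
        grep -v '^-----' | tr -d '\r' | base64 -d
}

# Emit PEM whatever the input encoding; fail on anything unrecognized.
to_pem() {
    case "$(cert_encoding "$1")" in
        pem) sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" | tr -d '\r' ;;
        der) der_to_pem "$1" ;;
        *)   echo "unrecognized certificate encoding: $1" >&2; return 1 ;;
    esac
}
```

These functions only handle the armor and the leading tag byte. Parsing the file with openssl x509 -in FILE -noout remains the way to confirm it is a well-formed certificate.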

6. Summary

In this article, we looked at certificate formats and the .cer and .crt certificate suffixes.

In conclusion, although extensions aren’t usually relevant when it comes to certificates, we can still switch between different formats and use them as hints in the process.
