(SSL)How to convert .der file to .cer file?
I followed How To: DER vs CRT vs CER vs PEM Certificates and How to Convert Them, wanting to understand how to set up SSL, but I cannot find a good reference for it.
On my server, I have paid certificates, not self-signed ones, and I want to enable SSL in my apache2 server; within 000-default.conf, I need to insert the .cer file path:
SSLCertificateFile /ets/ssl/example.pl.crt
SSLCertificateKeyFile /etc/ssl/example.keyAs I understand it, .der is an encrypted .cer file; should I convert a .der to .cer, or is my thinking wrong?
1 Answer
Futuire visitors: Note that although all X.509 certificates are DER, not all DER files are X.509 – plenty of other non-certificate things use DER as well. This thread is strictly about X.509 certificates and not about any other data type.
X.509 certificates are always in DER format, but they're generally stored in two ways:
- Raw binary DER (usual extensions:
.der,.cer) - Textual, Base64-encoded DER, sometimes called "PEM" (usual extensions:
.crt,.pem)
Note that the extensions aren't really set in stone – .cer might be textual, .crt might be binary, and so on. You have to actually look inside.
(There is no encryption involved; the certificate is public information.)
To convert one certificate from binary to textual format, you can use:
openssl x509 -in mycert.der -inform DER -out mycert.pem
# both -inform and -outform default to "PEM" if not specified otherwiseOr since it's just Base64,
(echo "-----BEGIN CERTIFICATE-----"; base64 < mycert.der; echo "-----END CERTIFICATE-----") > mycert.pemHowever, whichever way you use, don't forget to add the certificate chain (the "issuer" or "intermediate" certs obtained from your CA) to the same PEM file. Most software expects it all in a single file, although Apache used to use a separate SSLCertificateChainFile option in v2.2.x.
3
