SSL Certificate Types Explained: PEM, DER, PKCS12, and More

SSL Certificate Formats

SSL/TLS certificates can be stored in several different file formats. Understanding the differences is essential when configuring web servers, load balancers, and application servers. The same certificate can exist in multiple formats — they contain the same information, just encoded differently.

PEM Format

PEM (Privacy Enhanced Mail) is the most common certificate format on Linux and Unix systems. It is Base64 encoded DER data wrapped between header and footer lines.

-----BEGIN CERTIFICATE-----
MIIDzTCCArWgAwIBAgIQCjeHZIR4...
(Base64 encoded data)
-----END CERTIFICATE-----

• File extensions: .pem, .crt, .cer, .key
• Used by: Nginx, Apache, Node.js, OpenSSL, Let's Encrypt
• Human readable: Yes (Base64 text)
• Can contain multiple certificates in one file (certificate chain)

DER Format

DER (Distinguished Encoding Rules) is the binary encoding of a certificate. PEM is just DER data that has been Base64 encoded.

• File extensions: .der, .cer
• Used by: Java applications, Android, Windows (sometimes)
• Human readable: No (binary)
• Smaller file size than PEM

PKCS#12 / PFX Format

PKCS#12 (PFX) is an archive format that can store a certificate, its private key, and the entire certificate chain in a single password-protected file.

• File extensions: .pfx, .p12
• Used by: Windows IIS, Azure, AWS, Java keystores
• Password protected: Yes
• Contains: Certificate + private key + chain (all in one file)

PKCS#8 Format

PKCS#8 is a standard syntax for storing private key information. It can store RSA, DSA, EC, and other key types, optionally encrypted with a passphrase.

-----BEGIN PRIVATE KEY-----        (unencrypted)
-----BEGIN ENCRYPTED PRIVATE KEY-- (encrypted)
-----END PRIVATE KEY-----

Format Conversion Commands