SSL certificates and private keys can be stored in several file formats. The content is the same — it’s the encoding and packaging that differs. Most confusion comes from needing a specific format for your server.
Format comparison
| Format | Extension | Encoding | Contains | Used by |
|---|---|---|---|---|
| PEM | .pem, .crt, .cer, .key | Base64 (text) | Cert, key, CSR, or several certs concatenated (a chain) | Nginx, Apache, most Linux servers |
| DER | .der, .cer | Binary | Single cert or key | Java, some Windows apps |
| PFX/PKCS#12 | .pfx, .p12 | Binary | Cert + key + chain in one file | Windows IIS, Azure, macOS Keychain |
PEM — the most common format
PEM (Privacy Enhanced Mail) is the DER bytes base64-encoded and wrapped between BEGIN/END lines, so you can open it in a text editor:
-----BEGIN CERTIFICATE-----
MIIFYjCCBEqgAwIBAgISA8ht...
(base64 encoded data)
-----END CERTIFICATE-----
PEM files can contain certificates, private keys, certificate requests, or several of these one after another (fullchain.pem is two or more certificates in one file). The label in each header tells you what that block is:
- BEGIN CERTIFICATE: a certificate
- BEGIN PRIVATE KEY: a private key in PKCS#8 form; older OpenSSL output uses BEGIN RSA PRIVATE KEY (PKCS#1) or BEGIN EC PRIVATE KEY (SEC1) for the same kind of key
- BEGIN ENCRYPTED PRIVATE KEY: a PKCS#8 private key protected by a passphrase
- BEGIN CERTIFICATE REQUEST: a CSR
GetHTTPS outputs PEM format: privkey.pem, cert.pem, chain.pem, fullchain.pem. Only privkey.pem is secret and should be readable by the server process alone; the other three are public certificates.
DER — binary encoding
DER is the raw binary (ASN.1) encoding of the same structures; a PEM file is just that DER run through base64 with header and footer lines, so converting between the two needs no password and no private key. DER is not human-readable. It is used primarily by Java applications (keytool) and some Windows components, and is what a .cer file exported from Windows often contains.
PFX/PKCS#12 — bundled format
PFX (Personal Information Exchange, the PKCS#12 container) bundles the certificate, private key, and chain into a single file in which the private key is encrypted under a password. Windows IIS, Azure App Service, and macOS Keychain expect this format when importing a certificate together with its private key. Because the file carries the private key, treat the .pfx and its password as secrets: use a strong password, send it separately from the file, and delete the file once it has been imported.
Converting between formats
All conversions use OpenSSL:
PEM → PFX
openssl pkcs12 -export \
-out certificate.pfx \
-inkey privkey.pem \
-in cert.pem \
-certfile chain.pem
You’ll be prompted to set an export password; the private key inside the file is encrypted under it, so choose a strong one and hand it to whoever imports the file out of band rather than alongside it. OpenSSL 3 encrypts the bundle with AES-256-CBC and PBKDF2 by default, which some older Windows releases cannot read (the import fails with a wrong-password error even though the password is right); re-run the export with the -legacy option to produce a file those systems accept.
PFX → PEM
# Extract certificate
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out cert.pem
# Extract private key (-nodes writes it unencrypted to disk; restrict it with chmod 600 before use)
openssl pkcs12 -in certificate.pfx -nocerts -nodes -out privkey.pem
# Extract chain
openssl pkcs12 -in certificate.pfx -cacerts -nokeys -out chain.pem
PEM → DER
openssl x509 -in cert.pem -outform DER -out cert.der
DER → PEM
openssl x509 -in cert.der -inform DER -outform PEM -out cert.pem
Which format do I need?
| Server/Platform | Format | Files needed |
|---|---|---|
| Nginx | PEM | fullchain.pem + privkey.pem |
| Apache | PEM | cert.pem + chain.pem + privkey.pem (Apache 2.4.8 and later can take fullchain.pem in SSLCertificateFile instead) |
| IIS (Windows) | PFX | certificate.pfx (convert from PEM) |
| Azure App Service | PFX | certificate.pfx |
| AWS (ACM) | PEM | cert.pem + chain.pem + privkey.pem (paste into console) |
| Java (Tomcat) | PKCS#12 or JKS | Convert PEM → PFX; Java 9+ and current Tomcat read PKCS#12 directly, so convert on to JKS with keytool only for older stacks |
| Node.js | PEM | Read files directly in code |
How to identify a file’s format
Not sure what format a file is? Check:
# If it starts with "-----BEGIN" — it's PEM (base64 text)
head -1 mystery-file.pem
# If it's binary (garbled text), it's DER or PFX; "file" only gives a hint
file mystery-file.cer
# "file" may report a DER certificate as just "data", so confirm with openssl:
# a DER certificate parses with -inform DER (below), while a PFX does not and
# instead prompts for its password when opened with "openssl pkcs12"
# Inspect a PEM certificate
openssl x509 -in cert.pem -noout -text
# Inspect a DER certificate
openssl x509 -in cert.der -inform DER -noout -text
# Inspect a PFX file
openssl pkcs12 -in cert.pfx -info -nokeys
Common file extension confusion
| Extension | Usually means | But could be |
|---|---|---|
| .pem | PEM (base64) | Always PEM |
| .crt | PEM certificate | DER on Windows |
| .cer | PEM certificate | DER on Windows |
| .key | PEM private key | DER (rare) |
| .pfx | PKCS#12 bundle | Always PFX |
| .p12 | PKCS#12 bundle | Always PFX (same as .pfx) |
| .der | DER (binary) | Always DER |
| .jks | Java KeyStore | Always JKS |
Rule of thumb: Open the file in a text editor. If you see -----BEGIN CERTIFICATE-----, it’s PEM regardless of the extension. If you see binary garbage, it’s DER or PFX.
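The header-label list in the PEM section and the identification commands above both go by what a file claims to be. The following is an added example, not code from GetHTTPS or from the original page, that identifies a file by the ASN.1 structure of its bytes instead: it finds PEM blocks by their BEGIN/END markers, decodes each block's base64 to DER, and names the DER structure (certificate, CSR, PKCS#8/PKCS#1/SEC1 private key, PKCS#12 bundle) from its outer shape, which also flags a private key that has been dropped into a file labelled CERTIFICATE. It includes the PEM ↔ DER conversion from the conversion section, which is only base64 plus 64-column line wrapping. It uses the Python standard library only; `SAMPLES` are constructed skeletons with the outer shape of real files, not valid keys or certificates, and the shape checks are heuristics rather than a full X.509 parser.

```python
"""Sniff certificate/key files by ASN.1 shape, and convert PEM <-> DER.
Standard library only. SAMPLES are constructed skeletons, not real keys or certs."""
import base64
import re
import sys

# Universal DER tags the classifier keys on; CTX0 is the [0] EXPLICIT version of a v3 tbsCertificate
SEQUENCE, SET, INTEGER, BIT_STRING, OCTET_STRING, OID, PRINTABLE, CTX0 = (
    0x30, 0x31, 0x02, 0x03, 0x04, 0x06, 0x13, 0xA0)
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def der_read(data: bytes, pos: int = 0):
    """Read one TLV at pos; return (tag, content, end). ValueError if malformed."""
    if pos + 2 > len(data):
        raise ValueError("truncated")
    tag, first, pos = data[pos], data[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(data):
            raise ValueError("bad length")
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    if pos + length > len(data):
        raise ValueError("truncated")
    return tag, data[pos:pos + length], pos + length

def der_children(content: bytes):
    """Split a constructed value's content into its (tag, content) elements."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        out.append((tag, body))
    return out

def _shape(data: bytes) -> str:
    tag, body, end = der_read(data)
    if tag != SEQUENCE or end != len(data):
        return "not DER"
    kids = der_children(body)
    tags = [t for t, _ in kids]
    # Certificate and CSR share SEQUENCE { SEQUENCE tbs, SEQUENCE sigAlg, BIT STRING signature }
    if tags[:3] == [SEQUENCE, SEQUENCE, BIT_STRING]:
        tbs = der_children(kids[0][1])
        if tbs and tbs[0][0] == CTX0:
            return "X.509 certificate (v3)"
        if len(tbs) >= 2 and tbs[0][0] == INTEGER and tbs[1][0] == SEQUENCE:
            # v1 cert: serial, then AlgorithmIdentifier {OID ...}; CSR: version 0, then Name {SET ...}
            inner = der_children(tbs[1][1])
            return "X.509 certificate (v1)" if inner and inner[0][0] == OID else "PKCS#10 certificate request"
        return "signed ASN.1 structure"
    if tags[:2] == [INTEGER, SEQUENCE] and kids[0][1] == b"\x03":
        return "PKCS#12 (PFX) bundle"            # PFX ::= SEQUENCE { version 3, authSafe, [macData] }
    if tags[:3] == [INTEGER, SEQUENCE, OCTET_STRING] and kids[0][1] == b"\x00":
        return "PKCS#8 private key (unencrypted)"
    if tags[:2] == [SEQUENCE, OCTET_STRING]:
        return "PKCS#8 private key (encrypted)"   # EncryptedPrivateKeyInfo { algId, OCTET STRING }
    if tags[:2] == [INTEGER, INTEGER] and kids[0][1] == b"\x00":
        return "PKCS#1 RSA private key"           # the body behind BEGIN RSA PRIVATE KEY
    if tags[:2] == [INTEGER, OCTET_STRING] and kids[0][1] == b"\x01":
        return "SEC1 EC private key"              # the body behind BEGIN EC PRIVATE KEY
    return "unrecognised DER SEQUENCE"

def classify_der(data: bytes) -> str:
    """Name the structure in a DER blob from its outer shape (heuristic, not a full parser)."""
    try:
        return _shape(data)
    except ValueError:
        return "not DER"

def pem_to_der(pem: bytes) -> bytes:
    """Decode the first PEM block to DER, skipping the "Key: value" header lines that
    legacy OpenSSL-encrypted keys carry, and rejecting bodies that are not base64."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no PEM block")
    lines = [ln.strip() for ln in m.group(2).splitlines() if ln.strip() and b":" not in ln]
    return base64.b64decode(b"".join(lines), validate=True)

def der_to_pem(label: str, der: bytes) -> bytes:
    """Wrap DER as PEM: base64 in 64-column lines between BEGIN/END markers (RFC 7468)."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label.encode(), body, label.encode())

def classify(data: bytes):
    """Return (container, pem_label, content) triples for a file's bytes. Every PEM block is
    reported (fullchain.pem has several) and its decoded body is classified independently
    of the label it claims, so a mislabelled block stands out."""
    if b"-----BEGIN " not in data:
        return [("binary", None, classify_der(data))]
    out = []
    for m in PEM_RE.finditer(data):
        label = m.group(1).decode()
        if b"Proc-Type: 4,ENCRYPTED" in m.group(2):
            out.append(("PEM", label, "legacy OpenSSL-encrypted key (PEM headers)"))
            continue
        try:
            out.append(("PEM", label, classify_der(pem_to_der(m.group(0)))))
        except ValueError:
            out.append(("PEM", label, "undecodable base64"))
    return out or [("text", None, "BEGIN marker present but no complete PEM block")]

def tlv(tag: int, content: bytes) -> bytes:
    """Minimal DER TLV encoder, used only to build the constructed samples below."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else (b"\x81" + bytes([n]) if n < 0x100 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + content

_SIG_ALG = tlv(SEQUENCE, tlv(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSAEncryption
_NAME = tlv(SEQUENCE, tlv(SET, tlv(SEQUENCE, tlv(OID, b"\x55\x04\x03") + tlv(PRINTABLE, b"example"))))  # CN=example
_SIG = tlv(BIT_STRING, b"\x00" + bytes(8))
SAMPLES = {  # constructed skeletons: correct outer shape, placeholder contents
    "cert_v3": tlv(SEQUENCE, tlv(SEQUENCE, tlv(CTX0, tlv(INTEGER, b"\x02")) + tlv(INTEGER, b"\x01")) + _SIG_ALG + _SIG),
    "csr": tlv(SEQUENCE, tlv(SEQUENCE, tlv(INTEGER, b"\x00") + _NAME) + _SIG_ALG + _SIG),
    "pfx": tlv(SEQUENCE, tlv(INTEGER, b"\x03") + tlv(SEQUENCE, tlv(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x07\x01"))),
    "pkcs8": tlv(SEQUENCE, tlv(INTEGER, b"\x00") + tlv(SEQUENCE, tlv(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + tlv(0x05, b"")) + tlv(OCTET_STRING, b"\x30\x00")),
    "pkcs1": tlv(SEQUENCE, tlv(INTEGER, b"\x00") + tlv(INTEGER, b"\x01") + tlv(INTEGER, b"\x03")),
    "sec1": tlv(SEQUENCE, tlv(INTEGER, b"\x01") + tlv(OCTET_STRING, bytes(32))),
}

if __name__ == "__main__":  # usage: python sniff.py privkey.pem fullchain.pem mystery.cer
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            for container, label, what in classify(f.read()):
                print(f"{path}: {container} {label or ''} -> {what}")
```

Run it over the four GetHTTPS files and a Windows-exported .cer to see the difference between the label and the content: fullchain.pem reports two CERTIFICATE blocks, privkey.pem a PKCS#8 key, and a DER .cer is recognised as a certificate without any BEGIN line. The check that matters operationally is the mismatch case: a key pasted into a file labelled CERTIFICATE (or served from a path a web server exposes) is reported as a private key regardless of the label.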
Frequently asked questions
What’s the difference between .crt, .cer, and .pem?
They can all be PEM format. The extension is a naming convention, not a format indicator. .crt and .cer are commonly used for certificate files, .pem for any PEM-encoded file. On Windows, .cer files are sometimes DER-encoded — open in a text editor to check.
Why does GetHTTPS give me 4 files?
Maximum compatibility. GetHTTPS provides: privkey.pem (private key), cert.pem (your certificate only), chain.pem (the intermediate CA certificate or certificates), fullchain.pem (cert + chain combined). Nginx needs fullchain.pem; Apache needs separate cert.pem + chain.pem (or fullchain.pem on 2.4.8 and later); IIS needs PFX (convert from PEM).
How do I create a PFX for Windows/IIS?
Use the OpenSSL PEM → PFX command above. You’ll need privkey.pem, cert.pem, and chain.pem from GetHTTPS. The resulting .pfx can be imported into IIS, Azure App Service, or macOS Keychain.
Can I convert from one format to another without the private key?
You can convert the certificate between PEM and DER without the private key, since both are public data. But creating a PFX requires the private key (it bundles cert + key together). If you’ve lost your private key, no conversion can recover it: generate a new key pair and request a new certificate for it.
What format does Let’s Encrypt use?
Let’s Encrypt (via any ACME client including GetHTTPS) outputs PEM format. If you need a different format for your server, convert using the OpenSSL commands above.