https://www.sikich.com

SSL Certificate File Formats Explained

When working with SSL/TLS certificates, you’ll likely come across various file formats like .crt, .key, .pem, and more. With so many formats out there, it can get confusing understanding what each one is for and how they differ. In this post, we’ll break down the main SSL certificate file formats you’re likely to encounter. 

.pem Format 

PEM stands for Privacy Enhanced Mail, an early attempt at secure email that never really took off. The base64-encoded file format it used, however, lived on. A .pem file can hold a variety of cryptographic objects, including the certificate itself, the public key, the private key, and even the certificate signing request. 

On Apache servers, you’ll usually find just the public certificate stored in a .pem file in the /etc/ssl/certs directory. The private key lives separately in the /etc/ssl/private directory for security. The .pem files are basically just text files containing the base64-encoded certificate data defined in the X.509 standard. 

.der Format 

The .der format stands for Distinguished Encoding Rules. This is a binary format for encoding the same X.509 data as the text-based .pem files. You can convert between .pem and .der using OpenSSL tools. Windows often exports certificates in the .der format by default. 

.csr Format 

A .csr, or Certificate Signing Request, is typically encoded in the PKCS#10 format defined in RFC 2986. The file contains details such as the domain name, organization, and location, and it is this file that the Certificate Authority signs to produce the final SSL certificate. 

.pfx/.p12 Format 

Microsoft introduced the .pfx or .p12 file format, a password-protected container that bundles the private key and the public certificate together. The PKCS#12 format is now defined in RFC 7292. Unlike clear-text .pem files, the container is encrypted. 

.p7b Format 

Windows also uses the .p7b PKCS#7 format to exchange certificates with other platforms, such as Java keystores. Unlike .pem, this format has a defined way to include the full certificate chain from the root down. 

Other Formats 

Other common formats you’ll see are: 

  • .key: Just the private key. 
  • .cer or .crt: A Windows-friendly way to denote the .pem certificate. 
  • .crl: Certificate revocation lists issued by CAs. 

Practical Tips and Tools 

Converter tools like OpenSSL allow you to translate between these different formats as needed for your servers, devices, or applications. The most important things are to keep your private keys secure, use updated certificates from trusted CAs, and choose appropriate strong encryption algorithms and protocols. 
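The conversions this section mentions, and the formats described above (.key, .csr, .crt/.pem, .der, .pfx, .p7b), walked through end to end with the openssl command line. This is an added example and not part of the original post: a throwaway private CA created inside the script stands in for a commercial CA such as DigiCert, so the same CSR, signed certificate and PFX steps as the Personal Workflow section below can be run offline. It assumes an openssl 1.1 or 3.x binary on the PATH; the subject names, file names and the password changeit are constructed for the example, and everything is written to a temporary directory.

```shell
#!/bin/sh
# Added example, not code from the original post. Requires the openssl CLI (1.1 or 3.x).
# A throwaway CA created below stands in for a real CA; all names, file names
# and the password "changeit" are constructed for this example.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; exit 1; }

WORK="$(mktemp -d)"
PASS=changeit

# Step 1: private key (.key) and PKCS#10 certificate signing request (.csr), both PEM text.
make_key_and_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/server.key" 2>/dev/null
  openssl req -new -key "$WORK/server.key" -subj "/CN=example.test/O=Example Org" -out "$WORK/server.csr"
  # A CSR is self-signed with the requester's own key; -verify checks that signature.
  openssl req -in "$WORK/server.csr" -noout -verify >/dev/null 2>&1
}

# Step 2: the "CA" signs the request, producing the PEM certificate (.crt).
sign_with_test_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" -out "$WORK/ca.crt" \
    -subj "/CN=Example Test CA" -days 365 2>/dev/null
  openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/server.crt" 2>/dev/null
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/server.crt" >/dev/null
}

# Step 3: PEM <-> DER. Same X.509 content, text encoding versus binary encoding.
convert_pem_der() {
  openssl x509 -in "$WORK/server.crt" -outform DER -out "$WORK/server.der"
  openssl x509 -in "$WORK/server.der" -inform DER -outform PEM -out "$WORK/server-roundtrip.pem"
}

# SHA-256 fingerprint of a certificate file; $1 = path, $2 = PEM or DER.
fingerprint() {
  openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | cut -d= -f2
}

# First byte of the DER file: 0x30 is the ASN.1 SEQUENCE tag that opens every X.509 cert.
der_first_byte() {
  od -An -tx1 -N1 "$WORK/server.der" | tr -d ' '
}

# The PEM body is literally the DER bytes, base64 encoded between the BEGIN/END lines.
pem_body_is_der() {
  sed '/^-----/d' "$WORK/server.crt" | openssl base64 -d | cmp -s - "$WORK/server.der"
}

# Step 4: PKCS#12 (.pfx/.p12): key + leaf cert + chain in one password-protected container.
make_pfx() {
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -certfile "$WORK/ca.crt" -passout "pass:$PASS" -out "$WORK/server.pfx"
}

# Read only the leaf certificate (no key) back out of the container and fingerprint it.
pfx_leaf_fingerprint() {
  openssl pkcs12 -in "$WORK/server.pfx" -passin "pass:$PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Step 5: PKCS#7 (.p7b): certificates only (leaf plus chain), never a private key.
make_p7b() {
  openssl crl2pkcs7 -nocrl -certfile "$WORK/server.crt" -certfile "$WORK/ca.crt" -out "$WORK/chain.p7b"
}

# Number of certificates carried in the .p7b bundle (expected: leaf + CA = 2).
p7b_cert_count() {
  openssl pkcs7 -in "$WORK/chain.p7b" -print_certs -noout | grep -c '^subject='
}

make_key_and_csr
sign_with_test_ca
convert_pem_der
make_pfx
make_p7b
echo "work dir        : $WORK"
echo "PEM fingerprint : $(fingerprint "$WORK/server.crt" PEM)"
echo "DER fingerprint : $(fingerprint "$WORK/server.der" DER)"
echo "PFX leaf cert   : $(pfx_leaf_fingerprint)"
echo "DER first byte  : $(der_first_byte)"
echo "certs in .p7b   : $(p7b_cert_count)"
```

Two things worth noticing when you run it: the PEM and DER fingerprints are identical, because the fingerprint is computed over the DER bytes either way, and the .p7b carries the chain but no key, while the .pfx is the only artifact here that holds the private key and is therefore the one that must stay under a password and off shared storage. One compatibility caveat: PKCS#12 files produced by old tooling often use the legacy RC2-40 encryption, and OpenSSL 3.x will refuse them unless you add `-legacy` (with the legacy provider available) to the `openssl pkcs12` command.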

Personal Workflow 

Personally, I find that most of my certificate work can be accomplished by: 

  1. Creating a .CSR using a tool such as the DigiCertUtil from DigiCert. 
  2. Having DigiCert or another CA organization process the certificate. 
  3. Downloading the certificate as a .CRT. 
  4. Importing the CRT into DigiCertUtil or another tool used in step 1. 
  5. Exporting as a PFX. 

Then I can use the PFX to install on IIS or Exchange servers, appliances, or other platforms as needed. 

Conclusion 

At the end of the day, most of these formats are just different ways to encode and optionally secure the same basic X.509 certificate data defined in the ASN.1 notation. The PEM and DER formats contain the core certificate content, while PKCS standards like PKCS#7 and PKCS#12 define encryption and bundling containers. 

This publication contains general information only and Sikich is not, by means of this publication, rendering accounting, business, financial, investment, legal, tax, or any other professional advice or services. This publication is not a substitute for such professional advice or services, nor should you use it as a basis for any decision, action or omission that may affect you or your business. Before making any decision, taking any action or omitting an action that may affect you or your business, you should consult a qualified professional advisor. In addition, this publication may contain certain content generated by an artificial intelligence (AI) language model. You acknowledge that Sikich shall not be responsible for any loss sustained by you or any person who relies on this publication.
