172

I need to set up an Apache 2 server with SSL.

I have my *.key file, but in all the documentation I've found online, *.crt files are specified, and my CA only provided me with a *.cer file.

Are *.cer files the same as *.crt? If not, how can I convert CER to CRT format?

TylerH
M.N
  • 13
    `CER` and `CRT` extensions mean nothing. Different PKI vendors use different extensions for the same thing. If the file is binary, then it's probably ASN.1/DER encoded. If the file is human readable with `-----BEGIN CERTIFICATE-----`, then it's PEM encoded. What do you have (DER or PEM), and what do you need (DER or PEM)? – jww Aug 09 '14 at 04:29

11 Answers

148

File extensions for cryptographic certificates aren't really as standardized as you'd expect. Windows by default treats double-clicking a .crt file as a request to import the certificate into the Windows Root Certificate store, but treats a .cer file as a request just to view the certificate. So, they're different in the sense that Windows has some inherent different meaning for what happens when you double click each type of file.

But the way that Windows handles them when you double-click them is about the only difference between the two. Both extensions just represent that it contains a public certificate. You can rename a certificate file to use one extension in place of the other in any system or configuration file that I've seen. And on non-Windows platforms (and even on Windows), people aren't particularly careful about which extension they use, and treat them both interchangeably, as there's no difference between them as long as the contents of the file are correct.

Making things more confusing is that there are two standard ways of storing certificate data in a file: One is a "binary" X.509 encoding, and the other is a "text" base64 encoding that usually starts with "-----BEGIN CERTIFICATE-----". These encode the same data but in different ways. Most systems accept both formats, but, if you need to, you can convert one to the other via openssl or other tools. The encoding within a certificate file is really independent of which extension somebody gave the file.

TylerH
  • 1
    My understanding is that they are _both_ X.509 encodings. You don't say otherwise, but the asymmetric use of x.509 above might suggest otherwise to a reader. To the reader, it's worth noting that the certificates can be converted back and forth between these 2 encodings, because as this answer mentions, they hold the same information. See the other answer with the openssl x509 -inform commands. – FreeText Aug 16 '19 at 18:15
112

Basically there are two CER certificate encoding types, DER and Base64. When the DER type returns an error loading the certificate (asn1 encoding routines), try the PEM and it shall work.

```
openssl x509 -inform DER -in certificate.cer -out certificate.crt

openssl x509 -inform PEM -in certificate.cer -out certificate.crt
```

Liibo
  • 4
    The DER format worked for me when my cer file looked like binary when I tried to edit it... thanks! – Brad Parks Aug 01 '17 at 19:01
  • 1
    To the reader, I found the openssl man page useful. It was ambiguous to me which of the commands did what (i.e. which way was the conversion). The -inform parameter specifies the format of the input -in file, which is intuitive, but if you're already a little confused, it's nice to know explicitly. See https://www.openssl.org/docs/manmaster/man1/openssl-x509.html – FreeText Aug 16 '19 at 18:17
56

According to the mod_ssl documentation:

```
SSLCertificateFile:
   Name: SSLCertificateFile
   Description: Server PEM-encoded X.509 certificate file
```

The certificate file should be a PEM-encoded X.509 certificate file:

```
openssl x509 -inform DER -in certificate.cer -out certificate.pem
```
Dmitry G
  • Will this solve ssl cert errors, when behind `zscaler`, running `vagrant` on `win` (`vbox` `homestead`), by installing our trusted root certs into the vagrant box? I `scp`'d them, then used your conversion and symlinked them into `/etc/ssl/certs` and also copied the contents into the `ca-certificates.crt` file before reprovisioning, and still I'm getting a `google-recaptcha` `tls` `ssl` error on `file_get_contents` on the dev box. – blamb Nov 08 '17 at 19:53
38

CER is an X.509 certificate in binary form, DER encoded.
CRT is a binary X.509 certificate, encapsulated in text (base-64) encoding.

It is not the same encoding.

Spawnrider
  • 14
    This answer is just wrong. Both .CER and .CRT can be using either DER or PEM (text) encoding. Extensions .pem and .der reflect the encoding, .cer and .crt do not. [More details](https://support.ssl.com/Knowledgebase/Article/View/19/0/der-vs-crt-vs-cer-vs-pem-certificates-and-how-to-convert-them). – eis Sep 27 '16 at 10:44
  • 2
    Actually, it *should* be the opposite. But all those extensions have been confused for a long time, so you should not rely on them. – Claudio Floreani Mar 04 '17 at 12:29
  • Can confirm. I have a .cer and it's binary – code_monk Oct 05 '20 at 22:33
  • 1
    [RFC 2585](https://datatracker.ietf.org/doc/html/rfc2585) registers `.cer` for DER encoding and [RFC 7468](https://datatracker.ietf.org/doc/html/rfc7468#section-5.3) recommends `.crt` for the textual (Base64) form, but in practice the extensions are often mixed up. – Martin Mar 17 '22 at 14:38
35

I use the command:

```
openssl x509 -inform PEM -in certificate.cer -out certificate.crt
```

But CER is an X.509 certificate in binary form, DER encoded. CRT is a binary X.509 certificate, encapsulated in text (base-64) encoding.

Because of that, maybe you should use:

```
openssl x509 -inform DER -in certificate.cer -out certificate.crt
```

And then to import your certificate:

Copy your CA to the directory:

```
/usr/local/share/ca-certificates/
```

Use the command:

```
sudo cp foo.crt /usr/local/share/ca-certificates/foo.crt
```

Update the CA store:

```
sudo update-ca-certificates
```

Hugo L.M
32

I assume that you have a .cer file containing PKCS#7-encoded certificate data and you want to convert it to PEM-encoded certificate data (typically a .crt or .pem file). For instance, a .cer file containing PKCS#7-encoded data looks like this:

```
-----BEGIN PKCS7-----
MIIW4gYJKoZIhvcNAQcCoIIW0zCCFs8CAQExADALBgkqhkiG9w0BBwGggha1MIIH
...
POI9n9cd2cNgQ4xYDiKWL2KjLB+6rQXvqzJ4h6BUcxm1XAX5Uj5tLUUL9wqT6u0G
+bKhADEA
-----END PKCS7-----
```

PEM certificate data looks like this:

```
-----BEGIN CERTIFICATE-----
MIIHNjCCBh6gAwIBAgIQAlBxtqKazsxUSR9QdWWxaDANBgkqhkiG9w0BAQUFADBm
...
nv72c/OV4nlyrvBLPoaS5JFUJvFUG8RfAEY=
-----END CERTIFICATE-----
```

There is an OpenSSL command that will convert .cer files (with PKCS#7 data) to the PEM data you may be expecting to encounter (the BEGIN CERTIFICATE block in the example above). You can coerce PKCS#7 data into PEM format by this command on a file we'll call certfile.cer:

```
openssl pkcs7 -text -in certfile.cer -print_certs -outform PEM -out certfile.pem
```

Note that a .cer or .pem file might contain one or more certificates (possibly the entire certificate chain).

Karl Ward
  • 1
    Would be handy if you had a source of this assumption. I think people use (possibly incorrectly) .cer, .crt, .pem interchangeably so having a source of truth would correct the misconceptions. – PhilT May 15 '12 at 10:16
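
The `openssl x509 -inform DER|PEM` answer and the PKCS#7 answer above, combined into one script as an added example (not code from any of the posters): it picks the conversion from the file's contents rather than its extension, writes the PEM that `SSLCertificateFile` expects, and confirms the certificate belongs to the private key. The function names and the file names in the usage line are assumptions.

```shell
#!/bin/sh
# Added example: choose the conversion from the file's contents, not its extension.

# cert_format FILE: print PEM, PKCS7-PEM, DER, PKCS7-DER or UNKNOWN.
cert_format() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo PEM
    elif grep -q -- '-----BEGIN PKCS7-----' "$1"; then
        echo PKCS7-PEM
    elif openssl x509 -inform DER -in "$1" -noout 2>/dev/null; then
        echo DER
    elif openssl pkcs7 -inform DER -in "$1" -noout 2>/dev/null; then
        echo PKCS7-DER
    else
        echo UNKNOWN
    fi
}

# to_pem IN OUT: write the certificate(s) found in IN to OUT as PEM.
# For plain PEM/DER input, x509 emits only the first certificate in the file.
to_pem() {
    case $(cert_format "$1") in
        PEM)       openssl x509  -inform PEM -in "$1" -out "$2" ;;
        DER)       openssl x509  -inform DER -in "$1" -out "$2" ;;
        PKCS7-PEM) openssl pkcs7 -inform PEM -in "$1" -print_certs -out "$2" ;;
        PKCS7-DER) openssl pkcs7 -inform DER -in "$1" -print_certs -out "$2" ;;
        *) echo "unrecognized certificate encoding: $1" >&2; return 1 ;;
    esac
}

# cert_matches_key CERT_PEM KEY_PEM: succeed only when the public key in the
# certificate is the one derived from the private key.
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Usage (assumed file names): sh normalize_cert.sh certificate.cer certificate.pem [server.key]
if [ "$#" -ge 2 ]; then
    to_pem "$1" "$2" || exit 1
    if [ -n "${3:-}" ]; then
        cert_matches_key "$2" "$3" || { echo "certificate does not match key" >&2; exit 1; }
    fi
fi
```
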
17

The answer to the question how to convert a .cer file into a .crt file (they are encoded differently!) is:

```
openssl pkcs7 -print_certs -in certificate.cer -out certificate.crt
```
Alexander Presber
7

If your cer file has binary format you must convert it by

```
openssl x509 -inform DER -in YOUR_CERTIFICATE.cer -out YOUR_CERTIFICATE.crt
```
Mustafa Burak Kalkan
4

The .cer and .crt files should be interchangeable as far as importing them into a keystore.

Take a look at the contents of the .cer file. Erase anything before the -----BEGIN CERTIFICATE----- line and after the -----END CERTIFICATE----- line. You'll be left with the BEGIN/END lines with a bunch of Base64-encoded stuff between them.

```
-----BEGIN CERTIFICATE-----
MIIDQTCCAqqgAwIBAgIJALQea21f1bVjMA0GCSqGSIb3DQEBBQUAMIG1MQswCQYD
...
pfDACIDHTrwCk5OefMwArfEkSBo/
-----END CERTIFICATE-----
```

Then just import it into your keyfile using keytool.

```
keytool -import -alias myalias -keystore my.keystore -trustcacerts -file mycert.cer
```
OtherDevOpsGene
  • The thing that helped me was your comment of BASE-64 ENCODING. A normal cert apparently is special encoding and not plain text readable. Thanks. – DRapp Mar 01 '11 at 17:45
2

Here is one case that worked for me if we need to convert .cer to .crt, though both of them are contextually the same.

Generate crt file:

```
openssl pkcs12 -in identity.p12 -nokeys -out mycertificate.crt
```

Generate key file:

```
openssl pkcs12 -in identity.p12 -out mycertificate.key -nodes -nocerts
```

where we should have a valid private key (identity.p12) in PKCS 12 format; this one I generated from the keystore (.jks file) provided by the CA (Certification Authority) who created my certificate.

Ankitsrivasta
rinilnath
-2

Just do

```
openssl x509 -req -days 365 -in server.cer -signkey server.key -out server.crt
```
Mutuma
  • 8
    Would you care to elaborate what this line does exactly and why exactly you use those parameters? This answer is quite short and may be hard to understand for people with less experience. – GameDroids Dec 09 '14 at 13:32