一. 转换PEM 证书


openssl x509 -outform der -in certificate.pem -out certificate.der

PEM to P7B

openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b 
-certfile CACert.cer


openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in 
certificate.crt -certfile CACert.crt

二. 转换P7B 证书

P7B to PEM

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

P7B to PFX

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer 
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out
certificate.pfx -certfile CACert.cer

三. 转换PFX 证书


openssl pkcs12 -in certificate.pfx -out certificate.cer -nodes 
konwersja poprze OpenSSL

四. 转换DER 证书


openssl x509 -inform der -in certificate.cer -out certificate.pem


PKCS 全称是 Public-Key Cryptography Standards ,是由 RSA 实验室与其它安全系统开发商为促进公钥密码的发展而制订的一系列标准,PKCS 目前共发布过 15 个标准。 常用的有:

  1. PKCS#7 Cryptographic Message Syntax Standard
  2. PKCS#10 Certification Request Standard
  3. PKCS#12 Personal Information Exchange Syntax Standard

X.509是常见通用的证书格式。所有的证书都符合为Public Key Infrastructure (PKI) 制定的 ITU-T X509 国际标准。

  1. PKCS#7常用的后缀是: .P7B .P7C .SPC
  2. PKCS#12常用的后缀有: .P12 .PFX
  3. X.509 DER编码(ASCII)的后缀是: .DER .CER .CRT
  4. X.509 PAM编码(Base64)的后缀是: .PEM .CER .CRT
  5. .cer/.crt是用于存放证书,它是2进制形式存放的,不含私钥。
  6. .pem跟crt/cer的区别是它以Ascii来表示。
  7. pfx/p12用于存放个人证书/私钥,他通常包含保护密码,2进制方式
  8. p10是证书请求
  9. p7r是CA对证书请求的回复,只用于导入
  10. p7b以树状展示证书链(certificate chain),同时也支持单个证书,不含私钥。


PEM Format

The PEM format is the most common format that Certificate Authorities issue certificates in. PEM certificates usually have extentions such as .pem, .crt, .cer, and .key. They are Base64 encoded ASCII files and contain “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–” statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format.

Apache and other similar servers use PEM format certificates. Several PEM certificates, and even the private key, can be included in one file, one below the other, but most platforms, such as Apache, expect the certificates and private key to be in separate files.

DER Format

The DER format is simply a binary form of a certificate instead of the ASCII PEM format. It sometimes has a file extension of .der but it often has a file extension of .cer so the only way to tell the difference between a DER .cer file and a PEM .cer file is to open it in a text editor and look for the BEGIN/END statements. All types of certificates and private keys can be encoded in DER format. DER is typically used with Java platforms. The SSL Converter can only convert certificates to DER format. If you need to convert a private key to DER, please use the OpenSSL commands on this page

PKCS#7/P7B Format

The PKCS#7 or P7B format is usually stored in Base64 ASCII format and has a file extention of .p7b or .p7c. P7B certificates contain “—–BEGIN PKCS7—–” and “—–END PKCS7—–” statements. A P7B file only contains certificates and chain certificates, not the private key. Several platforms support P7B files including Microsoft Windows and Java Tomcat.

PKCS#12/PFX Format

The PKCS#12 or PFX format is a binary format for storing the server certificate, any intermediate certificates, and the private key in one encryptable file. PFX files usually have extensions such as .pfx and .p12. PFX files are typically used on Windows machines to import and export certificates and private keys.

When converting a PFX file to PEM format, OpenSSL will put all the certificates and the private key into a single file. You will need to open the file in a text editor and copy each certificate and private key (including the BEGIN/END statments) to its own individual text file and save them as certificate.cer, CACert.cer, and privateKey.key respectively.