SSL Converter
Convert SSL certificates with OpenSSL
Upload a certificate, validate the format, and convert between PEM, DER, P7B, and PFX.
Security Warning
Private key required for PEM -> PFX and P7B -> PFX. Password required for PEM -> PFX and PFX -> PEM.
SSL Converter Guide
This tool converts SSL certificates across common formats and explains when to use each one.
PEM Format
Base64 text with BEGIN/END headers. Common for Linux, Apache, and Nginx.
DER Format
Binary certificate format used in Windows and Java environments.
P7B/PKCS#7 Format
Certificate chain container without private keys. Often used with IIS.
PFX/PKCS#12 Format
Binary package that can include certificate, chain, and private key.
OpenSSL Commands to Convert SSL Certificates
OpenSSL Convert PEM
Convert PEM to DER
openssl x509 -outform der -in certificate.pem -out certificate.derConvert PEM to P7B
openssl crl2pkcs7 -nocrl -certfile certificate.cer -out certificate.p7b -certfile CACert.cerConvert PEM to PFX
openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CACert.crtOpenSSL Convert DER
Convert DER to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pemOpenSSL Convert P7B
Convert P7B to PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cerConvert P7B to PFX
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
openssl pkcs12 -export -in certificate.cer -inkey privateKey.key -out certificate.pfx -certfile CACert.cerOpenSSL Convert PFX
Convert PFX to PEM
openssl pkcs12 -in certificate.pfx -out certificate.cer -nodesSSL Certificate Formats Explained
SSL/TLS certificates are the credentials that prove your server’s identity and enable encrypted connections. Because different platforms store certificates in different ways, conversion between formats is common. This converter exists to help you move between PEM, DER, P7B, and PFX without guesswork, while also explaining what each file type is used for.
Before you upload anything, consider whether your environment requires on‑prem processing. If a certificate or key is sensitive, use the OpenSSL commands shown above on a trusted machine you control.
At a high level, a certificate contains a public key, identity details, and a signature from a certificate authority (CA). A private key is separate and must be protected. Some formats combine certificates and keys into a single bundle, while others keep them separate. Understanding what is inside each file helps you choose the correct conversion target and avoid accidental exposure.
When to use each format
Use PEM for most Linux-based servers, Nginx, and Apache. PEM is human readable, easy to edit, and supports chains by stacking certificates in one file. DER is a binary format often used by Java keystores and Windows tools. P7B (PKCS#7) is typically used to share a certificate chain without private keys. PFX (PKCS#12) bundles the certificate, chain, and private key into one password-protected file, which is common for Windows servers and import/export workflows.
A frequent task is converting PEM to PFX for IIS, or converting a PFX to PEM when moving a certificate to Linux. Another common scenario is extracting a chain from P7B so you can configure intermediates correctly. This tool supports these conversions and shows the equivalent OpenSSL commands for offline use.
Certificate chains and intermediate CAs
Most certificates rely on one or more intermediate CAs. If you upload only the leaf certificate without its chain, clients may see trust errors even if the certificate is valid. When building a PEM chain, include the leaf certificate first, then append intermediate certificates in order. The root certificate is typically not included because it is already trusted by clients.
For PFX bundles, include the full chain so Windows and other environments can build a trusted path automatically. A missing chain is one of the most common causes of “certificate not trusted” warnings after migration.
Handling private keys safely
Private keys should be treated as sensitive secrets. Only upload a key if you understand the risks and the environment is secure. This converter processes files in memory and does not store uploads, but best practice is still to perform conversions on a trusted machine under your control. If you do upload a key, use a strong password when exporting a PFX and rotate the key if exposure is suspected.
When moving certificates between systems, verify file permissions and ownership. On Linux, private keys should be readable only by the service account. On Windows, ensure that only required identities have access to the certificate store.
Troubleshooting conversion errors
If a conversion fails, check that the input format matches the file you provided. PEM files should include clear BEGIN/END headers. PFX files require the correct password. For P7B, ensure the file contains certificates and not a different PKCS container. The error messages in the results panel can help you identify missing components or invalid files.
After conversion, validate the certificate with your target platform. An OpenSSL command like openssl x509 -text -noout can show details such as subject, issuer, and expiration. Always confirm that the private key matches the certificate before deploying.
Frequently asked questions
Do I need the private key for every conversion? Only when converting to a format that includes the key, such as PFX. For conversions between certificate-only formats, the key is not required.
Why does my PFX export fail? Common causes include an incorrect password, a missing private key, or a mismatched key and certificate. Confirm that the key belongs to the certificate you are exporting.
Is it safe to upload certificates here? The tool processes files temporarily and does not store uploads, but for sensitive environments, use the OpenSSL commands shown above on a trusted server.
Converting certificates should be a routine, low-risk task. With clear format guidance and reliable conversion steps, you can move between platforms quickly and keep secure services running without downtime.