PEM vs DER vs PFX vs PKCS#7: SSL Certificate Formats Explained and How to Convert Them

When you receive an SSL certificate, you often get more than one file with different extensions: .pem, .crt, .der, .pfx, .p7b. The catch is that your server only accepts one specific format, not all of them. This guide explains what each format is, where it is used, and how to switch between them with an SSL converter.

What are SSL certificate formats?

Every format carries the same underlying certificate data. The difference is how that data is packaged and whether it also bundles the private key and chain certificates.

  • PEM — A Base64-encoded text format (it starts with -----BEGIN CERTIFICATE-----). It is the standard for Apache, Nginx and the Linux world in general. A single file can hold the certificate, the chain and the private key.
  • DER — The binary version of PEM. It is not human-readable and is preferred by some Java applications and hardware devices. The extension is usually .der or .cer.
  • PFX / PKCS#12 — Bundles the certificate, the chain and the private key into a single encrypted file (.pfx or .p12). It is the standard transport format for Windows and IIS.
  • P7B / PKCS#7 — Contains only the certificate and its chain, with no private key (.p7b or .p7c). It is common for building chains on Windows and Tomcat.

Which server needs which format?

  • Apache / Nginx (Linux): PEM — a separate certificate file (with the chain) and a separate private key file.
  • Microsoft IIS / Windows: PFX (PKCS#12) — certificate, key and chain in one file. This is usually the most practical option.
  • Apache Tomcat: Typically a PKCS#12 (PFX) keystore; older setups use P7B for the chain.
  • Java applications: DER, or PKCS#12 to import into a keystore.
  • Load balancers / CDNs: Usually PEM (certificate + key).

How to convert with the SSL converter

Our SSL converter tool lets you switch between these formats in seconds. The most important detail: everything runs in your browser; your private key never leaves your device. Files are not uploaded to any server, and the conversion happens entirely locally.

  1. Open the tool and select the file you want to convert (PEM, DER, P7B or PFX).
  2. Choose your target format.
  3. If you are building a PFX output, add the private key and optionally set a password.
  4. If you are using a PFX as input, you must enter the file's password.
  5. Click convert and download the result.

Equivalent openssl commands

For those who prefer the command line, here are the equivalents:

PEM -> DER:   openssl x509 -in cert.pem -outform der -out cert.der
DER -> PEM:   openssl x509 -in cert.der -inform der -out cert.pem
PEM -> PFX:   openssl pkcs12 -export -in cert.pem -inkey key.pem -out cert.pfx
PFX -> PEM:   openssl pkcs12 -in cert.pfx -nodes -out cert.pem
PEM -> P7B:   openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7b
P7B -> PEM:   openssl pkcs7 -in cert.p7b -print_certs -out cert.pem

PFX and privacy: why do it in the browser?

A PFX file is extremely sensitive because it contains your private key. Anyone who obtains that key can decrypt your traffic or impersonate your site. That is why uploading private-key conversions to random online sites is a serious risk. In our tool the conversion runs entirely client-side, so your key never leaves your computer and your privacy stays intact.

No certificate yet?

If you do not have a certificate to convert, get one first. With our free 90-day SSL wizard you can issue a Let's Encrypt certificate in minutes, then convert it into the exact format your server expects.

Summary

PEM is for Linux/Apache/Nginx, DER is binary/Java, PFX is for Windows/IIS (key included), and P7B is for the chain (no key). Identify the right format, convert it safely with the SSL converter, and remember: the whole process runs in your browser and your private key never leaves your device.