
Are .pem and .cer interchangeable?


I know .pem are base 64 encoded and .cer is the certificate which can be .pem encoded.

Question: I have been using .cer in our application. Since the certificate is expiring, we got a new certificate in .pem format. Can we start using .pem as it is or should I convert it to .cer before using?

I am a novice in the certificate related subject. Any tutorials/web sites can be helpful.

Thanks for your help.


Solution

  • As far as I know there are 2 types of encoding, in which you can save a certificate (or private key, CRL, PKCS#12 etc.). These 2 encodings are

    PEM is a base64 encoding, usually used with some headers and wrapped at 64 characters per line. An example of a certificate in PEM encoding is

    -----BEGIN CERTIFICATE-----
    MIIDOTCCAiGgAwIBAgIBBTANBgkqhkiG9w0BAQUFADAfMQswCQYDVQQGEwJTSzEQ
    MA4GA1UEAxMHaWRzcnZDQTAeFw0xNDA0MDUxMjA5MDBaFw0xNTA0MDUxMjA5MDBa
    .....
    VMO1CaARu0mgMZv3dw==
    -----END CERTIFICATE-----
    

    DER is a binary encoding that can be converted to PEM encoding by using a base64 encode function, wrapping, and adding headers. It represents an ASN.1 structure defined by RFC 5280, which "profiles the X.509 v3 certificate and X.509 v2 certificate revocation list (CRL) for use in the Internet".

    Windows can use both encodings and it does not matter if the file has a .cer or .crt (or maybe other) extension. It manages to use the certificate in PEM encoding even if it is not wrapped at 64 chars per line or even if it has no headers. OpenSSL is different and requires that a certificate in PEM encoding has headers and is wrapped at 64 chars per line. So as you can see, it depends on the application.

    I would suggest that you look into your .pem file and see what encoding is used (use your favorite editor). Then use exactly the same as was used in the .cer file (just to be safe, because I don't know which application you mean). If you want, you can also rename the .pem file to a .cer file, but IMHO I don't think it will be necessary.

    Oh, there is also a third encoding (which I rarely see) - HEX encoding. It is practically a DER represented as hex characters. You can convert from HEX to DER using certutil (on Windows).
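
Added example, not part of the original answer: a Python sketch that identifies which of the encodings described above a certificate file actually uses, whatever its extension, normalises it to DER or to 64-column PEM with headers, and fingerprints the DER bytes so the old .cer and new .pem can be compared independently of encoding. The function names and `SAMPLE_DER` are hypothetical; the sample is a constructed byte string rather than a real certificate, and only the outer ASN.1 SEQUENCE framing is checked, not the X.509 contents.

```python
import base64
import binascii
import functools
import hashlib
import re

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# Constructed sample: a well-formed DER SEQUENCE of 256 filler bytes, NOT a real certificate.
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
# Strict base64: rejects characters outside the alphabet instead of skipping them.
b64_strict = functools.partial(base64.b64decode, validate=True)

def is_der_sequence(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE: tag 0x30 and a length that matches."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    if data[1] < 0x80:  # short form: this byte is the content length
        return len(data) == 2 + data[1]
    n = data[1] & 0x7F  # long form: n length bytes follow
    if not 1 <= n <= 4 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")

def to_der(data: bytes):
    """Return (detected_encoding, der_bytes) for the raw contents of a certificate file."""
    if is_der_sequence(data):
        return "DER", data
    m = PEM_RE.search(data)
    compact = b"".join((m.group(1) if m else data).split())  # drop all whitespace
    # Without headers, hex is tried first: hex digits are also valid base64 characters.
    decoders = [("PEM", b64_strict)] if m else [
        ("HEX", binascii.unhexlify), ("BASE64", b64_strict)]
    for name, decode in decoders:
        try:
            der = decode(compact)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        if is_der_sequence(der):
            return name, der
    raise ValueError("not a recognised certificate encoding")

def to_pem(der: bytes) -> str:
    """DER -> PEM with headers and 64-character lines (the form the answer says OpenSSL needs)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join(["-----BEGIN CERTIFICATE-----", *body, "-----END CERTIFICATE-----", ""])

def fingerprint(data: bytes) -> str:
    """SHA-256 over the DER bytes: identical for every encoding of the same certificate."""
    return hashlib.sha256(to_der(data)[1]).hexdigest()
```

Reading a file with `open(path, "rb").read()` and passing the bytes to `to_der` reports the encoding actually in use; `"BASE64"` means header-less base64, which the answer notes Windows accepts but OpenSSL does not.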