openssl x509: Convert PEM and DER Certificates
openssl x509 with -inform and -outform converts a certificate between PEM and DER encodings.
Java keystores and some APIs want DER; web servers want PEM. x509 round-trips between them losslessly.
What it does
openssl x509 reads a certificate in the input format (-inform) and re-encodes it in the output format (-outform). PEM is base64 with BEGIN/END lines; DER is raw binary.
Common usage
Terminal
openssl x509 -in cert.pem -outform der -out cert.der
openssl x509 -in cert.der -inform der -out cert.pem
# inspect a DER cert without converting
openssl x509 -in cert.der -inform der -text -nooutOptions
| Flag | What it does |
|---|---|
| -inform pem|der | Format of the input file (default PEM) |
| -outform pem|der | Format of the output file |
| -in <file> / -out <file> | Input and output paths |
Common errors in CI
"unable to load certificate ... PEM routines:get_name:no start line" means the input is DER but you did not pass -inform der. The reverse, garbled binary or "header too long", means a DER tool was handed PEM. When in doubt, run file cert.der or check for the BEGIN CERTIFICATE line.
Related guides
openssl x509 -text: Inspect a Certificateopenssl x509 -text -noout prints a human-readable view of a certificate: subject, issuer, SANs, validity. Ref…
openssl pkcs12: Export and Import .p12 Bundlesopenssl pkcs12 packs a key and cert chain into a .p12/.pfx and unpacks them back. Reference for -export, -in,…
openssl rsa: PEM, DER and PKCS#1 vs PKCS#8openssl rsa and pkcs8 convert RSA keys between PEM/DER and PKCS#1/PKCS#8. Reference for -outform, -traditiona…
openssl x509 -fingerprint: Cert Fingerprintsopenssl x509 -fingerprint prints a certificate fingerprint for pinning and comparison. Reference for -sha256,…