Skip to content
Latchkey

openssl x509: Convert PEM and DER Certificates

openssl x509 with -inform and -outform converts a certificate between PEM and DER encodings.

Java keystores and some APIs want DER; web servers want PEM. x509 round-trips between them losslessly.

What it does

openssl x509 reads a certificate in the input format (-inform) and re-encodes it in the output format (-outform). PEM is base64 with BEGIN/END lines; DER is raw binary.

Common usage

Terminal
openssl x509 -in cert.pem -outform der -out cert.der
openssl x509 -in cert.der -inform der -out cert.pem
# inspect a DER cert without converting
openssl x509 -in cert.der -inform der -text -noout

Options

FlagWhat it does
-inform pem|derFormat of the input file (default PEM)
-outform pem|derFormat of the output file
-in <file> / -out <file>Input and output paths

Common errors in CI

"unable to load certificate ... PEM routines:get_name:no start line" means the input is DER but you did not pass -inform der. The reverse, garbled binary or "header too long", means a DER tool was handed PEM. When in doubt, run file cert.der or check for the BEGIN CERTIFICATE line.

Related guides

Run this faster and cheaper on Latchkey managed runners. Start free →