There are many variants of these questions, asking how to convert TLS (technically X.509) certificates between various formats. To be stored in a file, a certificate must be encoded. Some common common encodings are:
A useful convention is for the filename to use an extension that indicates the encoding of the data in it, such as "cert.der" to indicate that the contained certificate is DER-encoded. However it is more common for PEM-encoded certificates to be given a file extension of .crt or .cer. Since PEM can encode other data, such as private keys, it is not uncommon for files to contain multiple PEM-encoded objects. In contrast, a .der file should only contain a single DER-encoded certificate. The PKCS#7/CMS format is very flexible and can contain arbitrary encrypted and/or signed data, but .p7b files contain only certificates, and sometimes certificate revocation lists, in PKCS#7. PKCS#12 or PFX is another format that can contain multiple objects, such as a server private key and the corresponding certificate. Such files have the extension .pfx by convention.
The most convenient and reliable tool for converting between these different formats is openssl.
$ openssl x509 -in cert.pem -outform der -out cert.der $ openssl x509 -in cert.der -inform der -out cert.pem $ openssl pkcs7 -print_certs -in cert.p7b -out cert.pem $ openssl crl2pkcs7 -nocrl -certfile cert.pem -out cert.p7bIf you take a look at the .p7b file created by this last command, you'll see that it is base-64 encoded data with a BEGIN/END header/trailer. It is actually the certificate encoded twice, first in PKCS#7/CMS and then in PEM, just as the regular .pem format is actually DER encoded in PEM.
$ openssl pkcs12 -export -out cert.pfx -inkey key.pem -in cert.pem -certfile CA-cert.pemWe can also extract the certificate from a PFX file:
$ openssl pkcs12 -in cert.pfx -out cert.pem -nokeys
$ cat cert.pem key.pem >server.pemAgain we can extract the certificate with openssl:
$ openssl x509 -in server.pem -out cert.pem