- RFC 5280 (X.509): https://datatracker.ietf.org/doc/html/rfc5280
  - The de facto standard for certificate format.
- RFC 2315 (PKCS#7): https://datatracker.ietf.org/doc/html/rfc2315
  - Contains multiple certificates, like an archive file but just for certificates.
- RFC 7292 (PKCS#12): https://datatracker.ietf.org/doc/html/rfc7292
  - Contains multiple certificates and (quite often) the private key for the certificate.
- RFC 7468 (PEM encoding): https://datatracker.ietf.org/doc/html/rfc7468
  - Encodes supported X.690 (DER) encoded file(s) into printable, Base64-encoded file(s).
- OpenSSL 1.1.1 Man Pages: https://www.openssl.org/docs/man1.1.1/man1/

Notation used in the table below:

- [-out file]: An optional parameter for the command.
- {-clcerts|-chain}: Choose one parameter for the command.

Input \ Output | X.509 PEM | X.509 DER | PKCS#7 PEM | PKCS#7 DER | PKCS#12 |
---|---|---|---|---|---|
X.509 PEM | -- | openssl x509 -in cert.x509.pem -outform DER [-out cert.x509.der] | openssl crl2pkcs7 -certfile certs.x509.pem -nocrl [-out certs.p7.pem] | Convert to PKCS#7 PEM first. | openssl pkcs12 -export -in chain.x509.pem [-inkey key.p8.pem] [-out bundle.pfx] |
X.509 DER | openssl x509 -in cert.x509.der -inform DER [-out cert.x509.pem] | -- | Convert to X.509 PEM first. | Convert to X.509 PEM first. | Convert to X.509 PEM first. |
PKCS#7 PEM | openssl pkcs7 -in cert.p7.pem -print_certs [-out certs.x509.pem] | Convert to X.509 PEM first. | -- | openssl pkcs7 -in certs.p7.pem -outform DER [-out certs.p7.der] | Convert to X.509 PEM first. |
PKCS#7 DER | openssl pkcs7 -in cert.p7.der -inform DER -print_certs [-out certs.x509.pem] | Convert to X.509 PEM first. | openssl pkcs7 -in cert.p7.der -inform DER [-out cert.p7.pem] | -- | Convert to X.509 PEM first. |
PKCS#12 | openssl pkcs12 -in bundle.pfx -nokeys {-clcerts\|-chain} [-out cert.x509.pem] | Convert to X.509 PEM first. | Convert to X.509 PEM first. | Convert to X.509 PEM first. | -- |

Note

While other formats support multiple certificates in one file, X.509 DER supports only one certificate.
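
The note above in practice, as an added example that is not part of the original page: a two-certificate PEM file is pushed through the table's X.509 DER, PKCS#7 and PKCS#12 conversions and the certificates that come back are counted. The file names, the `leaf.example`/`issuer.example` subjects and the password are constructed for the example, and the `req`, `-passin` and `-passout` usage is an addition not listed in the table.

```shell
#!/bin/sh
# Added example: certificates and password below are constructed throwaways.
set -eu

count_certs() {   # number of PEM certificate blocks in file $1
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

fingerprint() {   # SHA-256 fingerprint of the first certificate in PEM file $1
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

make_bundle() {   # two self-signed test certs in dir $1, concatenated leaf first
    for cn in leaf issuer; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$cn.example" \
            -keyout "$1/$cn.key.pem" -out "$1/$cn.x509.pem" 2>/dev/null
    done
    cat "$1/leaf.x509.pem" "$1/issuer.x509.pem" > "$1/certs.x509.pem"
}

roundtrip() {     # prints "<via DER> <via PKCS#7> <PKCS#12 -clcerts> <DER survivor>"
    d=$(mktemp -d)
    make_bundle "$d"

    # X.509 PEM -> X.509 DER -> X.509 PEM: only the first certificate is read.
    openssl x509 -in "$d/certs.x509.pem" -outform DER -out "$d/cert.x509.der"
    openssl x509 -in "$d/cert.x509.der" -inform DER -out "$d/from_der.pem"

    # X.509 PEM -> PKCS#7 PEM -> PKCS#7 DER -> X.509 PEM: both certificates survive.
    openssl crl2pkcs7 -certfile "$d/certs.x509.pem" -nocrl -out "$d/certs.p7.pem"
    openssl pkcs7 -in "$d/certs.p7.pem" -outform DER -out "$d/certs.p7.der"
    openssl pkcs7 -in "$d/certs.p7.der" -inform DER -print_certs -out "$d/from_p7.pem"

    # X.509 PEM -> PKCS#12 -> X.509 PEM with -clcerts: only the cert matching the key.
    openssl pkcs12 -export -in "$d/certs.x509.pem" -inkey "$d/leaf.key.pem" \
        -passout pass:constructed -out "$d/bundle.pfx"
    openssl pkcs12 -in "$d/bundle.pfx" -passin pass:constructed -nokeys -clcerts \
        -out "$d/from_p12.pem" 2>/dev/null

    kept=other
    [ "$(fingerprint "$d/from_der.pem")" = "$(fingerprint "$d/leaf.x509.pem")" ] && kept=leaf
    echo "$(count_certs "$d/from_der.pem") $(count_certs "$d/from_p7.pem")" \
         "$(count_certs "$d/from_p12.pem") $kept"
    rm -rf "$d"
}

roundtrip   # expected: 1 2 1 leaf
```

The DER step drops the second certificate without an error or warning, so count certificates before and after any conversion that passes through X.509 DER.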