The .cer file format typically contains an X.509 certificate in DER (binary) or Base64 (PEM) encoding. The .pem format is essentially the Base64-encoded version of the certificate with BEGIN/END CERTIFICATE headers.
For simple cases where your .cer is already in Base64 format:
# Check if .cer is already in PEM format
cat certificate.cer | head -n 1
# If output shows "-----BEGIN CERTIFICATE-----", just rename:
mv certificate.cer certificate.pem
For binary .cer files, OpenSSL is the most reliable tool:
# Convert DER-encoded .cer to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem
# Verify the output
openssl x509 -in certificate.pem -text -noout
If working with Windows certificates:
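# PowerShell: export a certificate from the store as a DER-encoded .cer
# (Export-Certificate -Type CERT writes binary DER, not PEM)
# Select-Object -First 1 avoids several matches overwriting the same file
$cert = Get-ChildItem -Path Cert:\CurrentUser\My\ -CodeSigningCert | Select-Object -First 1
$cert | Export-Certificate -Type CERT -FilePath cert.cer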
# Then use OpenSSL as shown above
PEM format is often required for:
- Apache/nginx HTTPS configuration
- Node.js server setups
- Python requests with client certificates
- Docker container certificate mounting
Always verify your converted certificate:
# Check PEM file validity
openssl x509 -in certificate.pem -text -noout
# Common errors to watch for:
# - "unable to load certificate" → usually means wrong input format
# - "bad base64 decode" → file isn't properly Base64 encoded
# - "no start line" → missing PEM headers
When dealing with chain certificates:
# Combine multiple PEM files
# Order matters for servers such as nginx: server certificate first, then intermediates, root last
cat server_cert.pem intermediate.pem root_ca.pem > fullchain.pem
# Convert each certificate separately first if needed
For batch processing multiple certificates:
#!/bin/bash
for cert in *.cer; do
    openssl x509 -inform der -in "$cert" -out "${cert%.*}.pem"
done
Certificates in .cer format are typically DER-encoded binary files or Base64-encoded ASCII files. The .pem format is always Base64-encoded ASCII with -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- headers.
If your .cer is already in Base64 format, you can simply:
cp certificate.cer certificate.pem
Or on Windows:
copy certificate.cer certificate.pem
For more reliable conversion, use OpenSSL:
openssl x509 -inform der -in certificate.cer -out certificate.pem
If your .cer is already in PEM format but has the wrong extension:
openssl x509 -inform pem -in certificate.cer -out certificate.pem
Check your converted file:
openssl x509 -in certificate.pem -text -noout
Here's a bash script to batch convert:
#!/bin/bash
for cer_file in *.cer; do
    pem_file="${cer_file%.cer}.pem"
    openssl x509 -inform der -in "$cer_file" -out "$pem_file"
    echo "Converted $cer_file to $pem_file"
done
For Windows users:
Get-ChildItem *.cer | ForEach-Object {
    $pemFile = [System.IO.Path]::ChangeExtension($_.FullName, ".pem")
    & openssl x509 -inform der -in $_.FullName -out $pemFile
    Write-Host "Converted $($_.Name) to $([System.IO.Path]::GetFileName($pemFile))"
}
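The batch scripts above pass -inform der to every file, which the error notes on this page tie to "unable to load certificate" when a .cer is actually PEM. The sketch below is an added example, not part of the original page: it detects the encoding first (PEM header, or the 0x30 byte that opens a DER SEQUENCE) and keeps only output that OpenSSL parses. The function names detect_cert_encoding and cer_to_pem are made up for this example.

```shell
#!/bin/sh
# Added example: choose -inform per file instead of assuming DER.

# Print "pem", "der" or "unknown" for the file given as $1.
detect_cert_encoding() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" 2>/dev/null; then
        echo pem
    # A DER certificate is an ASN.1 SEQUENCE, so its first byte is 0x30.
    elif [ "$(od -An -tx1 -N1 "$1" 2>/dev/null | tr -d ' \n')" = "30" ]; then
        echo der
    else
        echo unknown
    fi
}

# Convert $1 to a .pem file next to it; return non-zero if that is not possible.
cer_to_pem() {
    in=$1
    out="${in%.*}.pem"
    enc=$(detect_cert_encoding "$in")
    if [ "$enc" = unknown ]; then
        echo "skip $in: neither PEM nor DER" >&2
        return 1
    fi
    # Write to a temporary file so a failed parse never leaves a bogus .pem behind.
    tmp="$out.tmp.$$"
    if openssl x509 -inform "$enc" -in "$in" -out "$tmp" 2>/dev/null; then
        mv "$tmp" "$out"
        echo "converted $in ($enc) -> $out"
    else
        # 0x30 also opens other ASN.1 files (for example PKCS#7 bundles).
        rm -f "$tmp"
        echo "skip $in: looks like $enc but is not an X.509 certificate" >&2
        return 1
    fi
}

# Convert every file named on the command line, e.g.: sh convert.sh *.cer
for f in "$@"; do
    cer_to_pem "$f" || true
done
```
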
Error: "unable to load certificate" usually means the input format is wrong. Try adding -inform pem instead of -inform der.
Error: "bad base64 decode" suggests the file might be binary DER format when OpenSSL expects PEM.