When working with certificates on Linux systems, you'll encounter different encoding formats. The error you're seeing suggests OpenSSL is having trouble interpreting your input format. Let me explain the possibilities:
# Common certificate formats
1. DER (Binary) - Common in Windows .cer files
2. PEM (Base64) - Common in Linux .pem files
3. PKCS#7 - Usually has .p7b extension
4. PKCS#12 - Usually has .p12 or .pfx extension
Based on your case, where openssl x509 -text -noout works but DER conversion fails, your certificate is likely already in PEM format but with a .cer extension. Here are the proper conversion commands:
# If certificate is in DER format (binary)
openssl x509 -inform der -in certificate.cer -out certificate.pem
# If certificate is already in PEM format (ASCII)
openssl x509 -in certificate.cer -out certificate.pem
# Alternative method for PEM to PEM conversion
cp certificate.cer certificate.pem
To properly diagnose your certificate format, use these commands:
# Check if file is ASCII (PEM) or binary (DER)
file cas.cer
# For binary files, check the exact type
openssl asn1parse -in cas.cer -inform DER
# Inspect a certificate (add -inform der if the file is binary DER)
openssl x509 -in cas.cer -text -noout
Sometimes certificates come in other container formats. Here's how to handle them:
# If certificate is in PKCS#7 format
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
# If certificate chain is concatenated
# (Common in Apache configurations)
cat domain.crt intermediate.crt root.crt > fullchain.pem
# For password-protected PKCS#12 bundles
# (-nodes writes any private key to the output file unencrypted)
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
Since openssl x509 -text -noout works on your file, you can simply:
# This will work since your file is already PEM encoded
cp cas.cer cas.pem
# Or to ensure proper formatting
openssl x509 -in cas.cer -out cas.pem
The error you encountered typically happens when OpenSSL expects DER format but gets PEM instead. The -inform der flag tells OpenSSL to expect binary format, but your file is ASCII.
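The diagnosis and conversion steps above can be combined so that the input flags are chosen from the file's content instead of its extension. This is an added example, not part of the original answer; the function names detect_cert_format and cert_to_pem are hypothetical.

```shell
#!/usr/bin/env bash
# Added example: pick the right OpenSSL input flags from the file's content,
# not its extension. Function names are hypothetical.

# Print "pem", "pkcs7", "der" or "unknown" for the file in $1.
detect_cert_format() {
    local f="$1" first
    [ -r "$f" ] || { echo "unknown"; return 1; }
    if grep -aq -e '-----BEGIN CERTIFICATE-----' "$f"; then
        echo "pem"
    elif grep -aq -e '-----BEGIN PKCS7-----' "$f"; then
        echo "pkcs7"
    else
        # DER is raw ASN.1; a certificate starts with a SEQUENCE tag (0x30).
        # PKCS#7 and PKCS#12 in DER share that byte, so "der" is only a
        # candidate: openssl x509 still has to parse it.
        first=$(head -c 1 "$f" | od -An -tx1 | tr -d ' \n')
        if [ "$first" = "30" ]; then echo "der"; else echo "unknown"; fi
    fi
}

# Write a PEM copy of $1 to $2 using the commands from the answer above.
cert_to_pem() {
    local src="$1" dst="$2"
    case "$(detect_cert_format "$src")" in
        pem)   openssl x509 -in "$src" -out "$dst" ;;
        der)   openssl x509 -inform der -in "$src" -out "$dst" ;;
        pkcs7) openssl pkcs7 -print_certs -in "$src" -out "$dst" ;;
        *)     echo "unrecognised certificate format: $src" >&2; return 1 ;;
    esac
}

# Usage: cert_to_pem cas.cer cas.pem
```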
After conversion, always verify your certificates:
# Verify PEM certificate
openssl x509 -in cas.pem -text -noout
# Check certificate expiration
openssl x509 -in cas.pem -enddate -noout
# Verify certificate chain (if applicable)
openssl verify -verbose -CAfile ca-bundle.pem cas.pem
When working with SSL/TLS certificates on Linux systems, you might encounter conversion challenges between different certificate formats. The error message you're seeing:
openssl x509 -inform der -in cas.cer -out cas.pem
unable to load certificate
4419:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:959:
4419:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:304:Type=X509
typically indicates that OpenSSL is trying to parse the file using the wrong encoding format.
Before conversion, you need to identify whether your .cer file is in DER or PEM format. The fact that openssl x509 -in cas.cer -text -noout works suggests your certificate is already in PEM format. PEM files are ASCII-armored with BEGIN/END CERTIFICATE markers, while DER files are binary.
If your certificate is actually in PEM format (text-based), no conversion is needed - just copy (or rename) the file:
cp cas.cer cas.pem
For true DER to PEM conversion (when you have a binary .cer file):
openssl x509 -inform der -in certificate.cer -out certificate.pem
For PEM to DER conversion (reverse operation):
openssl x509 -outform der -in certificate.pem -out certificate.der
To examine a certificate file (add -inform der if it is binary DER):
openssl x509 -in certfile -text -noout
This will display human-readable certificate information including issuer, validity period, and public key details.
Different certificate types may require specific OpenSSL commands:
For PKCS#7 certificates (.p7b files):
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem
For PKCS#12 certificates (.pfx or .p12 files); note that -nodes writes any private key to the output file unencrypted:
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes
When dealing with certificate chains, you might need to concatenate multiple certificates, with the server certificate first, followed by the intermediate and then the root:
cat server_cert.pem intermediate_ca.pem root_ca.pem > full_chain.pem
This creates a complete certificate chain that some servers (like Apache or Nginx) require for proper SSL configuration.