When working with SSL/TLS certificates, you'll typically receive two main components:
-----BEGIN CERTIFICATE-----
[...Base64 encoded certificate data...]
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
[...Base64 encoded private key...]
-----END RSA PRIVATE KEY-----
This format is known as PEM (Privacy-Enhanced Mail) format, which uses base64 encoding between header and footer lines. For IIS, you'll need the certificate in .cer or .pfx format.
The most straightforward method is using OpenSSL:
# Convert PEM to DER (binary .cer)
openssl x509 -outform der -in certificate.pem -out certificate.cer
# Alternatively, keep PEM format but change extension (also works in IIS)
openssl x509 -in certificate.pem -out certificate.cer
If you don't have OpenSSL installed, you can manually create the .cer file:
- Copy everything between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- (including these lines)
- Save as a new file with .cer extension
- Ensure the file uses ASCII/ANSI encoding (not UTF-8 with BOM)
Before deploying to IIS, verify the certificate:
# Older OpenSSL releases need "-inform der" here when the .cer file is binary DER
openssl x509 -in certificate.cer -text -noout
This will display certificate details including issuer, validity period, and subject.
Once you have the .cer file:
- Open IIS Manager
- Navigate to Server Certificates
- Click "Import..."
- Select your .cer file
- If required, also import the private key separately
Problem: IIS complains about missing private key
Solution: You may need to combine certificate and key into PFX:
openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.pem
Problem: Certificate chain is incomplete
Solution: Include intermediate certificates in your .cer file or import them separately in IIS.
For repeated conversions, use this PowerShell script:
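# Read the whole PEM file as one string
$pemContent = Get-Content -Path ".\certificate.pem" -Raw
# Strip the header, the footer and all whitespace so that only the Base64 body remains
$cerContent = $pemContent -replace "-----BEGIN CERTIFICATE-----","" `
    -replace "-----END CERTIFICATE-----","" `
    -replace "\s",""
# Decode the Base64 body to DER bytes
$bytes = [Convert]::FromBase64String($cerContent)
# .NET resolves relative paths against the process directory, so build the path from $PWD
[IO.File]::WriteAllBytes((Join-Path $PWD "certificate.cer"), $bytes)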
When working with SSL/TLS certificates, you'll often encounter different file formats. The PEM format (with BEGIN/END markers) is common for certificate exchanges, while IIS typically requires the .cer format (DER-encoded binary or Base64 ASCII).
The content you received contains both the certificate and private key. For IIS, we only need the certificate portion:
-----BEGIN CERTIFICATE-----
[...Many letters and digits...]
-----END CERTIFICATE-----
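The PEM content described above can hold a private key next to the certificate, and only the CERTIFICATE blocks belong in a .cer file. The following PowerShell function is an added example, not code from the original page: it pulls every CERTIFICATE block out of a combined PEM text, parses it as X.509, writes it as a DER .cer file, and never writes key material. The names Convert-PemBundleToCer and cert-N.cer are assumptions, the sample input is constructed inside the script, and it assumes PowerShell 7 or Windows PowerShell on .NET Framework 4.7.2 or later.

```powershell
# Added example; function name and output file names are illustrative assumptions.
function Convert-PemBundleToCer {
    param(
        [Parameter(Mandatory)][string]$PemText,  # full PEM text, may include a private key
        [Parameter(Mandatory)][string]$OutDir    # existing directory for the cert-N.cer files
    )
    # .NET file APIs ignore the PowerShell location, so resolve to an absolute path first.
    $OutDir = (Resolve-Path -LiteralPath $OutDir).ProviderPath
    # Match CERTIFICATE blocks only; PRIVATE KEY blocks are never captured or written.
    $pattern = '-----BEGIN CERTIFICATE-----(?<b64>[A-Za-z0-9+/=\s]+?)-----END CERTIFICATE-----'
    $blocks = [regex]::Matches($PemText, $pattern)
    if ($blocks.Count -eq 0) { throw 'No CERTIFICATE block found in the PEM text.' }
    if ($PemText -match '-----BEGIN [A-Z ]*PRIVATE KEY-----') {
        Write-Warning 'Input contains a private key; it is left out of the .cer output.'
    }
    $index = 0
    foreach ($block in $blocks) {
        $der = [Convert]::FromBase64String(($block.Groups['b64'].Value -replace '\s', ''))
        # Parsing the bytes proves they are an X.509 certificate, not just valid Base64.
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
        $path = Join-Path $OutDir ("cert-{0}.cer" -f $index)
        [IO.File]::WriteAllBytes($path, $der)
        [pscustomobject]@{
            Path = $path; Subject = $cert.Subject
            NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint
        }
        $index++
    }
}

# Constructed sample input: a throwaway self-signed certificate plus a dummy key block
# (the "key" is a placeholder string, not real key material).
$rsa = [System.Security.Cryptography.RSA]::Create(2048)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=example.test', $rsa,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$sample = $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))
$b64 = [Convert]::ToBase64String($sample.RawData, 'InsertLineBreaks')
$pem = "-----BEGIN CERTIFICATE-----`n$b64`n-----END CERTIFICATE-----`n" +
       "-----BEGIN RSA PRIVATE KEY-----`nQ09OU1RSVUNURUQ=`n-----END RSA PRIVATE KEY-----`n"
Convert-PemBundleToCer -PemText $pem -OutDir ([IO.Path]::GetTempPath())
```

When the input holds a chain, each certificate lands in its own file in the order it appears in the PEM text.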
Using OpenSSL (Command Line)
This is the most reliable cross-platform method:
# Convert PEM to DER (binary .cer)
openssl x509 -outform der -in certificate.pem -out certificate.cer
# Or keep Base64 encoding (alternative .cer format)
openssl x509 -in certificate.pem -out certificate.cer -outform pem
Using Windows Certificates MMC
For Windows users without OpenSSL:
- Save the entire PEM content to a .pem or .txt file
- Open MMC → Add Certificates snap-in
- Import the .pem file
- Right-click the certificate → All Tasks → Export
- Choose "DER encoded binary X.509 (.CER)" format
Programmatic Conversion in C#
For automation scenarios:
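using System.IO;
using System.Security.Cryptography.X509Certificates;
// Load from PEM file (with no key path given, the private key is read from the same file)
var cert = X509Certificate2.CreateFromPemFile("certificate.pem");
// Save as DER format; X509ContentType.Cert exports the certificate only, without the private key
File.WriteAllBytes("certificate.cer", cert.Export(X509ContentType.Cert));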
After conversion, verify the file:
openssl x509 -inform der -in certificate.cer -text -noout
When importing to IIS:
- Use the Server Certificates feature in IIS Manager
- For PFX files containing private keys, use "Import"
- For .cer files (public key only), use "Complete Certificate Request"
- Ensure the certificate chain is properly installed
If you encounter problems:
# Check certificate validity period (older OpenSSL releases need -inform der for a binary DER .cer)
openssl x509 -in certificate.cer -noout -dates
# Verify the certificate chain
openssl verify -CAfile ca_bundle.crt certificate.cer