Types of SSL/TLS Certificates and Their Conversions in Linux

 


Introduction

SSL certificates play a critical role in securing modern websites and servers. Converting SSL certificates on Linux is a key skill for system administrators and DevOps engineers. Whether you are configuring Apache or Nginx, or moving certificates to Windows IIS, it is important to understand SSL certificate formats such as PEM, DER and PKCS12.

SSL certificates come in multiple formats, and sometimes the format provided by a Certificate Authority (CA) does not match your server's requirements. Some certificate authorities issue certificates in one specific format, so you need to convert them to the required format before installing them. SSL certificate conversion is handy in such situations.

This guide covers the types of SSL certificates, the SSL certificate formats and the OpenSSL commands for certificate conversion on Linux, helping system administrators set up HTTPS securely and in the proper format.

For server hardening relevant to securing an SSL/TLS deployment, read our guide on The Right Way to Secure SSH Access on Your Linux Server.

What Is an SSL/TLS Certificate?

An SSL (Secure Sockets Layer) certificate, now technically a TLS (Transport Layer Security) certificate, is a digital file that:

  •  Encrypts data in transit
  •  Verifies server identity
  •  Ensures data integrity

Websites secured with an SSL certificate show https:// and a padlock in the browser.

Types of SSL Certificates Based on Validation

1. Domain Validation (DV) SSL Certificate

Domain validation certificates verify domain ownership only.

Key Features:

  •  Fast issuance (minutes)
  •  Low cost or free
  •  Basic encryption

2. Organization Validation (OV) SSL Certificate

Organization validation certificates verify both the ownership of the domain and the identity of the business.

Key Features:

  •  Organization details included
  •  Greater credibility than domain validation
  •  Manual verification process

Best For: Business websites and corporate portals

3. Extended Validation (EV) SSL Certificate

Extended validation certificates provide the highest level of trust.

Key Features:

  •  Strict identity verification
  •  Maximum credibility
  •  Strong customer trust

Best For: Banking, financial services and e-commerce platforms

Types of SSL Certificates Based on Domain Coverage

1. Single-Domain SSL Certificate

This certificate secures a single fully qualified domain name.

For example:

example.com

2. Wildcard SSL Certificate

Secures a domain and its subdomains.

For example:

*.example.com

3. Multi-Domain (SAN/UCC) SSL Certificate

Secures multiple unrelated domains under one certificate.

For example:

  •  example.com
  •  example.net
  •  example.org etc.

Common SSL Certificate Formats

| Format | Extension | Description |
|--------|-----------|-------------|
| PEM | .pem, .crt, .cer | Base64 encoded format, widely used in Linux systems |
| DER | .der | Binary certificate format, not human-readable |
| PKCS7 | .p7b, .p7c | Contains certificate chain without private key |
| PKCS12 | .pfx, .p12 | Includes certificate along with private key (password protected) |
| JKS | .jks | Java KeyStore format used in Java-based applications |

SSL/TLS Certificate Definitions

1. PEM (Privacy-Enhanced Mail)

PEM stores cryptographic data in Base64-encoded form, which makes it human-readable and easy to edit. It is the most commonly used SSL certificate format on Linux systems.

Key Characteristics:

  •  Encoded using Base64
  •  Wrapped in header and footer lines (BEGIN/END)
  •  Can store the SSL certificate, the private key and the CA bundle (intermediate certificates)

File Extensions:

  •  .pem
  •  .key
  •  .crt
  •  .cer

Where PEM is used:

  •  Apache HTTP Server
  •  Nginx
  •  HAProxy
  •  Docker, Kubernetes
  •  AWS, GCP and Azure

2. DER (Distinguished Encoding Rules)

DER is a binary SSL certificate format based on the ASN.1 encoding rules. DER files are not human-readable.

Key Characteristics:

  • Binary format
  • Contains a single certificate
  • Smaller in size than PEM

File Extensions:

  • .der
  • .cer

Where DER is used

  • Java-based systems
  • Embedded devices
  • Windows environments

3. PKCS7 (Public Key Cryptography Standards #7)

PKCS7 is a certificate container format that can store one or more certificates in a chain but does not contain any private keys.

Key Characteristics:

  •  Stores certificate chains
  •  Base64 or binary encoding
  •  Used for certificate distribution

File Extensions:

  • .p7b
  • .p7c

What PKCS7 contains:

  •  Server certificates
  •  Intermediate certificates
  •  Root certificate (optional)

Where PKCS7 is used:

  •  Windows certificate store
  •  IIS certificate imports
  •  CA bundle delivery

4. PKCS12 (Public Key Cryptography Standards #12)

PKCS12 is a secure storage format that packages the certificate and the CA chain together with the private key into one encrypted file.

Key Characteristics:

  •  Password-protected
  •  Binary format
  •  Portable across platforms

File Extensions:

  •  .pfx
  •  .p12

What PKCS12 contains:

  •  SSL certificate
  •  Private key
  •  Intermediate CA certificates

Where PKCS12 is used:

  •  Windows IIS
  •  Load balancers
  •  Browsers (certificate import)
  •  Cloud services

5. JKS (Java KeyStore)

JKS is a Java-specific keystore format that holds the SSL certificates and private keys of Java applications.

Key Characteristics:

  •  Proprietary Java format
  •  Password-protected
  •  Managed using keytool

File Extensions:

  •  .jks

What JKS stores:

  •  Private keys
  •  SSL certificates
  •  Trusted CA certificates

Where JKS is used:

  •  Apache Tomcat
  •  JBoss/WildFly
  •  Spring Boot applications
  •  Java-based middleware

Managing storage and permissions is very important wherever SSL/TLS certificates are stored. Read our guide on Best Disk & Storage Commands in the Linux.

Quick Comparison Table

[Figure: SSL/TLS certificate formats (PEM, DER, PKCS7, PKCS12 and JKS) and their usage in Linux]

OpenSSL

OpenSSL is a free and open-source command-line tool that handles a wide range of SSL certificate tasks. It is most commonly used to convert SSL certificates between formats, and besides certificate conversion it is also used to generate keys and troubleshoot TLS connections. The latest version of OpenSSL can be downloaded from the OpenSSL project website.

SSL Certificate Conversion with OpenSSL

[Figure: OpenSSL certificate conversion commands for the PEM, DER, PKCS7, PKCS12 and JKS formats in Linux]


1. How to Convert PEM to DER
# openssl x509 -in certificate.pem -outform DER -out certificate.der

2. How to Convert DER to PEM
# openssl x509 -in certificate.der -inform DER -outform PEM -out certificate.pem

3. How to Convert PEM to PFX (PKCS12)
This command is commonly used when migrating SSL certificates from Linux servers (PEM) to Windows servers such as IIS (PFX format).

# openssl pkcs12 -export -in certificate.crt -inkey private.key -certfile ca_bundle.crt -out certificate.pfx

4. How to Convert PFX to PEM
# openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes

The -nodes option writes the private key into certificate.pem unencrypted, so restrict access to the output file.

5. How to Convert PEM to P7B
# openssl crl2pkcs7 -nocrl -certfile certificate.crt -certfile ca_bundle.crt -out certificate.p7b

6. How to Convert P7B to PEM
# openssl pkcs7 -print_certs -in certificate.p7b -out certificate.pem

7. How to Convert PEM to Java KeyStore (JKS)
# keytool -importcert -alias sslcert -file certificate.pem -keystore keystore.jks

This command imports the certificate only, as a trusted certificate entry; the private key is not added to the keystore.
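
The OpenSSL conversions above can be checked end to end. The script below is an added example, not part of the original guide: it creates a throwaway self-signed certificate, runs the PEM/DER, PEM/PFX and PEM/P7B conversions, and confirms by SHA-256 fingerprint that every round trip returns the same certificate. The function names, file names, the CN test.example.com and the password changeit are constructed test values.

```shell
#!/bin/sh
# Added example: file names, CN and the password "changeit" are constructed
# test values. Never pass a real password on the command line like this.

# Print the SHA-256 fingerprint of a certificate; $2 is PEM (default) or DER.
cert_fp() {
    openssl x509 -in "$1" -inform "${2:-PEM}" -noout -fingerprint -sha256
}

# Round-trip one certificate through every format and compare fingerprints.
roundtrip_check() {
    work=$(mktemp -d) || return 1
    (
        cd "$work" || exit 1
        umask 077    # key and PFX files are created owner-only

        # Constructed self-signed test certificate with an unencrypted key.
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=test.example.com" \
            -keyout private.key -out certificate.pem 2>/dev/null || exit 1
        want=$(cert_fp certificate.pem)

        # PEM -> DER -> PEM
        openssl x509 -in certificate.pem -outform DER -out certificate.der
        openssl x509 -in certificate.der -inform DER -outform PEM -out from_der.pem

        # PEM -> PFX -> PEM (-nokeys: extract the certificate only)
        openssl pkcs12 -export -in certificate.pem -inkey private.key \
            -passout pass:changeit -out certificate.pfx
        openssl pkcs12 -in certificate.pfx -passin pass:changeit \
            -nokeys -out from_pfx.pem

        # PEM -> P7B -> PEM
        openssl crl2pkcs7 -nocrl -certfile certificate.pem -out certificate.p7b
        openssl pkcs7 -print_certs -in certificate.p7b -out from_p7b.pem

        [ "$(cert_fp certificate.der DER)" = "$want" ] || exit 1
        for f in from_der.pem from_pfx.pem from_p7b.pem; do
            [ "$(cert_fp "$f")" = "$want" ] || { echo "mismatch: $f"; exit 1; }
        done
        echo "all conversions preserved the certificate"
    )
    rc=$?
    rm -rf "$work"
    return $rc
}
```

Calling roundtrip_check prints one confirmation line on success and names the first converted file whose fingerprint differs otherwise.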

SSL Certificate Formats Based on the Platform

[Figure: SSL certificate formats categorized by platform, including Linux, Windows and Java KeyStore (PEM, DER, PKCS7, PKCS12, JKS)]

To improve your CLI workflow while working with OpenSSL and certificate commands, read our guide on 10 Ways to Clear Bash Command Line History in Linux.


SSL Conversion Errors & Fixes

1. Wrong format error

Cause:

  •  The wrong format is used, e.g. DER instead of PEM
  •  Incorrect file extension
  •  Mixing certificate types, such as P7B with PFX

Fix:

  •  Identify the current format
  •  Convert to the correct format

2. Missing private key

Cause:

  •  The private key is not available with the certificate
  •  A PKCS7 (.p7b) file is used, which does not contain the private key

Fix:

  •  Ensure you have the correct private key
  •  Verify that the key matches the certificate
  •  Both outputs must match
  •  If the key is missing, the private key and CSR must be regenerated on the server

3. Incorrect password

Cause:

  •  Wrong password for the .pfx / .p12 file
  •  Encrypted private key

Fix:

  •  Verify the password while extracting
  •  If the password is forgotten and cannot be recovered, re-export or reissue the certificate

4. Unable to load certificate

Cause:

  •  Wrong file path
  •  Corrupted certificate
  •  Wrong format (binary vs text)
  •  Missing BEGIN/END headers in PEM

Fix:

  •  Check that the file exists
  •  Validate the certificate
  •  Fix the PEM format
  •  Convert if the format is wrong

Most SSL conversion errors occur due to incorrect formats, missing private keys or wrong passwords. Always verify the certificate components before running the OpenSSL commands.
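
Two of the fixes above, identifying the current format and verifying that a key matches its certificate, can be scripted. The following is an added example, not code from the original guide: detect_format and key_matches_cert are hypothetical helper names, the key check compares public keys (one common way to do it), and every file is a constructed sample created in a temporary directory.

```shell
#!/bin/sh
# Added example: all file names and the CN are constructed test values.

# Print PEM, DER, PKCS7-PEM, PKCS7-DER or UNKNOWN for the file in $1.
# PKCS12 cannot be parsed without its password, so it is not probed here.
detect_format() {
    if grep -q -e '-----BEGIN PKCS7-----' "$1"; then echo PKCS7-PEM
    elif grep -q -e '-----BEGIN CERTIFICATE-----' "$1" &&
         openssl x509 -in "$1" -noout 2>/dev/null; then echo PEM
    elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then echo DER
    elif openssl pkcs7 -in "$1" -inform DER -noout 2>/dev/null; then echo PKCS7-DER
    else echo UNKNOWN
    fi
}

# Succeed only if the public key inside certificate $1 equals the public key
# derived from private key $2. Returns 2 if either file cannot be parsed.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Build constructed samples in a temp directory and run both checks on them.
demo() {
    d=$(mktemp -d) || return 1
    (
        umask 077
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=test.example.com" \
            -keyout "$d/good.key" -out "$d/cert.pem" 2>/dev/null || exit 1
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -out "$d/other.key" 2>/dev/null
        openssl x509 -in "$d/cert.pem" -outform DER -out "$d/cert.der"
        openssl crl2pkcs7 -nocrl -certfile "$d/cert.pem" -out "$d/chain.p7b"
        printf 'not a certificate\n' > "$d/junk.crt"

        for f in cert.pem cert.der chain.p7b junk.crt; do
            printf '%s=%s ' "$f" "$(detect_format "$d/$f")"
        done
        key_matches_cert "$d/cert.pem" "$d/good.key" && printf 'good.key=match '
        key_matches_cert "$d/cert.pem" "$d/other.key" || printf 'other.key=mismatch'
        echo
    )
    rm -rf "$d"
}
```

The format check reads the file content rather than the extension, which is what catches a .crt file that is actually DER or a .pem that is really a P7B bundle.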


SSL Certificate Best Practices

  •  Secure private keys with strict access control
  •  Expiring certificates should be renewed
  •  Renew certificates before expiration
  •  Always use a complete certificate chain
  •  Store backups securely

Frequently Asked Questions (FAQs)


1. What is an SSL/TLS certificate?

An SSL/TLS certificate is a digital certificate that encrypts the information exchanged between a user's browser and a web server. It provides a safe channel of communication, verifies the identity of the server and protects sensitive data such as login information and payment data.

2. Why do we need to convert SSL certificates?

SSL certificate conversion is required when the format of the certificate issued by a Certificate Authority (CA) is not compatible with the server or application. For example, Apache HTTP Server works with the PEM format and Microsoft IIS with the PFX format.

3. What tool is used for SSL certificate conversion in Linux?

The most commonly used tool is OpenSSL. It allows you to convert certificates between formats such as PEM, DER, PFX and P7B, as well as generate keys and troubleshoot SSL issues.

4. How is a PEM certificate converted into PFX?

To convert a PEM certificate into PFX, use this command:

openssl pkcs12 -export -in certificate.crt -inkey private.key -certfile ca_bundle.crt -out certificate.pfx

5. Which SSL format is best for Linux servers?

The PEM format is best for Linux-based servers such as:

  •  Nginx
  • Apache HTTP Server

Conclusion

Understanding the types of SSL certificates and how they can be converted in Linux is an essential skill for system administrators, DevOps engineers and hosting professionals. This guide includes all the steps required to implement HTTPS, starting with the selection of the appropriate type of SSL certificate (DV, OV, EV), up to the actual conversion of the SSL certificate with the help of OpenSSL.

With PEM to PFX conversion, DER to PEM conversion and Java KeyStore SSL certificates well under control, you will be able to handle Apache, Nginx, IIS, cloud and Java servers and platforms with ease and confidence.

If you found this guide helpful, explore more Linux tutorials on Seeklinux to master system administration. Your feedback and comments are always appreciated.
