Convert .pem file into .crt using openssl

Question

I want to be able to send certificates in my API requests.

Please see - Add certificate on request with RestSharp

As shown in that post. I need to convert .crt and .key to .pfx , however my current certificates are .pem, so I thought I will need to convert them into .crt and .key first and then use the openssl comand used in that post to convert them into .pfx and then carry on with the rest of the solution.

My certificates are -

CRT file - C:\Users\JohnSmith\Downloads\certsh\client-crt.pem

Key file - C:\Users\JohnSmith\Downloads\certsh\client-key.pem

I was able to convert the Key file to a .key , but when trying to convert the CRT file I am getting this error.

unable to load certificate 13668:error:0906D06C:PEM routines:PEM_read_bio:no start line:.\crypto\pem\pem_lib.c:697:Expecting: TRUSTED CERTIFICATE error in x509

I am using this command to try and convert the .pem to .crt

x509 -outform der -in client-csr.pem -out client.crt

Answer 1

The extension .pem indicates that the format of the file is PEM (Privacy-Enhanced Mail) (RFC 7468). The content of the file may be a certificate, a private key, a public key, or something else. If you open a PEM file with a text editor, your will see -----BEGIN ?????----- at the top.

The extension .crt implies that the content of the file is a certificate. However, the extension does not tell anything about the file format. The format may be PEM, DER (Distinguished Encoding Rules) (X.690), or something else. If the file contains -----BEGIN CERTIFICATE-----, the format is PEM. On the other hand, if the file contains binary data, it is likely that the format is DER.

The extension .key implies that the content of the file is a private key. However, the extension does not tell anything about the file format. The format may be PEM, DER, or something else. If the file contains -----BEGIN PRIVATE KEY-----, the format is PEM. On the other hand, if the file contains binary data, it is likely that the format is DER.

The string csr, which is a part of the file name client-csr.pem, implies that the content of the file is CSR (Certificate Signing Request). Note that CSR is NOT a certificate. It seems you are trying to convert the file format of client-csr.pem from PEM to DER, but the CSR will never become a certificate by converting the file format. What you should give to the openssl command is not client-csr.pem but client-crt.pem, I think.

Understanding relationship among ASN.1 (X.680), DER (X.690), BASE64 (RFC 4648) and PEM (RFC 7468) will improve the quality of your questions and help you avoid wasting time. I hope that diagrams below excerpted from "Illustrated X.509 Certificate" can help you.