I am often asked what the difference is between the following certificate export options:
The first option exports the certificate encoded in Distinguished Encoding Rules (DER) format, which is a binary format.
The second option exports the certificate encoded with Base64, which is an encoding method that converts binary data to plain ASCII text. This is usually how binary attachments are encoded in mail messages, but you never see the Base64 text because the mail client automatically converts it back to its original data type before showing you the message.
Certificates exported with the two different options look and act the same on the file level:
The file extension *.cer is interchangeable with *.crt.
Note: DER-encoded certificates sometimes have the file extension *.der and Base64-encoded certificates sometimes have the file extension *.pem, usually in non-Windows environments.
If you open them in a text editor you see the difference:
In some remote access scenarios it’s not possible to copy binary data (such as files), but you can copy/transfer plain text. It’s pretty obvious that Base64 is a better choice in these cases.
But what if you only have a DER-encoded version of the certificate available? Well, you can either export it again and choose the other format OR you can use certutil:
To convert from binary to Base64:
certutil -encode filename.cer newfilename.cer
To convert from Base64 to binary:
certutil -decode filename.cer newfilename.cer
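Because both encodings can share the same *.cer extension, it helps to be able to tell them apart from the file content and to notice when a binary copy was damaged in transit. The following Python script is an added example, not part of the original post: the function names and the sample bytes are made up for illustration, and it assumes the Base64 file carries the usual BEGIN/END CERTIFICATE lines.

```python
import base64
import re

# Header and footer that wrap the Base64 text of an exported certificate.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.DOTALL)

def der_is_complete(data: bytes) -> bool:
    """True if data is exactly one ASN.1 SEQUENCE (tag 0x30 plus declared length)."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                  # short form: the length is this byte
        header, length = 2, first
    else:                             # long form: next (first & 0x7F) bytes hold it
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)

def detect_encoding(data: bytes) -> str:
    """Classify the content of a .cer/.crt file as 'base64', 'der' or 'unknown'."""
    if PEM_RE.search(data):
        return "base64"
    return "der" if der_is_complete(data) else "unknown"

def to_base64(der: bytes) -> bytes:
    """DER -> Base64 text with header, footer and 64-character lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n").encode("ascii")

def to_der(text: bytes) -> bytes:
    """Base64 text -> DER; tolerates CRLF line endings and extra whitespace."""
    match = PEM_RE.search(text)
    if not match:
        raise ValueError("no BEGIN/END CERTIFICATE block found")
    return base64.b64decode(b"".join(match.group(1).split()), validate=True)

# Constructed sample: a 206-byte ASN.1 SEQUENCE standing in for a certificate
# (well-formed DER framing, but not a real X.509 certificate).
SAMPLE_DER = b"\x30\x81\xcb\x04\x81\xc8" + bytes(200)

if __name__ == "__main__":
    pem = to_base64(SAMPLE_DER)
    print(detect_encoding(SAMPLE_DER), detect_encoding(pem))
    print(pem.decode("ascii"))
```

A result of 'unknown' for a file that should be DER usually means the binary data was truncated or altered while being copied, which is the situation where transferring the Base64 form is the safer choice.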
Great, brief explanation. Thank you!
You’re welcome 🙂
Thanks, nice explanation.
Good explanation.
Thanks for the clear explanation!
You’re welcome. Nice that a 7-year-old blog post is still relevant 🙂