Last updated: Oct 26, 2025
When working with SSL/TLS certificates, it’s common to come across different certificate file extensions such as .cer and .crt. At first glance, these may look like two different certificate types, but in reality, CER and CRT are not different certificate formats — they are just different file extensions used by different operating systems and server environments. The actual difference lies not in the extension, but in the encoding format inside the file (PEM vs DER).
Windows typically uses .cer, while Linux-based servers often use .crt, but both files can contain the same X.509 certificate data. In fact, you can rename a .cer to .crt, and the certificate will still work as long as the content is in the expected encoding format. The key to working with these certificates is understanding whether the file is Base64 encoded (PEM) or binary encoded (DER) — because that determines how the certificate is parsed by browsers, servers, and tools like OpenSSL.
In this guide, we’ll clarify:
- What CER vs CRT actually means
- How these extensions relate to PEM and DER formats
- When each type is used in Windows vs Linux environments
- How to convert between CER and CRT using OpenSSL
- Real-world deployment scenarios where conversion is required
By the end, you’ll know exactly when to use .cer vs .crt, what’s actually inside these files, and how to convert them properly depending on your web server, load balancer, or certificate management workflow.
What CER and CRT Actually Represent
A common misconception is that .cer and .crt are two different types of certificates. In reality, both file extensions contain the same kind of X.509 certificate — the difference is mostly convention, not technology. The actual certificate format is determined by how the data is encoded, not by the file extension.
Both .cer and .crt files can contain:
- A public certificate
- A certificate chain (intermediate + root)
- Base64 PEM or binary DER encoding
The extension is often just a hint to the operating system or web server about how the file should be treated or displayed.
CER (.cer)
- Commonly used in Windows ecosystems
- Can be PEM or DER encoded
- Often double-clickable to view in Windows certificate viewer
- Used for importing into Windows certificate store
CRT (.crt)
- Commonly used in Linux / Unix / Apache / Nginx environments
- Typically PEM (Base64) encoded
- Works with OpenSSL, Apache, Nginx, HAProxy, Traefik, etc.
- Used frequently in web server TLS configuration
So if .cer and .crt contain the same X.509 certificate, what is the real difference?
The real difference is not CER vs CRT — it is PEM vs DER, which I will explain next.
PEM vs DER (The Real Difference Behind CER and CRT)
The real difference isn’t the file extension — it’s the encoding format inside the file. X.509 certificates can be stored in either PEM (Base64 text) or DER (binary) format. Both .cer and .crt can be either PEM or DER, which is why simply looking at the file extension does not tell you the full story.
PEM Format (Base64 Encoded)
- Human-readable (text-based)
- Begins with -----BEGIN CERTIFICATE-----
- Most common for web servers (Nginx, Apache, HAProxy)
- Typically used in Linux environments
- Usually stored as .crt, .cer, or .pem
DER Format (Binary Encoded)
- Machine-readable (binary)
- No BEGIN/END headers
- Used in Windows systems and Java keystore environments
- Often stored as .cer or .der
Quick Way to Identify the Format
| How to check | What it means |
|---|---|
| If the file opens in a text editor and you see -----BEGIN CERTIFICATE----- | It is PEM |
| If the file looks like binary / unreadable text | It is DER |
Summary
| Certificate Property | PEM Format | DER Format |
|---|---|---|
| Encoding | Base64 text | Binary |
| Readable by humans | Yes | No |
| Common extension | .pem, .crt, .cer | .cer, .der |
| Common usage | Linux/web servers | Windows/Java systems |
So .cer and .crt are just container names — PEM vs DER is what actually matters.
When to Use CER vs CRT (Windows vs Linux vs Server Environments)
In practice, the choice between .cer and .crt is mostly determined by the operating system or the type of software consuming the certificate. The certificate content is the same; only the expected filename and encoding format differ depending on the ecosystem.
When to Use .cer
Use .cer when working with environments that integrate with the Windows certificate store or tools that expect DER encoding:
- Importing into Windows MMC Certificate Store
- IIS (Internet Information Services) certificate management
- Active Directory / Group Policy deployments
- Java Keystore in DER format
- Windows applications validating certificates via OS trust
.cer files are frequently DER-encoded, but can also be PEM depending on how they were exported.
When to Use .crt
Use .crt for web servers and Linux-based infrastructure, where PEM (Base64) is the dominant standard:
- Nginx, Apache, HAProxy, Caddy, Traefik
- Load balancers or reverse proxies
- Linux-based PKI or OpenSSL tooling
- Kubernetes ingress controllers
- Dockerized apps mounting PEM certs
.crt files are typically PEM-encoded (BEGIN CERTIFICATE) and are designed to work natively with OpenSSL and Unix-style server stacks.
Summary Table
| Environment | Preferred Extension | Typical Encoding |
|---|---|---|
| Windows / IIS / MMC | .cer | DER or PEM |
| Linux / Web servers | .crt | PEM |
| Java keystore | .cer (DER) | DER |
| Reverse proxies (Nginx/Apache) | .crt | PEM |
How to Convert CER to CRT (and Vice Versa)
Because .cer and .crt are just filenames, converting between them is often as simple as renaming the file extension — but only if the encoding is already correct. If the format also needs to change (PEM ↔ DER), then OpenSSL conversion is required.
Before converting, always check whether the file is already PEM or DER by opening it in a text editor:
- If you see -----BEGIN CERTIFICATE----- → PEM → just rename extension
- If binary → DER → convert using OpenSSL
Case 1: CER and CRT Already in PEM Format (Simple Rename)
This works because the internal encoding is already PEM.
Case 2: DER (.cer) → PEM (.crt)
This is required when Windows-exported certificates (binary) are being used on Linux/OpenSSL-based servers.
Case 3: PEM (.crt) → DER (.cer)
Required when importing a Linux certificate into Windows MMC or Java keystore systems expecting DER.
Case 4: Verify Certificate Details After Conversion
This confirms:
- correct format
- correct subject & issuer
- valid dates
- chain consistency
Conversion Summary Table
| From | To | Command |
|---|---|---|
| .cer (DER) | .crt (PEM) | openssl x509 -in file.cer -inform DER -out file.crt -outform PEM |
| .crt (PEM) | .cer (DER) | openssl x509 -in file.crt -inform PEM -out file.cer -outform DER |
| .cer (PEM) | .crt (PEM) | rename only |
| .crt (PEM) | .cer (PEM) | rename only |
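The check-then-convert procedure from Cases 1 to 4, as an added example that is not part of the original guide: it identifies the encoding by what OpenSSL can actually parse rather than by the extension, converts to PEM, and confirms by fingerprint that the certificate is unchanged. The function names, file names and the throwaway self-signed certificate (CN=example.test) are constructed for illustration.

```shell
#!/bin/sh
# Added example; function and file names are illustrative, not from the guide.

# Print PEM, DER or UNKNOWN based on what OpenSSL can parse, not the extension.
cert_encoding() {
  if grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
     openssl x509 -in "$1" -inform PEM -noout 2>/dev/null; then
    echo PEM
  elif openssl x509 -in "$1" -inform DER -noout 2>/dev/null; then
    echo DER
  else
    echo UNKNOWN
  fi
}

# SHA-256 fingerprint of the certificate; identical for PEM and DER copies.
cert_fingerprint() {
  openssl x509 -in "$1" -inform "$(cert_encoding "$1")" -noout -fingerprint -sha256
}

# Write a PEM copy of $1 to $2; refuse input that is not a certificate.
to_pem() {
  enc=$(cert_encoding "$1")
  if [ "$enc" = UNKNOWN ]; then
    echo "not an X.509 certificate: $1" >&2
    return 1
  fi
  openssl x509 -in "$1" -inform "$enc" -out "$2" -outform PEM
}

# Constructed sample: a throwaway self-signed certificate saved DER-encoded
# as server.cer, the way a Windows export often is.
make_sample() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout "$1/key.pem" -out "$1/leaf.pem" 2>/dev/null &&
    openssl x509 -in "$1/leaf.pem" -outform DER -out "$1/server.cer"
}

demo() {
  d=$(mktemp -d) && make_sample "$d" || return 1
  echo "server.cer is $(cert_encoding "$d/server.cer")"
  to_pem "$d/server.cer" "$d/server.crt"
  echo "server.crt is $(cert_encoding "$d/server.crt")"
  # Case 4 check: the fingerprint must be the same before and after.
  [ "$(cert_fingerprint "$d/server.cer")" = "$(cert_fingerprint "$d/server.crt")" ] &&
    echo "fingerprints match"
  rm -rf "$d"
}
demo
```

openssl x509 reads only the first certificate in a file, so to_pem is meant for single-certificate files, not bundles.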
Real-World Scenarios Where CER ↔ CRT Conversion Is Required
In real deployments, you will often need to convert between .cer and .crt not because the certificate itself is different, but because different systems expect different encodings or filenames. Below are the most common real-world cases where conversion is necessary.
1. Moving a Certificate from Windows (IIS) to Linux (Apache/Nginx)
Windows typically exports certificates as .cer in DER format.
Linux web servers expect .crt in PEM format.
Why conversion is needed:
- DER → PEM
- .cer → .crt
This is the most common conversion scenario for migration or multi-platform hosting.
2. Importing a Certificate into Windows Trust Store
If your certificate originated on Linux as .crt (PEM), Windows MMC may not accept it unless it’s DER-encoded.
Why conversion is needed:
- PEM → DER
- .crt → .cer
3. Load Balancers Requiring PEM Chains
Some reverse proxies (HAProxy, Traefik, Nginx) require the entire chain (leaf + intermediate) in PEM .crt format. A Windows-exported .cer file may not include intermediates.
Why conversion is needed:
- Re-bundle into fullchain.crt
- Ensure PEM format
4. Java / Tomcat / WebLogic Keystores
Java keystores often expect DER for import before converting into .jks or .p12. So .crt → .cer (DER) is required.
Why conversion is needed:
- Linux-issued PEM doesn’t work directly in Java keystore
- DER format required for import step
5. CDN / Cloud Providers With Format Restrictions
AWS ELB/ALB, Azure, GCP, and Cloudflare often require PEM format only. If you upload a .cer (DER), it will fail validation.
Why conversion is needed:
- Binary DER must be converted to PEM .crt
6. Kubernetes Secrets and Ingress Controllers
Kubernetes TLS secrets require PEM .crt, not .cer.
If a Windows admin provides .cer from an ADCS environment, conversion is required before mounting into the cluster.
Why conversion is needed:
- DER → PEM
- .cer → .crt

The extension (.cer vs .crt) rarely matters — the encoding format (PEM vs DER) is what determines whether a certificate works on a given platform.
Frequently Asked Questions (FAQ)
1. Is there any real difference between CER and CRT?
No. .cer and .crt are the same type of X.509 certificate. The difference is only the file extension — .cer is more common in Windows environments, while .crt is more common in Linux-based web servers. The real difference is the encoding format (PEM vs DER), not the extension.
2. Which is more secure: CER or CRT?
Neither is more secure — security depends on the certificate issuer and key strength, not the file extension. Both .cer and .crt can contain the same certificate in either PEM or DER format.
3. How do I know if my CER file is PEM or DER?
Open it in a text editor:
- If it shows -----BEGIN CERTIFICATE----- → PEM (Base64)
- If it is binary/unreadable → DER
4. Can I just rename .cer to .crt?
Yes — but only if it’s already PEM encoded. If the .cer file is DER-encoded, you must convert it using OpenSSL before renaming.
5. When should I use .cer instead of .crt?
Use .cer when importing into Windows certificate store, Java keystore, or enterprise PKI tools. Use .crt for Linux web servers like Nginx, Apache, HAProxy, and Kubernetes.
6. Why do Linux servers require .crt format?
They don’t strictly require the .crt extension, but PEM-encoded certificates are standard in Linux environments and OpenSSL expects PEM by default — .crt simply signals that convention.
7. Can I convert CER to CRT without OpenSSL?
If both are PEM format, yes — renaming is enough. If conversion from DER to PEM is needed, you must use OpenSSL.
8. What is PEM vs DER in simple terms?
- PEM = Base64 text, readable, starts with BEGIN CERTIFICATE
- DER = Binary encoding, not human readable
9. Can I combine CER and CRT into a full chain?
Yes — if both are PEM files, they can be concatenated to form fullchain.crt for Nginx/Apache. If DER, convert to PEM first.
10. Does .pem = .crt?
In most Linux servers, yes. .crt is just a PEM certificate with a different extension. .pem is a more general container that can also hold private keys or intermediate chains.
Conclusion
The difference between CER and CRT is not about security, certificate type, or even trust — it’s simply a difference in file extension convention, typically based on operating system and tooling. Both .cer and .crt can contain the exact same X.509 certificate, and both can be either PEM (Base64) or DER (binary) encoded.
The real technical distinction is PEM vs DER, not CER vs CRT. Linux web servers like Nginx and Apache expect PEM certificates (commonly stored as .crt), while Windows and Java environments often distribute certificates as .cer in DER format. That’s why conversion is occasionally required when migrating certificates between platforms.
Once you understand the encoding difference, converting between .cer and .crt is straightforward using OpenSSL, and you can confidently deploy certificates across Windows, Linux, Java-based servers, CDNs, and Kubernetes without compatibility issues.
