DER Certificate Format Explained

DER (Distinguished Encoding Rules) is the binary encoding format for X.509 certificates, defined in ITU-T Recommendation X.690. A DER file contains the raw binary ASN.1 encoding of the certificate — it's the canonical form from which all other certificate formats (PEM, PKCS#12) are derived.

DER vs. PEM

DER and PEM contain the same information — the difference is encoding:

  • DER: Binary. Not human-readable. Typically has a .der or .cer extension on Windows.
  • PEM: Base64-encoded DER with text headers. Text-safe, can be embedded in config files, emails, and copied into browser forms.

To go from DER to PEM: base64-encode the binary and add the -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- headers.

When DER Is Used

  • Windows CryptoAPI traditionally uses DER-encoded .cer files
  • Java applications use DER in KeyStore operations
  • IoT and embedded systems often use DER to save space (no base64 overhead)
  • PKCS#12 (.p12/.pfx) files bundle DER-encoded certs and private keys

Converting Between DER and PEM

PEM to DER:

openssl x509 -in cert.pem -outform DER -out cert.der

DER to PEM:

openssl x509 -in cert.der -inform DER -outform PEM -out cert.pem

Fingerprints Are Computed From DER

When the decoder shows a SHA-256 or SHA-1 fingerprint, it computes the hash over the DER binary, not the PEM text. This is why you get the same fingerprint regardless of whether you're looking at the PEM or DER version of the same certificate — they encode the same bytes, just represented differently.
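
The conversion rule and the fingerprint behaviour described above, as an added example that is not part of the original page or the decoder's own code. The function names are hypothetical and SAMPLE_DER is a constructed DER blob standing in for a certificate. The example goes slightly beyond the text by also checking that the outer DER length covers the whole blob, which catches truncated files and trailing bytes before hashing.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def der_to_pem(der: bytes) -> str:
    """Base64-encode DER, wrap at 64 columns, add the PEM headers."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE-----\n")

def pem_to_der(pem: str) -> bytes:
    """Drop headers and all whitespace (LF or CRLF), then base64-decode."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)

def outer_sequence_ok(der: bytes) -> bool:
    """True if the blob is exactly one SEQUENCE with a minimal definite length."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short form: length in one byte
        hdr, length = 2, first
    else:
        n = first & 0x7F                  # long form: n length bytes follow
        if n == 0 or len(der) < 2 + n:    # 0x80 is indefinite length (BER only)
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        if der[2] == 0 or length < 0x80:  # DER requires the shortest encoding
            return False
        hdr = 2 + n
    return hdr + length == len(der)       # rejects truncation and trailing bytes

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, as hex."""
    return hashlib.sha256(der).hexdigest()

# Constructed sample, NOT a real certificate: SEQUENCE { OCTET STRING (128 bytes) }
SAMPLE_DER = bytes.fromhex("308183048180") + bytes(range(128))

if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    crlf = pem.replace("\n", "\r\n")      # same certificate, Windows line endings
    print(fingerprint(SAMPLE_DER) == fingerprint(pem_to_der(crlf)))
    print(fingerprint(SAMPLE_DER) == hashlib.sha256(pem.encode()).hexdigest())
    print(outer_sequence_ok(SAMPLE_DER), outer_sequence_ok(SAMPLE_DER + b"\x00"))
```

Hashing the PEM text directly gives a value that changes with line endings and wrapping, so always decode to DER before comparing against a pinned or published fingerprint.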
