What is the difference between PEM and DER?

DER is the binary ASN.1 encoding of a certificate or key. PEM wraps that same DER bytes in base64 and adds -----BEGIN/END----- header lines, making it ASCII-safe to paste and email. A .pem file is just base64-encoded DER.

Are .crt, .cer and .pem the same thing?

Often, but not always. .crt and .cer hold a certificate and may be either PEM or DER encoded; .pem signals PEM (base64) text and can hold a certificate, a key, or several concatenated. Check the first bytes: -----BEGIN means PEM.

What is inside a .p12 / .pfx file?

A PKCS#12 bundle: usually a private key plus its certificate and any chain certificates, all in one password-protected binary file. It is the portable format for moving an identity (key + cert) between systems.

How do .jks keystores differ?

JKS (Java KeyStore) is a proprietary Java format managed with keytool, holding keys and certificates under aliases with a password. Modern Java prefers the standard PKCS#12 (.p12) keystore type over the legacy JKS format.

Does this tool read my files?

No. It is a static, browser-rendered reference table. It does not accept uploads, makes no network calls and stores nothing.

PEM/DER File Types Reference

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

Why every cert file looks different

.pem, .crt, .key, .csr, .p12, .jks — the same underlying objects (certificates and keys) ship under a confusing pile of extensions and two encodings. This reference explains what each extension actually holds, whether it is text or binary, and the one command that dumps it so you never guess again.

How it works

Two encodings underlie nearly everything:

DER — the raw binary ASN.1 encoding.
PEM — that same DER, base64-encoded, wrapped in -----BEGIN ...----- / -----END ...----- lines so it is safe to paste into text.

Extensions are a hint, not a guarantee. The reliable test is the first bytes:

-----BEGIN CERTIFICATE-----   → PEM (base64 text)
0x30 0x82 ...                 → DER (binary)

Bundle formats package multiple objects: PKCS#12 (.p12/.pfx) holds a key plus its certificate chain in one password-protected binary file, while JKS (.jks) is Java’s keystore managed by keytool. PEM files can also simply concatenate several certificates to form a chain.

Tips and notes

Identify format by content, not extension: look for the -----BEGIN marker.
Convert with OpenSSL: openssl x509 -in cert.der -inform der -out cert.pem.
Keep private keys (.key) permission-locked and never commit them.
Prefer PKCS#12 (.p12) over legacy JKS for new Java keystores.