How To Convert Certificates from .pem to .der format

Convert .pem certificates to .der

There are two main methods for encoding certificate data – “.pem” and “.der”.

  • DER = Binary encoding for certificate data
  • PEM = The base64 encoding of the DER-encoded certificate, with a header and footer lines added.

To use certificates with a ESP8266 or NodeMCU, we need to convert them from .pem to .der format. ESP8266 does not understand base64 encoding.

This tutorial is part of the series to connect NodeMCU with AWS IoT Core. In the previous post we saw how to Create a “Thing” in AWS IoT and downloaded the certificates

We will use a tool called OpenSSL to do the conversions

Installing OpenSSL

We first need to install OpenSSL. It is an opensource tool that provides an open-source implementation of SSL and TLS protocols. Moreover, it helps convert the certificate files into the most popular X.509 v3 based formats.

In this particular tutorial we will use it to convert the .pem files to .DER.

OpenSSL on Linux

If you’re using Linux, you can install OpenSSL with the following YUM console command:

In case distribution is based on APT instead of YUM, you can use the following command instead:

OpenSSL on Windows

If you’re using Windows, you can install one of the many OpenSSL open-source implementations. I would recommend Win32 OpenSSL by Shining Light Production, available as light or full version, both compiled in x86 (32-bit) and x64 (64-bit) modes. You can install any of these versions, as long as your system supports them.

IMPORTANT: OpenSSL for Windows requires the Visual C++ 2008 Redistributables runtime in order to work.

OpenSSL is a console application, meaning that we’ll use it from the command-line.

After installing, it’s important to check that the installation folder (C:\Program Files\installed_softs\OpenSSL-Win64\bin in my case) has been added to the system PATH (Control Panel > SystemAdvanced Environment Variables). If  not, you can add it to the systems path to avoid typing the complete path of the executable.

In windows, the OpenSSL tool is also visible in the start menu. So, you can click on the start menu and search for openSSL. Then click on “Win64 OpenSSL Command Prompt” or a similar name.

Now open the folder where all the certificates are downloaded. The AWS certificate will be something like this “xxxxxxxxxx-certificate.pem.crt.txt” So now just rename that document to “xxxxxxxxxx-certificate.pem.crt”.

Convert the Certificates from .pem to .der

The following commands will convert the downloaded device certificate files to the correct format for this script.

> openssl x509 -in xxxxxxxxxx-certificate.pem.crt -out cert.der -outform DER 
> openssl rsa -in xxxxxxxxxx-private.pem.key -out private.der -outform DER
> openssl x509 -in AmazonRootCA1.pem -out ca.der -outform DER

Replace “xxxxxxxxxx” with your certificate name and AmazonRootCA1 with the name of the Amazon Root CA file.

Example:

> openssl x509 -in 3c675stf21-certificate.pem.crt -out cert.der -outform DER
> openssl rsa -in 3c675stf21-private.pem.key -out private.der -outform DER
> openssl x509 -in AWSRootCA.pem -out ca.der -outform DER

3c675stf21-certificate.pem.crt – Thing certificate
3c675stf21-private.pem.key – my private key
AWSRootCA.pem is the name of the Amazon Root CA certificate

After executing the commands, the certificates will be placed in the same folder with a .der extension. We can now install the certificates and key in the NodeMCU.

You can use this method to convert other certificates also, not necessarily only AWS certificates.

In the next post, we will Connect the NodeMCU to the AWS IoT Core using these certificates

Sharing is Caring!!

Leave a Reply

Your email address will not be published. Required fields are marked *