Skip to main content

What is the difference between the formats "DER encoded" and "Base64 encoded" when exporting a certificate?

I am often asked what the difference between the following certificate export options are:


The first option exports the certifcate encoded in the format Distinguished Encoding Rules, which is a binary format.

The second option exports the certificate encoded with Base64, which is an encoding method that converts binary data to plain ASCII text. This is usually how binary attachments are encoded in mail messages, but you never see this since the mail client automatically converts it back to its original data type before you see the Base64 text included in the mail message.

Certificates exported with the two different options looks and acts the same on the file level:


The file extention *.cer is interchangeable with *.crt.

Note: DER-encoded certificates somtimes have the file extension *.der and Base64 encoded certificates sometimes have the file extention *.pem, usually in non Windows environment.

If you open them in a texteditor you see the difference:



In some remote access scenarios its not possible to copy binary data (such as files), but you can copy/transfer plain text. Its pretty obvious that Base64 is a better choice in these cases.

But what if you only have a DER encoded version of the certificate available? Well, you can either export it again and choose the other format OR you can use certutil:

To convert from binary to Base64:

certutil -encode filename.cer newfilename.cer

To convert from Base64 to binary:

certutil -decode filename.cer newfilename.cer

Läs hela artikeln