What is X.509?
X.509 is an ITU-T (International Telecommunication Union) standard that defines the format of public key digital certificates. Established in 1988, it is the foundation of security in protocols like TLS/SSL that protect HTTPS web browsing. An X.509 certificate binds an identity (such as a domain name or organization) to a public key through a digital signature issued by a Certificate Authority (CA).
X.509 certificates are stored in various file formats. PEM (Privacy-Enhanced Mail) uses Base64 encoding with -----BEGIN CERTIFICATE----- headers and is the most common format on Linux systems and web servers. DER (Distinguished Encoding Rules) is the binary representation used in Windows environments and embedded devices. PKCS#12/PFX is a password-protected container that stores the certificate along with its private key, used for import into certificate stores and server migrations.
Common Use Cases
- Web server configuration: Convert SSL/TLS certificates between PEM, DER, and PFX formats according to each server's specific requirements (Apache, Nginx, IIS).
- Platform migration: Adapt certificates to the required format when switching hosting providers, migrating to the cloud, or transferring domains between differently configured servers.
- Key store import: Convert certificates to PKCS#12/PFX for import into Windows certificate stores, Java KeyStores (JKS), network devices, or load balancers.
Tips and Best Practices
- PEM is the most universal and readable format; use it as the standard interchange format between systems whenever possible, as it is compatible with almost all platforms.
- PFX/P12 files contain both the certificate and the password-protected private key. Never share your private key unencrypted and use strong passwords to protect these files.
- When converting between formats, verify that the certificate chain is complete (leaf certificate + intermediates + root) to avoid trust errors in the browser or TLS client.
Related Tools
TOTP URI Generator
Generate otpauth:// URIs to configure 2FA in Google Authenticator, Authy and other apps.
Self-Signed Certificate Generator
Generate X.509 self-signed certificates with RSA 2048/4096 bits for development and local testing.
ECC Encryption
Generate P-256, P-384 and P-521 elliptic curve keys, sign and verify messages with ECDSA using Web Crypto API.
Hash Generator
Calculate SHA-256, SHA-512 and MD5 hashes for large files