Open-The-File.com

Find how to open any file type

How to open .CER files on Mac

To open .CER files on Mac, double-click the .cer file to open it in Keychain Access (or import via Keychain Access) and view certificate details.

Step-by-step instructions

  1. Double-click the .cer file to open it in Keychain Access (or import via Keychain Access) and view certificate details.
  2. Choose the appropriate keychain (for example, login or System) when importing if you intend to trust it system-wide.
  3. If the file fails to import, use OpenSSL to detect whether it is DER or PEM and convert it before importing.

Alternative methods

  • Open .CER in a browser-based viewer if desktop apps fail.
  • Try opening .CER on Mac with a secondary app to rule out app-specific issues.
  • Convert .CER only with trusted tools when direct opening is not possible.

Common issues

The .CER file won’t open or import

A common cause is a mismatch between the file’s actual encoding (DER vs. PEM/Base64) and what the viewer/importer expects, or the file is not a certificate at all.

  1. Check whether the file is PEM (it often contains a header like "BEGIN CERTIFICATE") or DER (binary).
  2. Use OpenSSL to test and display it: "openssl x509 -in file.cer -text -noout" and retry with "-inform DER" if needed.
  3. If necessary, convert to the expected form using OpenSSL and then try importing again.

It imports, but the certificate is not trusted / shows warnings

Trust depends on whether the certificate chains to a trusted CA and whether it is appropriate to add to a trust store (for example, end-entity certificates should not usually be added as trusted roots).

  1. Verify the Issuer and whether the certificate chains to a known, trusted CA; review fingerprints and validity dates before trusting it.
  2. Do not add an end-entity certificate as a trusted root; only install CA certificates when you have an explicit, verified reason.
  3. If you are missing intermediate certificates, obtain them from the legitimate administrator/provider and install as instructed.

The certificate is expired or not yet valid

X.509 certificates have validity periods; an expired or not-yet-valid certificate will be rejected by many systems and applications.

  1. Check the Not Before/Not After fields in the certificate viewer or via OpenSSL output.
  2. Request or download an updated certificate from the legitimate issuer/administrator.
  3. Confirm your device clock is correct before diagnosing further.

You expected a private key, but the .CER has only a public certificate

.CER commonly contains only the public certificate. Private keys are typically stored separately (often in other formats) and should not be shared.

  1. If you need to deploy a certificate plus private key, obtain it through the correct secure process (do not ask for or email private keys).
  2. Use OpenSSL to confirm content: a certificate will parse with "openssl x509"; a private key would require key-specific commands and is usually not in a .cer.
  3. If you received a certificate from a service (for example, a platform account portal), follow that platform’s documented install steps.

Security note

A .CER file is typically a certificate (public information), but importing it into your trust store can change what your device considers “trusted.” Only install certificates when you fully understand who issued them and why you need them.

Back to .CER extension page