.DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension. Proper English usage would be “I have a DER encoded certificate” not “I have a DER certificate”.
.PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a “—– BEGIN …” line.
To complete the eap tls logic on the 7921 phone.
You should have a publicly known CA cert ( in some cases Misosoft CA your own which you distribute) installed in the 7921 Phone when you generate the CSR ( request ) from the phone which is generated combining the Public cert information. Now you take that request to the ROOT CA server and he signs you CSR and generates a CERT For the 7921 phone which is expertable. once the generated cert chain is downloaded, Export and install the signed cert for 7921 on the phone. The 7921 phone will not install the certificate if the CSR was issued by any unknown CA.
How does it know that ? , because you had installed or told the phone the root CA cert infomation which you used to generate the CSR so when you get the certified or signed cert from CA during installation will be able to decode it only if the CERT was signed by the CA it knows thus verifying that its the right Cert signed by its right CA authority. This is the beauty of it.