In this article, part of our SSL Certificates tutorial series, we’ll talk about the most used formats and file extensions that you might stumble upon while working with SSL certificates on different operating systems.
Before going into the descriptions of each format we will spend a few words on the X.509 v3 standard, which is the foundation for the definitions of all the formats we’ll talk about here.
X.509 is the name given to an ITU-T standard for public-key infrastructures (PKI): presented for the first time in 1998, it was used in the following years to define a set of standard formats for most public-key certificates and for the related revocation lists (CRL, from Certificate Revocation List). The term X.509 certificate is used nowadays to refer to the third revision of the standard (X.509 v3), which is detailed in RFC 5280.
Below is a list of the most common formats defined through the X.509 v3 standard (and related extensions).
PEM (.cer .crt .pem .key)
This is the most common format used for distributing certificates. In most cases these are ASCII files that contain one or more certificates, with or without private key, encoded in Base64 format and enclosed within the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- descriptor blocks. The private key, if present, is also enclosed within the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- descriptor blocks. Although the format does support storing the certificates and the private key together in a single file, most servers (Apache, NGINX) require the private key to be stored in a separate key file for security reasons.
The most commonly used file extensions for this format are .CER, .CRT, .PEM and .KEY (the latter being used for the private key only).
DER (.der .cer)
This is the “binary” version of the PEM certificate described above: the DER format can also contain a single certificate or multiple certificates, with or without a private key. This is a format used mainly by Java and is not present on other platforms.
The extensions commonly used for this format are .DER and .CER. To distinguish a .CER in PEM format from a .CER in DER format, open the file with a text editor and check whether it is an ASCII file or not.
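The content check described above can be scripted instead of done by eye. The following Python sketch is an added example, not code from the original article: it classifies a file's bytes as PEM or DER regardless of extension and reports whether a PEM file also carries a private key block, which matters given the separate-key-file practice mentioned in the PEM section. The function names and the sample bytes are assumptions made for illustration.

```python
import base64
import re

# One PEM block: descriptor lines around a Base64 body; captures label and body.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def is_der_sequence(data: bytes) -> bool:
    """True if data starts with an ASN.1 SEQUENCE whose declared length fits."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = SEQUENCE tag
        return False
    first = data[1]
    if first < 0x80:                          # short form: length in one byte
        return 2 + first <= len(data)
    n = first & 0x7F                          # long form: next n bytes hold length
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    return 2 + n + int.from_bytes(data[2:2 + n], "big") <= len(data)

def classify(data: bytes):
    """Return (encoding, pem_labels, has_private_key), judged from content only."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        labels = [label.decode("ascii") for label, _body in blocks]
        return "PEM", labels, any(l.endswith("PRIVATE KEY") for l in labels)
    if is_der_sequence(data):
        # Other binary ASN.1 files also begin with a SEQUENCE, so this means
        # "DER-encoded", not necessarily "a certificate".
        return "DER", [], False
    return "unknown", [], False

def to_pem(label: str, der: bytes) -> bytes:
    """Wrap DER bytes in PEM descriptor lines (Base64, 64 characters per line)."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()

# Constructed sample: a minimal ASN.1 SEQUENCE, not a real certificate or key.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_BUNDLE = (to_pem("CERTIFICATE", SAMPLE_DER)
                 + to_pem("RSA PRIVATE KEY", SAMPLE_DER))

if __name__ == "__main__":
    for name, blob in (("der", SAMPLE_DER), ("bundle", SAMPLE_BUNDLE)):
        print(name, classify(blob))
```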
PKCS#7 (.p7b .p7c)
This is an ASCII formatted file encoded in Base64, mainly used by Microsoft Windows and Java Tomcat.
The extensions commonly used for this format are .P7B and .P7C.
PKCS#12 (.pfx .p12)
Binary format that contains the certificate, the set of intermediate certificates (if any) and the private key in a single encrypted and password protected file. It is mainly used within Windows systems and infrastructures to import and export certificates and private keys between the various services and applications (Firewall, Proxy, etc.).
The extensions commonly used for this format are .PFX and .P12.
That’s it, at least for the time being: we hope that this overview will be useful for those who need some info on SSL certificates and their formats. If you need additional guidance, for example to convert your certificate files between the various formats listed above using the OpenSSL tool or via online tools, we strongly recommend checking out this other post.
See you next time!