SSL Certificates – Standards, formats and file extensions: PEM, CER, CRT, DER, P7B, PFX, P12 A useful overview of the most common formats and file extensions for SSL & TLS Certificates based upon the X.509 v3 standard

Certificati SSL - Standard, formati ed estensioni principali: PEM, CER, CRT, DER, P7B, PFX, P12

In this article, part of our SSL Certificates tutorial series, we’ll talk about the most used formats and file extensions that you might stumble upon while working with SSL certificate on different operating systems.

Before going into the descriptions of each format we will spend a few words on the X.509 v3 standard, which is the foundation for the definitions of all the formats we’ll talk about here.


X.509 is the name given to an ITU-T standard for public-key infrastructures (PKI): presented for the first time in 1998, it was used in the following years to define a set of standard formats for most public-key certificates and of the relative revocation lists (CRL, from Certificate Revocation List). The term Certificate X.509 is used nowadays to refer to the third revision of the standard (X.509 v3), which is detailed in RFC 5280.

Below is a list of the most common formats defined through the X.509 v3 standard (and related extensions).

PEM (.cer .crt .pem .key)

This is the most common format used for distributing certificates. In most cases these are ASCII files that contain one or more certificates, with or without private key, encoded in Base64 format and enclosed within the   and   descriptor blocks. The private key, if present, is also enclosed within the    and   descriptor blocks. Despite the format does indeed support the certificates and the private key together in a single file, most servers (Apache, NGINX) require the private key to be stored in a separate key file for security reasons.

The most commonly used file extensions for this format are .CER, .CRT, .PEM and .KEY (the latter being used for the private key only).

DER (.der .cer)

This is the “binary” version of the PEM certificate described above: the DER format can also contain a single certificate or multiple certificates, with or without a private key. This is a format used mainly by Java and is not present on other platforms.

The extensions commonly used for this format are .DER and .CER. To distinguish a .CER in PEM format from a .CER in .DER format, open the file with a text editor and watch if it’s an ASCII file or not.

PKCS#7 (.p7b .p7c)

This is an ASCII formatted file encoded in Base64, mainly used by Microsoft Windows and Java Tomcat.

The extensions commonly used for this format are .P7B and .P7C.

PKCS#12 (.pfx .p12)

Binary format that contains the certificate, the set of intermediate certificates (if any) and the private key in a single encrypted and password protected file. It is mainly used within Windows systems and infrastructures to import and export certificates and private keys between the various services and applications (Firewall, Proxy, etc.).

The extensions commonly used for this format are .PFX and .P12.


That’s it, at least for the time being: we hope that this overview will be useful for those who need some info on SSL certificates and their formats. If you need additional guidance, for example to convert your certificate files between the various formats listed above using the OpenSSL tool or via online tools, we strongly recommend to check out this other post.

See you next time!


About Ryan

IT Project Manager, Web Interface Architect and Lead Developer for many high-traffic web sites & services hosted in Italy and Europe. Since 2010 it's also a lead designer for many App and games for Android, iOS and Windows Phone mobile devices for a number of italian companies. Microsoft MVP for Development Technologies since 2018.

View all posts by Ryan

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.