Overview
This article explains SSL certificate and key file formats. It is relevant if your company is implementing an external portal.
Service providers may receive SSL certificate-related files in any of the following formats.
Most common formats
- .csr This is a Certificate Signing Request. Some applications can generate these for submission to certificate authorities. The format is PKCS10, defined in RFC 2986. It includes some or all of these details: subject, organisation, state. It contains the public key of the certificate to be signed. The certificate authority signs the request and returns a certificate. The returned certificate is the public certificate (i.e. it includes the public key but not the private key).
- .pem Defined in RFC 1421, RFC 1422, RFC 1423 and RFC 1424. This is a container format that may include just the public certificate (as with Apache installs and the CA certificate files in /etc/ssl/certs), or may include an entire certificate chain including public key, private key and root certificates. It may also encode a CSR (e.g. as used here), since the PKCS10 format can be translated into PEM. The name comes from Privacy Enhanced Mail (PEM), a failed method for secure email whose container format lives on: it is a base64 translation of the X.509 ASN.1 structures.
- .key This is a PEM-formatted file containing just the private key of a specific certificate. The name is conventional, not standardised. In the Apache web server software, this frequently resides in /etc/ssl/private. The permissions on these files are very important, and some programs will refuse to load them if the permissions are set incorrectly.
- .pkcs12 / .pfx / .p12 Originally defined by RSA in the Public-Key Cryptography Standards, the "12" variant was enhanced by Microsoft. This is a password-protected container format that contains both public and private certificate pairs. Unlike .pem files, this container is fully encrypted. OpenSSL can turn this into a .pem file with both public and private keys: openssl pkcs12 -in file-to-convert.p12 -out converted-file.pem -nodes
These formats are less common, but are still in use.
- .der A way to encode ASN.1 syntax in binary; a .pem file is just a Base64-encoded .der file. OpenSSL can convert these to .pem (openssl x509 -inform der -in to-convert.der -out converted.pem). Windows sees these as certificate files. By default, Windows will export certificates as DER-formatted files with a different extension, for example:
- .cert, .cer, .crt A .pem (or rarely .der) formatted file with a different extension, one that Windows Explorer recognizes as a certificate, which .pem is not.
- .p7b Defined in RFC 2315, this is a format used by Windows for certificate interchange. Java understands these natively. Unlike .pem-style certificates, this format has a defined way to include certification-path certificates.
- .crl A certificate revocation list. Certificate Authorities produce these as a way to de-authorize certificates before expiration. You can sometimes download them from CA websites.
In summary, there are four different ways to present certificates and their components:
- PEM Governed by RFCs, it's used preferentially by open-source software. It can have a variety of extensions (.pem, .key, .cer, .cert and more).
- PKCS7 An open standard used by Java and supported by Windows. Does not contain private key material.
- PKCS12 A private standard that provides enhanced security versus the plain-text PEM format. This can contain private key material. It's used preferentially by Windows systems, and can be freely converted to PEM format through use of openssl.
- DER The parent format of PEM. It's useful to think of it as a binary version of the base64-encoded PEM file. Not routinely used by much outside of Windows.
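The following script is an added example, not part of the original article, that walks through the formats above with the openssl command line: it creates a private key, a PKCS10 CSR and a self-signed certificate (standing in for the CA-issued one), converts the certificate between PEM and DER, bundles key and certificate into a password-protected PKCS12 file and extracts them again with -nodes, wraps the certificate in PKCS7 (.p7b), and checks that the public key in the key file, the CSR and the certificate all match. The subject name example.test, the export password, the file names and the temporary directory are constructed values; the permission check and the label listing are plain shell helpers written here, not openssl features.

```shell
#!/bin/sh
# Added example: round-trip a key and certificate through PEM, DER, PKCS12 and PKCS7.
# Requires only the openssl CLI (1.1.1 or later). All names below are constructed.
set -eu

P12_PASS="demo-export-password"   # constructed; a real export password is a secret

# Create a private key, a PKCS10 CSR and a self-signed certificate in directory $1.
make_demo_pki() {
    dir=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/server.key"
    chmod 600 "$dir/server.key"   # a .key file must not be group- or world-readable
    openssl req -new -key "$dir/server.key" -subj "/CN=example.test" -out "$dir/server.csr"
    openssl req -new -x509 -key "$dir/server.key" -subj "/CN=example.test" -days 1 \
        -out "$dir/server.pem"
}

# PEM <-> DER for a certificate: the same ASN.1 structure, text vs binary encoding.
pem_to_der() { openssl x509 -in "$1" -outform DER -out "$2"; }
der_to_pem() { openssl x509 -inform DER -in "$1" -out "$2"; }

# PEM key + certificate -> encrypted PKCS12, and back to PEM. -nodes writes the
# private key unencrypted, so the output file needs the same care as a .key file.
pem_to_p12() { openssl pkcs12 -export -inkey "$1" -in "$2" -passout "pass:$P12_PASS" -out "$3"; }
p12_to_pem() { openssl pkcs12 -in "$1" -passin "pass:$P12_PASS" -nodes -out "$2"; }

# PEM certificate(s) -> PKCS7 (.p7b) and back. PKCS7 never carries a private key.
pem_to_p7b() { openssl crl2pkcs7 -nocrl -certfile "$1" -out "$2"; }
p7b_to_pem() { openssl pkcs7 -in "$1" -print_certs -out "$2"; }

# SHA-256 fingerprint of a PEM certificate; equal fingerprints mean the same certificate.
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# The public key (SubjectPublicKeyInfo, PEM) taken from a key, a CSR or a certificate.
# All three must agree for a key/CSR/certificate set that belongs together.
pubkey_of_key()  { openssl pkey -in "$1" -pubout; }
pubkey_of_csr()  { openssl req -in "$1" -pubkey -noout; }
pubkey_of_cert() { openssl x509 -in "$1" -pubkey -noout; }

# List the block labels inside a PEM container (CERTIFICATE, PRIVATE KEY, PKCS7, ...).
pem_labels() { sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1"; }

# True when no group/other permission bit is set (mode 0600 or 0400), using the
# portable ls -l mode column rather than a GNU-only stat flag.
key_file_is_private() { [ "$(ls -l "$1" | cut -c5-10)" = "------" ]; }

# Stand-alone demonstration: sh this_script.sh run
if [ "${1:-}" = "run" ]; then
    work=$(mktemp -d)
    make_demo_pki "$work"
    pem_to_der "$work/server.pem" "$work/server.der"
    pem_to_p12 "$work/server.key" "$work/server.pem" "$work/bundle.p12"
    p12_to_pem "$work/bundle.p12" "$work/bundle.pem"
    pem_to_p7b "$work/server.pem" "$work/server.p7b"
    echo "blocks in bundle.pem:"; pem_labels "$work/bundle.pem"
    echo "blocks in server.p7b:"; pem_labels "$work/server.p7b"
    echo "certificate fingerprint: $(cert_fingerprint "$work/server.pem")"
    key_file_is_private "$work/server.key" && echo "server.key permissions are private"
    rm -rf "$work"
fi
```

Comparing pubkey_of_key, pubkey_of_csr and pubkey_of_cert is the quickest way to confirm that a key, CSR and returned certificate belong together before installing them; pem_labels shows at a glance whether a container someone sent you carries a PRIVATE KEY block and therefore has to be handled like a .key file, and key_file_is_private is the check that explains why some servers refuse a key file with loose permissions.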