Certificate File Formats

There are many file formats used to identify certificates. Here are some of them:
  • Encodings (also used as extensions)
    Privacy Enhanced Email (.pem) is a container format (Base64-encoded X.509). The .pem extension is used for different types of X.509v3 files, which contain ASCII (Base64) armored data prefixed with a “-----BEGIN …” line.
    Examples are CA certificate files or an entire certificate chain that includes a public key, a private key, and root certificates.
    The PEM file format is preferred by open-source software. It can have a variety of extensions (.pem, .key, .cer, .cert, and so on). Refer to Convert between PEM and DER File Formats Using OpenSSL, TLS on Windows: Converting between PEM and DER File Formats for TLS.
    Distinguished Encoding Rules (.der) is used for binary DER encoded certificates. A PEM file is just a Base64 encoded DER file. OpenSSL can convert these to PEM. Windows sees these as Certificate files. These files can also bear the .cer extension or the .crt extension. Refer to Convert between PEM and DER File Formats Using OpenSSL, TLS on Windows: Converting between PEM and DER File Formats for TLS.
    PKCS12 .P12
    Public-Key Cryptography Standards (.pkcs12) is a file format that has both public and private keys in the file. Private keys are password protected. These files are also known as *.PFX format on Windows. Unlike PEM files, this container is fully encrypted.
  • Common Extensions
    CRT
    The CRT extension is used for certificates. The certificates can be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous.
    Note: CRT and CER can safely be interchanged only when the encoding type is identical. For example, PEM-encoded CRT is the same as PEM-encoded CER.
    CER
    A CER file is recognized by Windows Explorer as a certificate. It is an alternate form of CRT (Microsoft convention). You can use MS to convert CRT to CER. You can encode both to DER-encoded CER or to Base64 (PEM)-encoded CER.
    Note: If you export a certificate using the Windows export wizard, the CER-formatted file is Base64-encoded X.509 and is equivalent to PEM.
    Note: CRT and CER can safely be interchanged only when the encoding type is identical. For example, PEM-encoded CRT is the same as PEM-encoded CER.
    CSR
    This is a Certificate Signing Request. Some applications can generate these for submission to certificate authorities. It includes some of the key details of the requested certificate, such as subject, organization, and state, as well as the public key of the certificate that will be signed. These are signed by the CA and a certificate is returned. The returned certificate is the public certificate. Note that this public certificate can be in a couple of formats.
    KEY
    The KEY extension is used both for public and private PKCS#8 keys. The keys can be encoded as binary DER or as ASCII PEM.
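
Because .crt, .cer and .key files can each be either DER or PEM, tooling should decide the encoding from the file content rather than the extension. The following added example (not part of the original page) sniffs the encoding and shows that PEM is the Base64 armoring of the same DER bytes; the function names, file names and sample bytes are constructed for illustration.

```python
import base64
import re

# Matches one PEM block: BEGIN line, Base64 body, matching END line.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)

def der_length_ok(data: bytes) -> bool:
    """True if data is exactly one DER SEQUENCE (tag 0x30) with a consistent length."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: length fits in one byte
        return len(data) == 2 + first
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(data) < 2 + n:
        return False
    return len(data) == 2 + n + int.from_bytes(data[2:2 + n], "big")

def sniff(data: bytes):
    """Return (encoding, [(label, der_bytes), ...]) based on content, not file name."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        out = []
        for label, body in blocks:        # a chain or key+cert bundle has several blocks
            der = base64.b64decode(b"".join(body.split()), validate=True)
            out.append((label.decode(), der))
        return "PEM", out
    if der_length_ok(data):
        return "DER", [(None, data)]
    return "unknown", []

def to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Armor DER bytes as PEM: Base64 in 64-character lines between BEGIN/END."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN " + label.encode() + b"-----\n"
            + b"\n".join(lines) + b"\n-----END " + label.encode() + b"-----\n")

# Constructed sample: a tiny DER SEQUENCE { INTEGER 5 }, not a real certificate.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = to_pem(SAMPLE_DER)

if __name__ == "__main__":
    # Hypothetical file names: the extension says nothing about the encoding.
    for name, data in [("server.crt", SAMPLE_DER), ("server.cer", SAMPLE_PEM)]:
        print(name, sniff(data)[0])
```

The check only validates the outer ASN.1 framing; it does not parse the certificate or verify any signature.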