SSL Certificate File Formats

SSL certificates and cryptographic keys are stored in a variety of file formats, each serving different purposes and compatible with specific systems or platforms. The most common formats include PEM, DER, PKCS#7, and PKCS#12^[600-developer-tools-security-security-file-extension-name.md].

Common Formats

PEM (Privacy-Enhanced Mail)

PEM is the most widely used format for SSL certificates. It is typically a Base64 encoded ASCII file containing delimiters such as "BEGIN CERTIFICATE/END CERTIFICATE".^[600-developer-tools-security-security-file-extension-name.md]

  • Extensions: Common extensions include .pem, .crt, .cer, and .key.^[600-developer-tools-security-security-file-extension-name.md]
  • Usage: It is the standard format for servers like Apache, which generally expect certificates and private keys to be stored in separate files.^[600-developer-tools-security-security-file-extension-name.md]

DER (Distinguished Encoding Rules)

DER represents the binary form of a certificate. Unlike PEM, it does not contain ASCII headers or footers.^[600-developer-tools-security-security-file-extension-name.md]

  • Extensions: .der and .cer.^[600-developer-tools-security-security-file-extension-name.md]
  • Usage: This format is typically used in Java platforms.^[600-developer-tools-security-security-file-extension-name.md]

PKCS#7 / P7B

The PKCS#7 (or P7B) format is stored in Base64 ASCII format.^[600-developer-tools-security-security-file-extension-name.md]

  • Extensions: .p7b and .p7c.^[600-developer-tools-security-security-file-extension-name.md]
  • Content: These files only contain certificates and chain certificates (Intermediate CAs); they do not include the private key.^[600-developer-tools-security-security-file-extension-name.md]
  • Usage: It is commonly supported by Microsoft Windows and Java Tomcat.^[600-developer-tools-security-security-file-extension-name.md]

PKCS#12 / PFX / P12

PKCS#12 is a binary format used to store the server certificate, intermediate certificates, and the private key in a single, encryptable file.^[600-developer-tools-security-security-file-extension-name.md]

  • Extensions: .pfx and .p12.^[600-developer-tools-security-security-file-extension-name.md]
  • Content: It acts as a container that includes the public certificate and the associated private key.^[600-developer-tools-security-security-file-extension-name.md]
  • Usage: This format is frequently used on Windows machines to import and export certificates.^[600-developer-tools-security-security-file-extension-name.md]
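
Because the extensions above overlap (.cer is listed under both PEM and DER), a file's content is a better guide than its name to the format and to whether a private key may be inside. The sketch below is an added example, not part of the original page: it classifies raw bytes by PEM label or leading ASN.1 bytes. The function names and sample byte strings are constructed for illustration, and the DER checks are heuristics rather than a full parser.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")  # 1.2.840.113549.1.7.2

def der_kind(der: bytes) -> str:
    """Guess what a DER blob holds from the first element of its outer SEQUENCE."""
    if len(der) < 4 or der[0] != 0x30:
        return "unknown"
    # The outer length takes 1 byte (short form) or 1 + n bytes (long form).
    start = 2 + (der[1] & 0x7F if der[1] & 0x80 else 0)
    inner = der[start:]
    if inner.startswith(SIGNED_DATA_OID):
        return "pkcs7"        # ContentInfo with signedData: certificates only
    if inner.startswith(b"\x02\x01\x03"):
        return "pkcs12"       # PFX version INTEGER 3: may bundle a private key
    if inner.startswith(b"\x02\x01\x00"):
        return "private-key"  # version INTEGER 0 of a PKCS#1 or PKCS#8 key
    if inner[:1] == b"\x30":
        return "certificate"  # tbsCertificate SEQUENCE; other types share this shape
    return "unknown"

def identify(data: bytes) -> tuple:
    """Return (encoding, kind, may_hold_private_key) for a file's raw bytes."""
    m = PEM_RE.search(data)
    if m:
        if m.group(1).endswith(b"PRIVATE KEY"):  # the PEM label names the content
            return ("PEM", "private-key", True)
        return ("PEM", der_kind(base64.b64decode(m.group(2))), False)
    kind = der_kind(data)
    encoding = "DER" if kind != "unknown" else "unknown"
    return (encoding, kind, kind in ("private-key", "pkcs12"))

def pem(label: str, der: bytes) -> bytes:
    """Wrap DER bytes in PEM armor (used only to build the constructed samples)."""
    tag = label.encode()
    return b"-----BEGIN %b-----\n%b\n-----END %b-----\n" % (tag, base64.b64encode(der), tag)

# Constructed samples: only the leading ASN.1 bytes are realistic, the rest is padding.
CERT_DER = bytes.fromhex("3082010a3081f4") + b"\x00" * 16
P7_DER = bytes.fromhex("30820100") + SIGNED_DATA_OID + b"\x00" * 16
PFX_DER = bytes.fromhex("30820a39020103") + b"\x00" * 16
KEY_DER = bytes.fromhex("308204a4020100") + b"\x00" * 16

if __name__ == "__main__":
    for blob in (CERT_DER, pem("CERTIFICATE", CERT_DER), pem("PKCS7", P7_DER), PFX_DER):
        print(identify(blob))
```

A bare DER file that starts with a nested SEQUENCE is reported as a certificate, but other structures share that opening, so treat that result as probable rather than confirmed.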

Format Conversion and Management

Converting PKCS#12 to PEM

Because Windows tools often generate certificates in the PKCS#12 format (.pfx), while Linux environments typically prefer PEM, conversion is often necessary.^[600-developer-tools-security-security-file-extension-name.md]

To export the certificate (which contains the public key) from a .pfx file to a PEM-encoded .crt file, run the command below. The -nokeys option keeps the private key out of the output.

openssl pkcs12 -in localhost.pfx -out localhost.crt -nokeys -nodes
^[600-developer-tools-security-security-file-extension-name.md]

Creating a PKCS#12 File

To combine a private key (server.key) and a certificate (server.crt) into a single PKCS#12 file (server.pfx), the following command is used. Note that this process requires setting a password to protect the file.^[600-developer-tools-security-security-file-extension-name.md]

openssl pkcs12 -export -in server.crt -inkey server.key -out server.pfx
^[600-developer-tools-security-security-file-extension-name.md]

  • [[SSL]]
  • [[Public-key cryptography]]
  • OpenSSL
  • [[Certificate authority]]

Sources