
SSL/TLS Certificate Formats

SSL/TLS certificates are distributed and used in several file formats, depending on the server environment and the requirements of the issuing Certificate Authority (CA). The most common standard for storing and transmitting these certificates is the PEM (Privacy-Enhanced Mail) format, a Base64 text encoding wrapped in `-----BEGIN ...-----` / `-----END ...-----` lines. ^[400-devops-02-os-and-linux-basics-network-free-domain.md]

Common File Extensions

Several file extensions indicate specific contents within the PEM ecosystem:

  • .crt: Typically denotes the end-entity certificate file (e.g., certificate.crt). ^[400-devops-02-os-and-linux-basics-network-free-domain.md]
  • .key: Stores the private key associated with the certificate (e.g., private.key). ^[400-devops-02-os-and-linux-basics-network-free-domain.md]
  • .csr: A Certificate Signing Request, submitted to a CA to obtain a signed certificate.
  • .pem: A generic container that can hold a certificate, a private key, or a CA chain (one or more Base64 blocks in a single text file).

Certificate Chain Files

A complete SSL configuration often requires a Certificate Chain to establish trust up to a root CA. This is frequently referred to as a CA bundle.

  • ca_bundle.crt: This file typically contains the intermediate certificates. ^[400-devops-02-os-and-linux-basics-network-free-domain.md]
  • full_chain.crt: A composite file created by concatenating the domain's certificate followed by the CA bundle, in that order. In Linux environments this is commonly done with the cat command: ^[400-devops-02-os-and-linux-basics-network-free-domain.md]

    cat certificate.crt ca_bundle.crt > full_chain.crt
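A chain file built this way is served to every client, so it should contain only CERTIFICATE blocks and should include the intermediates, not just the leaf. The following added Python example (not from the original note) parses PEM blocks and lints a full_chain.crt-style bundle for those two mistakes; the sample PEM bodies are constructed placeholder bytes, not real DER certificates.

```python
import base64
import binascii
import re

# One PEM block: "-----BEGIN label-----", a Base64 body, "-----END label-----".
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)


def parse_pem(text):
    """Return a list of (label, der_bytes) for each block in a PEM file.

    Raises ValueError on a mismatched BEGIN/END label or invalid Base64,
    which is how a truncated or hand-edited bundle usually breaks.
    """
    blocks = []
    for begin, body, end in PEM_BLOCK.findall(text):
        if begin != end:
            raise ValueError(f"label mismatch: BEGIN {begin} / END {end}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except binascii.Error as exc:
            raise ValueError(f"bad Base64 in {begin} block: {exc}") from exc
        blocks.append((begin, der))
    return blocks


def check_chain_file(text):
    """Lint a full_chain.crt bundle; returns a list of problems (empty = OK)."""
    problems = []
    labels = [label for label, _ in parse_pem(text)]
    if not labels:
        problems.append("no PEM blocks found")
    for label in labels:
        if label.endswith("PRIVATE KEY"):
            problems.append(f"private key material ({label}) must not be in a chain file")
        elif label != "CERTIFICATE":
            problems.append(f"unexpected block type: {label}")
    if labels.count("CERTIFICATE") == 1:
        problems.append("only one certificate: intermediate(s) from ca_bundle.crt are missing")
    return problems


def _pem(label, payload):
    """Build a PEM block around constructed placeholder bytes (not real DER)."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


# Constructed sample bundles: a correct chain, one with a leaked key, one leaf-only.
GOOD_CHAIN = _pem("CERTIFICATE", b"leaf") + _pem("CERTIFICATE", b"intermediate")
LEAKY_CHAIN = GOOD_CHAIN + _pem("PRIVATE KEY", b"secret")
LEAF_ONLY = _pem("CERTIFICATE", b"leaf")
```

Run `check_chain_file(open("full_chain.crt").read())` on a real bundle; structural checks like these complement, but do not replace, `openssl verify` against the trust store.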
    

PKCS#12 Format (.pfx)

While PEM files are Base64 text, the PKCS#12 format stores the same cryptographic objects together in a single, password-protected binary file.

  • .pfx / .p12: An archived file format that securely bundles the server certificate, private key, and intermediate CA chain. ^[400-devops-02-os-and-linux-basics-network-free-domain.md]
  • This format is standard for many Windows servers (such as IIS or Tomcat) and requires a password for export/import.
  • A .pfx file can be generated from the PEM component files (private key, certificate, and CA bundle) using openssl: ^[400-devops-02-os-and-linux-basics-network-free-domain.md]

    openssl pkcs12 -export -out tls.pfx -inkey private.key -in certificate.crt -certfile ca_bundle.crt
    

Sources

^[400-devops-02-os-and-linux-basics-network-free-domain.md]