A brief overview of most common container formats for SSL certificates

A quick note, perhaps more useful for me than for readers

SSL certificates using a lot of different container formats.

Let’s try to clear this up:

  • .csr : A Certificate Signing Request. Some applications can generate these for submission to certificate-authorities.
    It includes some/all of the key details of the requested certificate such as subject, organization, state, whatnot, as well as the public key of the certificate to get signed. 
    These get signed by the CA and a certificate is returned. The returned certificate is the public certificate (which includes the public key but not the private key), which itself can be in a couple of formats.
  • .pem : A container format that may include just the public certificate , or may include an entire certificate chain including public key, private key, and root certificates.
    The name is from Privacy Enhanced Mail (PEM), a base64 translation of the x509 ASN.1 keys.
  • .key : A PEM formatted file containing just the private-key of a specific certificate and is merely a conventional name and not a standardized one.
  • .pkcs12 .pfx .p12 : A passworded container format that contains both public and private certificate pairs. Unlike .pem files, this container is fully encrypted. Originally defined by RSA in the Public-Key Cryptography Standards, the “12” variant was enhanced by Microsoft.
  • .der : A way to encode ASN.1 syntax in binary, a .pem file is just a Base64 encoded .der file.
  • .cert .cer .crt : A .pem formatted file with a different extension.
  • .p7b : A format used by windows for certificate interchange, defined in RFC 2315. Unlike .pem style certificates, this format has a defined way to include certification-path certificates.
  • .crl : A certificate revocation list. Certificate Authorities produce these as a way to de-authorize certificates before expiration.

In brief, there are four different ways to present certificates and their components:

  • PEM : Governed by RFCs, it’s used preferentially by open-source software. It can have a variety of extensions (.pem.key.cer.cert)
  • PKCS7 : An open standard used by Java and supported by Windows. Does not contain private key material.
  • PKCS12 : A private standard that provides enhanced security versus the plain-text PEM format. 
    This can contain private key material. It’s used preferentially by Windows systems, and can be freely converted to PEM format through use of openssl.
  • DER : The parent format of PEM. Not really used outside of Windows.


This site uses Akismet to reduce spam. Learn how your comment data is processed.