Certificate File Naming and File Formats

Last Updated : Jul 19, 2024

Like so many other aspects of certificates, there are various options and standards (both formal and informal) associated with certificate files.

File Formats

There are four main encodings/internal formats for certificate files. Note these are encodings, not file naming conventions:

| Format | Description |
|---|---|
| DER | Distinguished Encoding Rules (DER) format. This is a binary format used to represent a certificate. Typically used to describe just one certificate, and cannot include a private key. |
| PEM | Privacy Enhanced Mail (PEM) is a Base64 (that is, ASCII text) encoding of DER. The certificate is enclosed between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- statements. The file can contain a private key enclosed between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- statements. More than one certificate can be included. PEM certificates can be identified by viewing the file in a text editor. This is an insecure format and not recommended for private key use unless the key is protected with a password. |
| PKCS#12 | Public Key Cryptography Standard (PKCS) #12. A secure, binary format, encrypted with a password. Typically used to describe one certificate and its associated private key, but can also include other certificates such as the signing certificate(s). This is the recommended format for private key use. |
| PKCS#7 | A Base64 (that is, ASCII text) encoding defined by RFC 2315. One or more certificates are enclosed between -----BEGIN PKCS7----- and -----END PKCS7----- statements. It can contain only certificates and chain certificates, but not the private key. Can be identified by viewing the file in a text editor. |
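The table says PEM and PKCS#7 files can be recognised in a text editor, while DER and PKCS#12 are binary. The following added example (not code from the original page) automates that check: it reads the PEM labels, and for binary input looks at the first element inside the outer ASN.1 SEQUENCE, which differs between an X.509 certificate, a PKCS#7 ContentInfo and a PKCS#12 PFX. It also flags the case the page warns about, a private key stored without a password, and goes one step beyond the table by telling a PKCS#12 container (version 3) apart from a bare unencrypted PKCS#8 key in DER (version 0), since both begin with an INTEGER. The function name classify and the sample byte strings are constructed for this example.

```python
import re

# Matches each PEM block and captures its label (CERTIFICATE, PRIVATE KEY, PKCS7, ...).
PEM_BLOCK_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.DOTALL)

def _asn1_length(buf: bytes, pos: int):
    """Decode a DER length field at buf[pos]; return (length, offset of content)."""
    first = buf[pos]
    if first < 0x80:                       # short form: one byte
        return first, pos + 1
    n = first & 0x7F                       # long form: n length bytes follow
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n

def _is_plain_private_key(label: str) -> bool:
    # 'PRIVATE KEY', 'RSA PRIVATE KEY' and 'EC PRIVATE KEY' blocks are unencrypted;
    # 'ENCRYPTED PRIVATE KEY' is PKCS#8 protected by a password. (Legacy
    # 'Proc-Type: 4,ENCRYPTED' headers inside RSA/EC blocks are not inspected.)
    return label.endswith("PRIVATE KEY") and not label.startswith("ENCRYPTED")

def classify(data: bytes) -> dict:
    """Return {'format': ..., 'blocks': [PEM labels], 'unencrypted_key': bool}."""
    labels = [m.group(1).decode() for m in PEM_BLOCK_RE.finditer(data)]
    if labels:                             # text: PEM, or PEM-armoured PKCS#7
        fmt = "PKCS#7 (PEM)" if labels == ["PKCS7"] else "PEM"
        return {"format": fmt, "blocks": labels,
                "unencrypted_key": any(_is_plain_private_key(l) for l in labels)}
    unknown = {"format": "unknown", "blocks": [], "unencrypted_key": False}
    if len(data) < 2 or data[0] != 0x30:   # every binary format here is an outer SEQUENCE
        return unknown
    try:
        _, pos = _asn1_length(data, 1)
        inner = data[pos]                  # tag of the first element inside the SEQUENCE
        if inner == 0x30:                  # SEQUENCE tbsCertificate -> X.509 certificate
            fmt, plain = "DER", False
        elif inner == 0x06:                # OBJECT IDENTIFIER contentType -> PKCS#7 ContentInfo
            fmt, plain = "PKCS#7 (DER)", False
        elif inner == 0x02:                # INTEGER version (assumed one byte long)
            version = data[pos + 2]
            if version == 3:               # PFX version v3 -> PKCS#12 container
                fmt, plain = "PKCS#12", False
            elif version == 0:             # PrivateKeyInfo version 0 -> unencrypted PKCS#8 key
                fmt, plain = "PKCS#8 private key (DER)", True
            else:
                return unknown
        else:
            return unknown
    except IndexError:                     # truncated input
        return unknown
    return {"format": fmt, "blocks": [], "unencrypted_key": plain}
```

The check inspects only the outer structure, so it is a triage aid, not a validator; a result of unencrypted_key True is the file the page says should not be kept without password protection.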

Filename Extensions

There are many common filename extensions in use:

| Extension | Description |
|---|---|
| .crt | Can be DER or PEM. Typical extension used by Unix/Android systems' public certificate files in DER format. |
| .cer | Can be DER or PEM. Typical extension used by Microsoft/Java systems' public certificate files in PEM format. |
| .pem | Should only be PEM encoded. |
| .der | Should only be DER encoded. |
| .p12 | Should only be in PKCS#12 format. Typical extension used by Unix/Android systems' identity certificate/private key pair files. Same format as .pfx, hence can simply be renamed. |
| .pfx | Should only be in PKCS#12 format. Typical extension used by Microsoft systems' identity certificate/private key pair files. Same format as .p12, hence can simply be renamed. |
| .p7b | Should only be in RFC 2315 (PKCS#7) format. Typical extension used by Microsoft and Java systems for certificate chains. |

Third-party tools such as OpenSSL and the Windows Management Console Certificate snap-in can be used to convert between the various formats; care should be taken not to expose any private key during conversion. See Creating a CSR using the OpenSSL Package for information on OpenSSL format conversion.