A SSL Certificate File Extension Explanation: PEM, PKCS7, DER, and PKCS#12 - Comodo SSL Resources (2024)

Loading...

Confused about different SSL formats? Here’s what to know about the most common certificate file extensions

There’s no doubt that the world of SSL certificates can behighly confusing for someone who is new to the industry. One of the reasonsbehind this is the different formats in which SSL certificates are issued. Yes,you read that right: SSL certificates can be issued in various formats such as CER,CRT, DER, PEM, P7B, P7S, PFX, P12, etc. That’s because SSL certificates areissued with different certificate file extensions or in different file formats —such as a PKCS7 certificate or a DER certificate — based on their encoding andthe information they store.

While this may not seem like a big deal, the thing that makes it complicatedis that:

• different certificate authorities issuecertificates in different formats; and
• at the same time, different servers requirecertificates in different formats.

So, if you have an SSL certificate in one certificate file extension format and your server requires it to be in another, you must convert the certificate to the format that your server needs. For example, if you have a PKCS7 file but need it to be a PEM file certificate, you’ll need to convert it before you can use it.

But before you can do that, you must understand each certificate file extension or format to deal with them. So, let’s get more familiar with each of these formats by looking at each certificate file format individually.

PEMFile Certificate Format

PEM, which stands for privacy-enhanced mail, is the most popular containerformat used by certificate authorities (CAs) to issue SSL certificates. Forexample, Apache and other similar servers require SSL certificates to be inthis format.

PEM files contain ASCII (or Base64) encoding data and the certificate filescan be in .pem, .crt, .cer, or .key formats. A PEM certificate file may consistof the server certificate, the intermediate certificate and the private key ina single file. It might also be possible that the server certificate andintermediate certificate are in a separate .crt or .cer file and the privatekey is in a .key file.

Each certificate in the PEM file is enclosed between the —- BEGINCERTIFICATE—- and —-END CERTIFICATE—- statements. For example:

• The private key is contained between the —- BEGINRSA PRIVATE KEY—– and —–END RSA PRIVATE KEY—– statements.
• The CSR is contained between the —–BEGINCERTIFICATE REQUEST—– and —–END CERTIFICATE REQUEST—– statements.

P7B/PKCS#7Format

Certificates in P7B/PKCS#7 formats are encoded in Base64 ASCII encoding andthey usually have .p7b or .p7c as the file extension. The thing thatseparates PKCS#7 formatted certificates is that only certificates can be storedin this format, not private keys. In other words, a P7B file will onlyconsist of certificates and chain certificates.

The certificates having P7B/PKCS#7 format are contained between the“—–BEGIN PKCS7—–” and “—–END PKCS7—–”statements. Microsoft Windows and Java Tomcat are the most common platformsusing this format for SSL certificates.

DERFormat

The DER certificate format, which stands for “distinguished encoding rules,is a binary form of PEM-formatted certificates. DER format can includecertificates and private keys of all types, however, they mostly use .cer and.der extensions. The DER certificate format is most commonly used in Java-basedplatforms.

PFX/P12/PKCS#12Format

The PFX/P12/PKCS#12 format — all of which refer to a personal information exchange format — is the binary format that stores the server certificate, the intermediate certificate and the private key in a single password-protected pfx or .p12 file. These files are typically used on Windows platforms i to allow you to import and export certificates and private keys.