The certificate is, nominally, a container for the public key. Some people use the term "certificate" to designate both the certificate and the private key; this is a common source of confusion. In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the ownership of a public key. The certificate includes information about the key, information about the identity of its owner (called the subject), and the digital signature of an entity that has verified the certificate's contents (called the issuer).
X509 Encodings and File Extensions
The first thing we have to understand is what each type of file extension is. There is a lot of confusion about what DER, PEM, CRT, and CER are, and many have incorrectly said that they are all interchangeable. While in certain cases some can be interchanged, the best practice is to identify how your certificate is encoded and then label it correctly.
Encodings (also used as extensions)
- .DER = The DER extension is used for binary DER encoded certificates. These files may also bear the CER or the CRT extension.
- .PEM = The PEM extension is used for different types of X.509v3 files which contain ASCII (Base64) armored data prefixed with a "-----BEGIN …" line.
- .CRT = The CRT extension is used for certificates. The certificates may be encoded as binary DER or as ASCII PEM. The CER and CRT extensions are nearly synonymous. Most common among *nix systems.
- .CER = Alternate form of .crt (Microsoft convention). You can use Windows to convert .crt to .cer (either a DER-encoded .cer or a Base64 [PEM] encoded .cer). The .cer file extension is also recognized by IE as a command to run an MS CryptoAPI command (specifically rundll32.exe cryptext.dll,CryptExtOpenCER), which displays a dialogue for importing and/or viewing certificate contents.
- .KEY = The KEY extension is used both for public and private PKCS#8 keys. The keys may be encoded as binary DER or as ASCII PEM.
The only time CRT and CER can safely be interchanged is when the encoding type is identical, i.e. a PEM-encoded CRT = a PEM-encoded CER.
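Since the advice above is to identify the encoding before labelling the file, here is a small POSIX shell helper that does exactly that. It is an added example, not part of the original article: it classifies a file as PEM (Base64 armour introduced by a "-----BEGIN" line) or DER (first byte 0x30, the ASN.1 SEQUENCE tag), and normalises a DER certificate to PEM with openssl x509. The file names and the certificate bodies are constructed placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the original article): tell a PEM file from a DER
# file before labelling it, then normalise to PEM. File names are
# assumptions; the sample bodies are constructed, not real certificates.

# detect_encoding FILE -> prints PEM, DER or UNKNOWN (exit status 1 for UNKNOWN)
detect_encoding() {
  f=$1
  # PEM: Base64 armour introduced by a "-----BEGIN ..." line
  if LC_ALL=C grep -q -- '-----BEGIN ' "$f" 2>/dev/null; then
    echo PEM
    return 0
  fi
  # DER: first byte 0x30 is the ASN.1 SEQUENCE tag that opens a Certificate.
  # It also opens a PKCS#8 key, PKCS#7 or PKCS#12 blob, so 0x30 only says
  # "DER-encoded ASN.1", not which object the file holds.
  first=$(od -An -tx1 -N1 "$f" 2>/dev/null | tr -d ' \n')
  if [ "$first" = "30" ]; then
    echo DER
    return 0
  fi
  echo UNKNOWN
  return 1
}

# to_pem IN OUT -> writes a PEM copy of a DER or PEM certificate to OUT
to_pem() {
  in=$1; out=$2
  case "$(detect_encoding "$in")" in
    PEM) cp "$in" "$out" ;;
    DER) openssl x509 -inform DER -in "$in" -outform PEM -out "$out" ;;
    *)   echo "cannot determine encoding of $in" >&2; return 1 ;;
  esac
}

# --- constructed samples for a demonstration run ---
work=$(mktemp -d)
# PEM-armoured file; the body is placeholder text, not a real certificate
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBplaceholder' \
  '-----END CERTIFICATE-----' > "$work/site.crt"
# Opening bytes of a DER SEQUENCE with a two-byte length (0x30 0x82 ...)
printf '\060\202\001\000' > "$work/site.der"
# A file that is neither
printf 'hello\n' > "$work/notes.txt"

for f in site.crt site.der notes.txt; do
  printf '%s: %s\n' "$f" "$(detect_encoding "$work/$f")"
done
```

For a DER file, follow the 0x30 check with the tool that parses the object you expect (openssl x509, openssl pkey, openssl pkcs7 or openssl pkcs12); the byte only confirms the encoding, not the content.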
Container (PFX, PKCS12, PEM)
A .pfx file is a PKCS#12 archive. In cryptography, PKCS #12 defines an archive file format for storing many cryptography objects as a single file with optional password protection. It is commonly used to bundle a private key with its X.509 certificate. PKCS #12 is the successor to Microsoft's "PFX". However, the terms "PKCS #12 file" and "PFX file" are sometimes used interchangeably.
A simpler, alternative format to PKCS #12 is PEM, which just lists the certificates and possibly private keys as Base64 strings in a text file.
The PKCS#7 or P7B format is usually stored in Base64 ASCII format and has a file extension of .p7b or .p7c. P7B certificates contain "-----BEGIN PKCS7-----" and "-----END PKCS7-----" statements. A P7B file only contains certificates and chain certificates, not the private key. Several platforms support P7B files including Microsoft Windows and Java Tomcat.
Common OpenSSL Certificate Manipulations
Converting a PKCS#12 private key to PEM Using OpenSSL
The following command allows you to convert certificates and keys to different formats to make them compatible with specific types of servers or software.
For example, you can convert a PFX (PKCS#12) file used with Tomcat or IIS to a normal PEM file that would work with Apache and TRSuite.
Convert a PKCS#12 file (.pfx .p12) containing a private key and certificates to PEM
openssl pkcs12 -in keyStore.pfx -out keyStore.pem -nodes
You can add -nocerts to only output the private key, or add -nokeys to only output the certificates.
Convert P7B to PEM
openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer
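The following script ties the PKCS#12 conversion and the P7B extraction above into one runnable round trip. It is an added example, not the article's own commands: it creates a throwaway self-signed certificate and key, bundles them into a .pfx, splits the archive with -nocerts and -nokeys, then builds a PKCS#7 bundle and extracts the certificate from it. The file names, the directory and the passphrase "changeit" are assumptions; the certificate is generated on the fly, so nothing here is real key material.

```shell
#!/bin/sh
# Added example, not from the original article: PKCS#12 -> PEM split and
# P7B -> PEM extraction on throwaway, locally generated test material.
# File names and the passphrase "changeit" are assumptions.
set -e

# pkcs12_roundtrip DIR : runs the whole workflow inside DIR
pkcs12_roundtrip() {
  d=$1
  # Throwaway self-signed certificate + key (constructed test material)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=pkcs12-example" -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null
  # Bundle key + certificate into a PKCS#12 (.pfx) archive
  openssl pkcs12 -export -inkey "$d/key.pem" -in "$d/cert.pem" \
    -out "$d/store.pfx" -passout pass:changeit
  # Private key only: -nodes writes it unencrypted, so restrict the file
  openssl pkcs12 -in "$d/store.pfx" -passin pass:changeit \
    -nodes -nocerts -out "$d/key-only.pem"
  chmod 600 "$d/key-only.pem"
  # Certificates only: no private key material in the output
  openssl pkcs12 -in "$d/store.pfx" -passin pass:changeit \
    -nokeys -out "$d/certs-only.pem"
  # PKCS#7 (P7B) bundle from the certificate, then back to PEM as above
  openssl crl2pkcs7 -nocrl -certfile "$d/cert.pem" -out "$d/bundle.p7b"
  openssl pkcs7 -print_certs -in "$d/bundle.p7b" -out "$d/from-p7b.cer"
}

# key_matches_cert KEY CERT : exit 0 if the key's public half equals the
# certificate's public key, i.e. the split files still belong together
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Demonstration run (skipped when openssl is not installed)
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  pkcs12_roundtrip "$work"
  key_matches_cert "$work/key-only.pem" "$work/certs-only.pem" \
    && echo "key-only.pem matches certs-only.pem"
  echo "certificates extracted from bundle.p7b: $(grep -c -- '-----BEGIN CERTIFICATE-----' "$work/from-p7b.cer")"
fi
```

The key_matches_cert check is worth keeping in any conversion script: a server will start with a mismatched key and certificate pair and only fail TLS handshakes later, so comparing the public keys right after the split catches the mistake at conversion time.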