
An SSL Certificate File Extension Explanation: PEM, PKCS7, DER, and PKCS#12


Confused about different SSL formats? Here’s what to know about the most common certificate file extensions

There’s no doubt that the world of SSL certificates can be highly confusing for someone who is new to the industry. One of the reasons behind this is the different formats in which SSL certificates are issued. Yes, you read that right: SSL certificates can be issued in various formats such as CER, CRT, DER, PEM, P7B, P7S, PFX, P12, etc. That’s because SSL certificates are issued with different certificate file extensions or in different file formats — such as a PKCS7 certificate or a DER certificate — based on their encoding and the information they store.

While this may not seem like a big deal, the thing that makes it complicated is that:

  • different certificate authorities issue certificates in different formats; and
  • at the same time, different servers require certificates in different formats.

So, if you have an SSL certificate in one certificate file extension format and your server requires it to be in another, you must convert the certificate to the format that your server needs. For example, if you have a PKCS7 file but need it to be a PEM file certificate, you’ll need to convert it before you can use it.

But before you can do that, you need to understand what each certificate file extension or format contains. So, let’s look at each certificate file format individually.

PEM File Certificate Format

PEM, which stands for privacy-enhanced mail, is the most popular container format used by certificate authorities (CAs) to issue SSL certificates. For example, Apache and other similar servers require SSL certificates to be in this format.

PEM files contain Base64-encoded ASCII data, and the files can have a .pem, .crt, .cer, or .key extension. A PEM certificate file may contain the server certificate, the intermediate certificate and the private key in a single file. Alternatively, the server certificate and intermediate certificate may be in a separate .crt or .cer file and the private key in a .key file.

Each certificate in the PEM file is enclosed between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- statements. Other objects stored in PEM files have their own markers:

  • The private key is contained between the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- statements.
  • The CSR is contained between the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- statements.

P7B/PKCS#7 Format

Certificates in P7B/PKCS#7 format are Base64-encoded ASCII and usually have .p7b or .p7c as the file extension. What sets PKCS#7 apart is that only certificates can be stored in this format, not private keys. In other words, a P7B file will only consist of certificates and chain certificates.

Certificates in P7B/PKCS#7 format are contained between the “-----BEGIN PKCS7-----” and “-----END PKCS7-----” statements. Microsoft Windows and Java Tomcat are the most common platforms using this format for SSL certificates.

DER Format

The DER certificate format, which stands for “distinguished encoding rules,” is a binary form of PEM-formatted certificates. DER format can include certificates and private keys of all types; however, DER files mostly use .cer and .der extensions. The DER certificate format is most commonly used in Java-based platforms.

PFX/P12/PKCS#12 Format

The PFX/P12/PKCS#12 format (all of which refer to a personal information exchange format) is the binary format that stores the server certificate, the intermediate certificate and the private key in a single password-protected .pfx or .p12 file. These files are typically used on Windows platforms to allow you to import and export certificates and private keys.
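Because the same extension (.cer, .crt) can hide different encodings, it is safer to identify a file by its content before converting or sharing it. The sketch below is an added example, not part of the original article: it reads the BEGIN/END markers described above and, going beyond the text, guesses binary containers from their leading ASN.1 bytes. The function names and sample data are constructed for illustration, and the binary checks are heuristics.

```python
import re

# PEM armour: -----BEGIN <label>----- ... -----END <label>-----
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.DOTALL)
SIGNED_DATA_OID = bytes.fromhex("06092a864886f70d010702")  # PKCS#7 signedData


def body(der: bytes) -> bytes:
    """Strip one outer ASN.1 SEQUENCE header; return b'' if there is none."""
    if len(der) < 2 or der[0] != 0x30:
        return b""
    n = der[1]
    return der[2:] if n < 0x80 else der[2 + (n & 0x7F):]


def inspect(data: bytes) -> dict:
    """Guess the container type and whether a private key may be inside."""
    def result(kind, key, objects=()):
        return {"kind": kind, "objects": list(objects), "may_hold_private_key": key}

    labels = [m.group(1).decode() for m in PEM_BLOCK.finditer(data)]
    if labels:
        key = any(label.endswith("PRIVATE KEY") for label in labels)
        return result("PKCS#7 (Base64)" if "PKCS7" in labels else "PEM", key, labels)
    inner = body(data)
    if inner.startswith(SIGNED_DATA_OID):
        return result("PKCS#7 (binary)", False)
    if inner.startswith(b"\x02\x01\x03"):                # INTEGER 3: PFX version
        return result("PKCS#12", True)
    if inner[:3] in (b"\x02\x01\x00", b"\x02\x01\x01"):  # private key version field
        return result("DER private key", True)
    if body(inner)[:1] in (b"\xa0", b"\x02"):            # certificate or CSR body
        return result("DER certificate or CSR", False)
    return result("unknown", False)


# Constructed samples: placeholder payloads, not real certificates or keys.
BUNDLE = (b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
          b"-----BEGIN RSA PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n")
P7B = b"-----BEGIN PKCS7-----\nQ09OU1RSVUNURUQ=\n-----END PKCS7-----\n"
PFX_HEAD = bytes.fromhex("3082000a020103")               # SEQUENCE, then version 3
CERT_HEAD = bytes.fromhex("3082000a30820006a003020102")  # SEQUENCE, SEQUENCE, [0] v3

if __name__ == "__main__":
    for name, blob in [("bundle", BUNDLE), ("p7b", P7B), ("pfx", PFX_HEAD), ("cert", CERT_HEAD)]:
        print(name, inspect(blob))
```

A result with may_hold_private_key set means the file should be treated as secret material, whatever its extension says.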
