If you own or manage a website, there is no doubt the world of SSL certificates can overwhelm you with confusing terms, especially if you are new to the industry. One reason for this is the variety of formats in which a certificate authority can issue a digital certificate: CRT, DER, PEM, PFX, PKCS7, P12, CER, and so on. So let us first understand what SSL certificate file formats and extensions are.
You can define the SSL certificate format as the file format the certification authority uses to store or transmit the digital certificate. Since there is a wide range of servers and devices out there, it is essential to understand which formats each of them is compatible with.
Each server type works with specific SSL file formats, which means that not every SSL file can be installed on every server. A server that accepts certificates usually needs them in one specific format, so it is important to know this aspect of the SSL certificate beforehand.
The certificate authority issues certificates in different formats, with file extensions such as PKCS#7 or PEM, depending on the encoding used and the information the file stores.
For a successful installation of an SSL certificate on your server, it is important to know which type of certificate your device or server demands. In some cases, the server accepts several formats, which are interchangeable. In other cases, you need a specific file type and encoding. Once you have received the certificate files, checking their extension tells you what is in the file and which one best fits your requirements. Although it might not seem like a big deal, there are reasons why it can become complicated:
If you receive an SSL certificate in one format and your server requires another, you have to convert the certificate to the format the server requires. For example, if you have a DER certificate but the server needs a PKCS#7 file, you must convert it before you can use it.
Before doing any file conversions, it is best to understand each file extension or format. So let us get you more familiar with each of these formats by looking at them one at a time:
X.509 is an ITU-T standard for public-key infrastructures (PKI). First presented in 1998, it defines standard formats for most public-key certificates and for the associated certificate revocation lists (CRLs). Today, the term "X.509 certificate" is used to refer to the third revision of the standard (X.509 v3).
DER stands for "Distinguished Encoding Rules". It is the binary form of a PEM-formatted certificate and can hold any type of certificate or private key. DER files usually use the .cer or .der extension, but because .cer is also used for PEM files, you may have to open the file in a text editor to tell a PEM .cer file from a DER .cer file. Both digital certificates and private keys can be encoded in DER format.
For example, X.509 is described in ASN.1 and encoded in DER. While ASN.1 has other encoding rules, DER is the one chosen for certificates because it guarantees a unique encoding for a given ASN.1 value, which is not true of the BER encoding used in LDAP.
PEM stands for Privacy Enhanced Mail, and a PEM certificate is a Base64-encoded DER certificate. Frequently used for web servers, these certificates can be conveniently viewed as readable text in a simple text editor. When you open a PEM-encoded file in a text editor, it contains distinct header and footer lines. PEM is one of the most popular container formats used by certificate authorities (CAs) for issuing SSL certificates. For example, Apache and similar servers require SSL certificates in PEM format.
A PEM file contains ASCII-encoded data, and the certificate files come with .pem, .crt, .cer, or .key extensions. Server certificates, intermediate certificates, and the private key may all be in a single file. Often, though, the server certificate and intermediate certificates are in a separate .crt or .cer file, and the private key is in a .key file.
Every SSL certificate in a PEM file is enclosed between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines. For example:
You can find the private key between the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines.
The CSR is between the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
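The points above about telling PEM from DER and about the labelled blocks inside a PEM bundle can be checked programmatically. The following is an added example written for this article, not code from the original page or from OpenSSL: it classifies a file as PEM or DER by its first bytes, splits a PEM bundle into its labelled blocks, verifies that each block decodes to a complete DER SEQUENCE (the outer element of every X.509 object), and re-wraps DER bytes in PEM armor. The sample bundle is constructed for illustration; its bodies are a tiny hand-made DER value, not real certificates or keys.

```python
import base64
import re

# Constructed sample: a PEM "bundle" whose bodies are the 5-byte DER value
# 30 03 02 01 05 (SEQUENCE { INTEGER 5 }). These are NOT real certificates.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MAMCAQU=
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MAMCAQU=
-----END RSA PRIVATE KEY-----
"""

# One PEM block: header, base64 body, matching footer (label captured once).
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)


def der_length(data):
    """Return the total byte length of the outer ASN.1 SEQUENCE, or None.

    Handles the short form (length < 128 in one byte) and the long form
    (0x80 | N, followed by N big-endian length bytes) used by DER.
    """
    if len(data) < 2 or data[0] != 0x30:   # 0x30 = SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def detect_format(data):
    """Classify raw file bytes as 'PEM', 'DER' or 'unknown'."""
    if b"-----BEGIN " in data:
        return "PEM"
    if der_length(data) == len(data):   # exactly one complete SEQUENCE
        return "DER"
    return "unknown"


def split_pem(data):
    """Return [(label, der_bytes)] for every block in a PEM bundle."""
    blocks = []
    for m in PEM_BLOCK.finditer(data):
        label = m.group(1).decode()
        der = base64.b64decode(b"".join(m.group(2).split()))
        blocks.append((label, der))
    return blocks


def summarize(data):
    """Count what a PEM bundle holds, rejecting blocks that are not DER."""
    counts = {"certificates": 0, "private_keys": 0, "requests": 0, "other": 0}
    for label, der in split_pem(data):
        if der_length(der) != len(der):
            raise ValueError(f"block {label!r} is not a well-formed DER SEQUENCE")
        if label == "CERTIFICATE":
            counts["certificates"] += 1
        elif label.endswith("PRIVATE KEY"):
            counts["private_keys"] += 1
        elif label == "CERTIFICATE REQUEST":
            counts["requests"] += 1
        else:
            counts["other"] += 1
    return counts


def der_to_pem(label, der):
    """Wrap DER bytes in PEM armor, folding the base64 at 64 columns."""
    body = base64.b64encode(der).decode()
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


if __name__ == "__main__":
    raw = SAMPLE_BUNDLE.encode()
    print(detect_format(raw), summarize(raw))
    first_der = split_pem(raw)[0][1]
    print(detect_format(first_der))
    print(der_to_pem("CERTIFICATE", first_der), end="")
```

`summarize` is the programmatic version of the "open it in a text editor" check: it tells you whether a .crt or .cer file holds only certificates or also carries a private key, which matters before you copy the file to a server or paste it into a web form. The DER check is deliberately shallow (outer tag and length only); it confirms the encoding, not that the contents are a valid certificate.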
Certificates in P7B/PKCS#7 format use Base64 ASCII encoding. The format, with file extensions such as .p7b or .p7c, can hold certificates and chain certificates but not private keys. Simply put, a PKCS#7 file consists only of the certificate and its chain certificates, so there is no such thing as a PKCS#7 private key.
PKCS#7 (P7B) files are enclosed between the "-----BEGIN PKCS7-----" and "-----END PKCS7-----" lines. The platforms that most commonly use this format are Microsoft Windows and Java Tomcat.
Separately, in the encryption world, PKCS#7 also names a standard padding method: it determines how many padding bytes are needed to fill the last block and writes that number as the value of each padding byte. Older encryption methods used a 64-bit block size, which meant they read 8 characters (eight 8-bit values) into a block and encrypted it; DES and 3DES are two common methods with this block size. Modern symmetric-key methods like AES use a 128-bit block size, so 16 characters are read at a time. In AES, those 16 bytes are arranged in a 4×4 matrix, the rows and columns are transformed, and the state is then put through an S-box and a P-box.
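The padding rule just described is small enough to write out in full. The following is an added example, not code from the original page: a PKCS#7 padder and unpadder for a 16-byte (AES) block, with the edge case the prose implies handled explicitly. When the input already ends on a block boundary, a whole extra block of 0x10 bytes is appended, so the unpadder can always strip exactly what was added; the unpadder rejects any trailing bytes that do not all equal the length byte. The byte strings used below are constructed test inputs.

```python
BLOCK_SIZE = 16  # AES block size in bytes; DES/3DES would use 8


def pkcs7_pad(data, block_size=BLOCK_SIZE):
    """Append n bytes of value n so len(result) is a multiple of block_size.

    n is always in 1..block_size: an input that is already aligned gets a
    full block of padding, which is what makes the scheme unambiguous.
    """
    if not 1 <= block_size <= 255:
        raise ValueError("block size must be between 1 and 255")
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def pkcs7_unpad(data, block_size=BLOCK_SIZE):
    """Strip PKCS#7 padding, raising ValueError for anything malformed.

    Checks, in order: the input is a whole number of blocks, the length
    byte is in range, and every padding byte equals the length byte.
    """
    if len(data) == 0 or len(data) % block_size != 0:
        raise ValueError("input is not a whole number of blocks")
    n = data[-1]
    if n == 0 or n > block_size:
        raise ValueError("padding length byte out of range")
    if data[-n:] != bytes([n]) * n:
        raise ValueError("padding bytes do not all equal the length byte")
    return data[:-n]


if __name__ == "__main__":
    # Constructed inputs: one exactly one block long, one shorter.
    for msg in (b"YELLOW SUBMARINE", b"ICE ICE BABY", b""):
        padded = pkcs7_pad(msg)
        assert len(padded) % BLOCK_SIZE == 0
        assert pkcs7_unpad(padded) == msg
        print(len(msg), "->", len(padded), padded[-1])
```

In a real protocol the plaintext is never the only thing protected: a ciphertext's authenticity (a MAC or an AEAD mode such as AES-GCM) is checked before any unpadding happens, so that a padding error is never observable to the sender of the ciphertext. The unpadder above is written to take that role for granted and simply reject bad input.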
The PFX/P12/PKCS#12 format is a personal information exchange format. It is a binary format that contains the server certificate, the intermediate certificates, and the private key in a single password-protected .pfx or .p12 file. Typically used on Windows platforms, this format lets users import and export certificates together with their private keys.
Various encryption and security programs use P12 files. The file stores a private key; data encrypted with that key can be decrypted only by the corresponding public key, and data encrypted with the public key can be decrypted only by the private key. This arrangement therefore helps validate the source of transmitted information.
If you want to install a p12 file on a Windows or Mac PC, simply double-click it. The Certificate Import Wizard (Windows) or Add Certificates Wizard (Mac) will appear and guide you through installing the key. Alternatively, you can inspect the contents of a p12 file with OpenSSL, an open-source cryptography toolkit, by entering the following command at your PC's command line:
openssl pkcs12 -info -nodes -in yourfilename.p12
There you have it! These are some of the popular SSL formats. The next natural question is how to convert certificates between these formats. Below are some OpenSSL commands you can use for the conversions.
To convert a PEM certificate (with its CA bundle) to PKCS#7:
openssl crl2pkcs7 -nocrl -certfile your_pem_certificate.crt -out your_pkcs7_certificate.p7b -certfile CA-bundle.crt
To convert PKCS#7 to PEM:
openssl pkcs7 -print_certs -in your_pkcs7_certificate.p7b -out your_pem_certificates.pem
It is important to remember that if the PKCS#7 file includes the chain certificates, the newly generated .pem file will include them as well, as separate blocks.
To convert PEM (certificate, private key and CA bundle) to PFX:
openssl pkcs12 -export -out your_pfx_certificate.pfx -inkey your_private.key -in your_pem_certificate.crt -certfile CA-bundle.crt
You will be asked to specify a password for the PFX file. Make sure you remember it, as it is required when you import the PFX on a new server.
To convert PFX to PEM:
openssl pkcs12 -in your_pfx_certificate.pfx -out your_pem_certificates_and_key.pem -nodes
You will be asked for the password that was used when the PFX file you are converting was created. The resulting PEM file contains the certificate, the chain certificates (if present) and the private key. Note that -nodes writes the private key unencrypted, so protect the output file accordingly.
When you want to convert a certificate from PKCS#7 to PFX, it is important to first convert the certificate into PEM format like this:
openssl pkcs7 -print_certs -in your_pkcs7_certificate.p7b -out your_pem_certificates.pem
After converting, you can convert the certificate into PFX with this command:
openssl pkcs12 -export -out your_pfx_certificate.pfx -inkey your_private.key -in your_pem_certificate.crt
Apart from using commands, you can also use online tools to convert file formats, though bear in mind that uploading a file that contains a private key to a third-party site means that key is no longer private.
Having seen this comprehensive list of formats and file extensions, it is clear that digital signatures have established a solid framework. Regulations like E-sign, eIDAS, and UETA have raised the standards by giving digital signatures the same legal status as traditional wet signatures. Many specialist security companies have a strong track record of deploying dependable, large-scale remote digital signature solutions capable of fulfilling all the strict criteria of these regulations (eIDAS being the most holistic and stringent).
We hope this overview was useful for those needing a detailed analysis of SSL certificate formats.