A Beginner’s Guide to Understanding SSL File Extensions

SSL File Extensions: PEM, PKCS7, DER, and PKCS#12

Understanding the Different SSL Certificate Formats Issued by Certificate Authorities

Suppose you are a website owner or are responsible for website management. In that case, there is no doubt that the world of SSL certificates can overwhelm you with confusing terminology, especially if you are new to the industry. One reason for this is the variety of formats in which a certificate authority can issue a digital certificate. Yes, you read that right! The authority issues certificates in formats such as CRT, DER, PEM, PFX, PKCS7, P12, CER and so on. So, let us first understand what an SSL certificate format is.

What Is an SSL Certificate Format?

The SSL certificate format is the file format (and its associated file extension) in which the certification authority stores or transmits the digital certificate. Since there is a wide range of servers and devices out there, it is important to understand which formats each of them can work with.

Not every SSL file can be installed on every server type, as each server type accepts a particular format. A server that accepts certificates usually needs a specific type of certificate in a specific format, so it is important to know this aspect of the SSL certificate beforehand.

Certificates are issued in different formats because certificate authorities use different certificate file extensions, such as PKCS7 and PEM, among others. The format used depends on how the file is encoded and on what information it stores.

For a successful installation of an SSL certificate on your server, it is important to know which type of certificate your device or server demands. In some cases the server accepts several formats, which are then interchangeable. In other cases a particular file type and encoding are required. Once you have received the certificate files, checking their file extensions will tell you what is in each file and which one best fits your requirements. Although this might not seem like a big deal, there are two reasons why it can become complicated:

  • Different certificate authorities issue certificates in different formats; and
  • Different servers demand certificates in different formats.

So if you receive an SSL certificate in a particular format and your server requires another, you have to convert the certificate to the format that the server requires. For example, if you have a certificate in DER format but the server needs a PKCS7 file, you must convert it before you can use it.

Before doing any file conversions, it is best to understand each file extension or format you will be dealing with. So let us get you more familiar with each of these formats by looking at them one at a time:

X.509 Standard

X.509 is an ITU-T standard for public-key infrastructures (PKI). First presented in 1998, it defines standard formats for most public-key certificates and for the associated certificate revocation lists (CRLs). The term "X.509 certificate" is today used to refer to the third revision of the standard (X.509 v3).

DER File Certificate Format

The DER certificate format stands for "Distinguished Encoding Rules". It is the binary form of the same data that a PEM file carries as Base64 text, and it can hold all types of certificates as well as private keys. DER files usually use the .cer or .der extension, but .cer is also used for PEM files, so to tell a PEM .cer file from a DER .cer file you may have to open it in a text editor: PEM is readable text with BEGIN and END lines, while DER is unreadable binary.

For example, X.509 certificates are described in ASN.1 and encoded with DER. ASN.1 has other encoding rules, but DER is the one chosen for security-relevant data because it yields exactly one valid encoding for a given ASN.1 value, which matters when those bytes are signed. BER, used for example in LDAP, permits several different encodings of the same value.

PEM File Certificate Format

PEM stands for Privacy Enhanced Mail, and a PEM file is a Base64-encoded DER certificate. Frequently used for web servers, these certificates can be opened and read in a simple text editor. Generally, when you open a PEM-encoded file in a text editor, it contains distinct header and footer lines. PEM is one of the most popular container formats used by certificate authorities (CAs) for issuing SSL certificates. For example, Apache and similar servers require SSL certificates in PEM format.

A PEM file contains ASCII-encoded data, and the certificate files come with the .pem, .crt, .cer or .key extension. A single PEM file can hold the server certificate, the intermediate certificate and the private key together; often, though, the server certificate and intermediate certificate are in separate .crt or .cer files, and the private key is in a .key file.

Every SSL certificate in a PEM file is enclosed between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines.

The private key is found between the -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- lines.

The CSR is found between the -----BEGIN CERTIFICATE REQUEST----- and -----END CERTIFICATE REQUEST----- lines.
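The relationship between DER and PEM described in the two sections above can be checked directly on a file. The following Python script is an added example, not code from the original article: it classifies a file as DER or PEM from its first bytes rather than its extension, wraps DER bytes in PEM armor, and splits a PEM bundle into its individual BEGIN/END blocks (certificates, keys or requests). The sample bytes are a constructed minimal ASN.1 SEQUENCE, not a real certificate; pass the functions the contents of a real .cer or .pem file to use them.

```python
import base64
import re

# Constructed sample: a minimal DER-encoded ASN.1 SEQUENCE holding two
# INTEGERs (5 and 7). It is not a real certificate, but like every X.509
# DER file it begins with the SEQUENCE tag byte 0x30.
SAMPLE_DER = bytes.fromhex("30 06 02 01 05 02 01 07")

# One PEM block: BEGIN armor line, Base64 body, matching END armor line.
PEM_BLOCK_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


def detect_format(data: bytes) -> str:
    """Classify raw file contents as 'PEM', 'DER' or 'unknown'.

    A .cer or .crt extension is not reliable; the bytes are. PEM is ASCII
    text that starts with a BEGIN armor line, DER starts with 0x30.
    """
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    return "unknown"


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> str:
    """Base64-encode DER bytes and wrap them in PEM armor, 64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def pem_to_der(pem: bytes) -> list[tuple[str, bytes]]:
    """Split a PEM file into (label, DER bytes) pairs, one per BEGIN/END block.

    A bundle may hold a server CERTIFICATE followed by intermediate
    CERTIFICATEs, a CERTIFICATE REQUEST, or an RSA PRIVATE KEY; the label
    of each block tells them apart.
    """
    blocks = []
    for match in PEM_BLOCK_RE.finditer(pem):
        label = match.group(1).decode("ascii")
        body = b"".join(match.group(2).split())  # drop line breaks inside the body
        blocks.append((label, base64.b64decode(body, validate=True)))
    return blocks


if __name__ == "__main__":
    import sys
    # Usage: python pem_der.py <file>  (prints the format and each PEM block's label/size)
    raw = open(sys.argv[1], "rb").read()
    kind = detect_format(raw)
    print(f"{sys.argv[1]}: {kind}")
    if kind == "PEM":
        for label, der in pem_to_der(raw):
            print(f"  {label}: {len(der)} bytes of DER")
```

Running the script on a .cer file answers the question raised in the DER section (is this .cer PEM or DER?) without opening it in an editor, and the block labels show whether a bundle accidentally contains a private key alongside the certificates.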


PKCS 7 File Certificate Format

Certificates that come in the P7B/PKCS#7 format are encoded in Base64 ASCII. They use the .p7b or .p7c file extension, and this format can store only certificates, not private keys. Simply put, a PKCS#7 file consists only of the certificate and its chain certificates; there is no such thing as a PKCS#7 private key.

The certificates in a P7B/PKCS#7 file are enclosed between the "-----BEGIN PKCS7-----" and "-----END PKCS7-----" lines. The most common platforms that use this format are Microsoft Windows and Java Tomcat.

In the encryption world, PKCS 7 is also the name of a standard padding method: it determines how many padding bytes are needed to fill the last block and appends that many bytes, each holding that number as its value. Older encryption methods used a 64-bit block size, which means they read 8 characters (eight 8-bit values) into a block before encrypting it. DES and 3DES are two common methods that use this block size. Modern symmetric-key methods like AES use a 128-bit block size, so 16 characters are read at a time. AES arranges each 16-byte block as a 4×4 matrix, shifts its rows and mixes its columns, and passes the bytes through its S-box and P-box steps.
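As an added example (not code from the original article), here is the PKCS 7 padding rule from the paragraph above in Python, with a strict unpadding routine. The padding byte count n is always between 1 and the block size, so a message that already fills its last block gets a whole extra block of padding; that is what makes removal unambiguous. The sample inputs are constructed.

```python
def pkcs7_pad(data: bytes, block_size: int = 16) -> bytes:
    """Append n bytes, each with value n, where n = block_size - (len % block_size).

    n is never 0: a message whose length is already a multiple of the block
    size receives a full block of padding bytes (0x10 for AES, 0x08 for DES).
    """
    if not 1 <= block_size <= 255:
        raise ValueError("PKCS#7 block size must be between 1 and 255")
    n = block_size - (len(data) % block_size)
    return data + bytes([n]) * n


def pkcs7_unpad(padded: bytes, block_size: int = 16) -> bytes:
    """Strip PKCS#7 padding, rejecting anything that is not well formed.

    Every one of the last n bytes must equal n; checking only the final byte
    would accept corrupted data. In a real decryptor, verify the MAC before
    unpadding and do not let error messages or timing reveal which check failed.
    """
    if not padded or len(padded) % block_size:
        raise ValueError("input is not a whole number of blocks")
    n = padded[-1]
    if n < 1 or n > block_size or padded[-n:] != bytes([n]) * n:
        raise ValueError("invalid PKCS#7 padding")
    return padded[:-n]


def has_valid_padding(padded: bytes, block_size: int = 16) -> bool:
    """Convenience wrapper: True if pkcs7_unpad would accept the input."""
    try:
        pkcs7_unpad(padded, block_size)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    # Constructed sample messages: one that fills a 16-byte block exactly,
    # one that needs 4 bytes of padding, and one for the 8-byte DES block size.
    for msg, bs in [(b"YELLOW SUBMARINE", 16), (b"ICE ICE BABY", 16), (b"ABCDEFG", 8)]:
        padded = pkcs7_pad(msg, bs)
        print(msg, "->", padded, "->", pkcs7_unpad(padded, bs))
```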

PKCS12 File Certificate Format

The PFX/P12/PKCS#12 format is a personal information exchange format. It is a binary format that contains the server certificate, the intermediate certificates and the private key in a single password-protected .pfx or .p12 file. Typically used on Windows platforms, this format lets users import and export certificates together with their private keys.

Various encryption and security programs use P12 files. The file stores a private key; data encrypted with that private key can be decrypted only with the corresponding public key, and data encrypted with the public key can be decrypted only with the private key. This arrangement is what allows a recipient to validate the source of transmitted information.

If you want to install a .p12 file on a Windows or Mac PC, simply double-click the file. The Certificate Import Wizard (Windows) or Add Certificates Wizard (Mac) will appear and walk you through installing the key. Alternatively, you can inspect the contents of a .p12 file with OpenSSL, an open-source cryptography toolkit, by entering the following command at your PC's command line:

openssl pkcs12 -info -nodes -in yourfilename.p12

Note that -nodes prints the private key to the terminal unencrypted, so run this only on a machine you trust. There you have it! These are some of the popular SSL formats. The next question is how to convert certificates between these formats. Below, we share some commands you can use for that.

Commands to Convert the Certificates Into Different Formats

From PEM to PKCS#7:

openssl crl2pkcs7 -nocrl -certfile your_pem_certificate.crt -out your_pkcs7_certificate.p7b -certfile CA-bundle.crt

From PKCS#7 to PEM:

openssl pkcs7 -print_certs -in your_pkcs7_certificate.p7b -out your_pem_certificates.pem

It is important to remember that if the PKCS#7 file included the chain certificates, the newly generated .pem file will include them as well, each as its own BEGIN CERTIFICATE block in the same file.

From PEM to PFX:

openssl pkcs12 -export -out your_pfx_certificate.pfx -inkey your_private.key -in your_pem_certificate.crt -certfile CA-bundle.crt

You will also be asked to choose a password for the PFX file. Make sure you remember it, as it is required when you import the PFX on a new server.

From PFX to PEM:

openssl pkcs12 -in your_pfx_certificate.pfx -out your_pem_certificates_and_key.pem -nodes

You will be asked for the password that was used when the PFX file was created. The resulting PEM file contains the certificate, the chain certificates (if any) and the private key. Because of -nodes, the private key is written unencrypted, so restrict the file's permissions and delete it once it is installed.

From PKCS#7 to PFX:

When you want to convert a certificate from PKCS#7 to PFX, you must first convert it to PEM format, like this:

openssl pkcs7 -print_certs -in your_pkcs7_certificate.p7b -out your_pem_certificates.pem

After that, you can convert the PEM file into PFX with the following command. A PKCS#7 file never contains the private key, so the key you supply with -inkey must be the one generated together with the CSR:

openssl pkcs12 -export -out your_pfx_certificate.pfx -inkey your_private.key -in your_pem_certificates.pem

Apart from using commands, you can also use online tools to convert between file formats. Keep in mind, though, that any tool you upload a private key to ends up with a copy of that key, so conversions that involve a private key (PFX or PEM with a .key) are best done on your own machine with the commands above.
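To tie the conversion commands in this section together, here is an added Python script (not from the original article) that builds and runs the same openssl invocations. Two details go beyond the commands as printed above and are this example's own choices: the PFX password is passed through an environment variable using openssl's -passout env:NAME and -passin env:NAME options, so it never appears on the command line or in shell history, and the PKCS#7-to-PFX path runs the two steps automatically through a temporary PEM file. The variable name PFX_PASS and the file names are assumptions; openssl must be installed for the commands to run.

```python
import os
import subprocess
import tempfile
from typing import Optional

# Assumed name of the environment variable holding the PFX password.
# "-passout env:PFX_PASS" makes openssl read it from there instead of
# prompting or taking it from the command line.
PASSWORD_ENV = "PFX_PASS"


def pem_to_pkcs7(cert: str, out: str, chain: Optional[str] = None) -> list:
    """PEM certificate (plus optional CA bundle) to a .p7b file."""
    cmd = ["openssl", "crl2pkcs7", "-nocrl", "-certfile", cert, "-out", out]
    if chain:
        cmd += ["-certfile", chain]  # -certfile may be repeated
    return cmd


def pkcs7_to_pem(p7b: str, out: str) -> list:
    """Extract every certificate in a .p7b file into one PEM file."""
    return ["openssl", "pkcs7", "-print_certs", "-in", p7b, "-out", out]


def pem_to_pkcs12(cert: str, key: str, out: str, chain: Optional[str] = None) -> list:
    """Bundle certificate, private key and optional chain into a password-protected PFX."""
    cmd = ["openssl", "pkcs12", "-export", "-out", out, "-inkey", key, "-in", cert,
           "-passout", f"env:{PASSWORD_ENV}"]
    if chain:
        cmd += ["-certfile", chain]
    return cmd


def pkcs12_to_pem(pfx: str, out: str) -> list:
    """Unpack a PFX into PEM; -nodes leaves the private key unencrypted."""
    return ["openssl", "pkcs12", "-in", pfx, "-out", out, "-nodes",
            "-passin", f"env:{PASSWORD_ENV}"]


def run(cmd: list) -> None:
    """Run one openssl command, refusing to start if a needed password is missing."""
    if any(arg == f"env:{PASSWORD_ENV}" for arg in cmd) and PASSWORD_ENV not in os.environ:
        raise RuntimeError(f"set the {PASSWORD_ENV} environment variable first")
    subprocess.run(cmd, check=True)


def pkcs7_to_pkcs12(p7b: str, key: str, out: str) -> None:
    """Two-step conversion: PKCS#7 carries no private key, so the key that was
    generated with the CSR must be supplied separately."""
    with tempfile.TemporaryDirectory() as tmp:
        pem = os.path.join(tmp, "chain.pem")
        run(pkcs7_to_pem(p7b, pem))
        run(pem_to_pkcs12(pem, key, out))


def convert_pkcs12_to_pem(pfx: str, out: str) -> None:
    """Unpack a PFX and make the (unencrypted) result readable only by its owner."""
    run(pkcs12_to_pem(pfx, out))
    os.chmod(out, 0o600)


if __name__ == "__main__":
    import sys
    # Usage: PFX_PASS=... python convert.py p7b2pfx cert.p7b private.key cert.pfx
    #        PFX_PASS=... python convert.py pfx2pem cert.pfx cert_and_key.pem
    mode, args = sys.argv[1], sys.argv[2:]
    if mode == "p7b2pfx":
        pkcs7_to_pkcs12(*args)
    elif mode == "pfx2pem":
        convert_pkcs12_to_pem(*args)
    else:
        sys.exit("unknown mode: use p7b2pfx or pfx2pem")
```

Because each builder returns the argument list rather than a shell string, file names containing spaces or shell metacharacters are passed to openssl verbatim, and the list can be logged or reviewed before anything runs.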

To Conclude

Having seen this comprehensive list of formats and file extensions, it is clear that digital signatures rest on a well-established framework. Regulations such as E-sign, eIDAS and UETA have raised the standard by giving digital signatures legal status equal to that of traditional wet signatures. Many specialist security companies have a strong track record of deploying dependable, large-scale remote digital signature solutions that satisfy the strict requirements of these regulations (eIDAS being the most comprehensive and stringent).

We hope this overview was useful to anyone needing a detailed look at SSL certificate formats.

Janki Mehta

Janki Mehta is a Cyber-Security Enthusiast who constantly updates herself with new advancements in the Web/Cyber Security niche. Along with theoretical knowledge, she also implements her practical expertise in day-to-day tasks and helps others to protect themselves from threats.