SSL Certificates

X.509

  • X.509 is a standard that defines the structure of the certificate using a formal language called Abstract Syntax Notation One (ASN.1)
  • There are different formats of X.509 certificates such as PEM, DER, PKCS#7 and PKCS#12. PEM and PKCS#7 formats use Base64 ASCII encoding while DER and PKCS#12 use binary encoding
  • An X.509 certificate contains information about the identity (organization or individual) to which a certificate is issued and the identity that issued it.
  • It can be self-signed or signed by a certificate authority

CSR (Certificate Signing Request)

  • A CSR is a block of encoded data submitted to a Certificate Authority for signing, in order to generate a Digital Certificate (which includes the public key but not the private key) for the requesting entity
  • A CSR can be encoded in the PKCS#10 binary format defined in RFC 2986, which can be used with X.509
    • It can also be represented as a base64 encoded PKCS#10
  • A certification request consists of three main parts
    • certification request information
      • entity’s distinguished name
      • the entity’s public key
      • set of attributes providing other information
    • signature algorithm identifier
    • digital signature on the certification request

PEM (Privacy-Enhanced Mail)

  • Container file format for storing and sending cryptographic keys, certificates or entire chain, and other data
  • The PEM format was formalized by the IETF in RFC 7468
  • It is base64-encoded X.509 ASN.1 data
  • PEM data is commonly stored in files with a “.pem”, “.cert”, “.cer” or “.crt” suffix (for certificates), or a “.key” suffix (for public or private keys)
  • A PEM file may contain multiple instances (e.g. chain of certificates)

KEY (suffix)

  • A PEM formatted file containing just the private-key
  • It is just a naming convention; there is no standardization
  • File permissions on these files can be very important, as some programs might refuse to load these keys
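
The permission point above can be checked mechanically. The following is an added example, not part of the original notes: a POSIX-only audit that reports private-key PEM files readable by group or other, and keys stored without encryption. The function names and the sample PEM bodies are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Matches PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY, ...
PRIVATE_LABEL = re.compile(rb"-----BEGIN ((?:[A-Z0-9]+ )*PRIVATE KEY)-----")

# Constructed placeholders: the base64 bodies are dummy data, not real keys.
PLAIN = b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n"
ENC = b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n"
CERT = b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"

def audit_key_file(path: str) -> list:
    """Return findings for a PEM file that holds private key material."""
    with open(path, "rb") as fh:
        data = fh.read()
    labels = PRIVATE_LABEL.findall(data)
    if not labels:
        return []                      # no private key inside: nothing to report
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:                   # any group/other permission bit set
        findings.append(f"mode {mode:04o} lets group/other access the key")
    # Coarse per-file check: PKCS#8 encrypted label, or the legacy
    # "Proc-Type: 4,ENCRYPTED" header of traditional encrypted PEM keys.
    encrypted = (all(l.startswith(b"ENCRYPTED") for l in labels)
                 or b"Proc-Type: 4,ENCRYPTED" in data)
    if not encrypted:
        findings.append("private key is stored unencrypted")
    return findings

def demo(mode: int, pem: bytes) -> list:
    """Write constructed sample data to a temp file with the given mode, then audit it."""
    fd, path = tempfile.mkstemp(suffix=".key")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(pem)
        os.chmod(path, mode)
        return audit_key_file(path)
    finally:
        os.remove(path)

if __name__ == "__main__":
    print(demo(0o644, PLAIN))
    print(demo(0o600, ENC))
```
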

CERT, CER, CRT (suffix)

  • A PEM formatted file with a different extension that is recognized by Windows as a certificate while a file with .pem is not recognized
  • Usually contains a single certificate without any wrapping (NO private key, NO password)
  • A CERT file is usually in X.509 format

PFX (suffix)

  • PFX stands for Personal Exchange Format
  • A .pfx file is a PKCS#12 archive
  • A .pfx file can contain Private Key and hence should NOT be distributed outside the organization
  • It can be used for TLS/SSL on a web site, for digitally signing messages or authorization tokens, or for authenticating to a partner system
  • PFX files are password protected (usually)

CRL (Certificate Revocation List)

  • A certificate revocation list (CRL) provides a list of certificates that have been revoked
  • Certificate Authorities produce these as a way to de-authorize certificate(s) before expiration.
  • The lists can sometimes be downloaded from CA websites.
  • States of revocation
    • Revoked: A certificate is irreversibly revoked.
    • Hold: Temporary revocation and can be reinstated

PKCS12, P12

  • PKCS#12 defines an archive format: a bag that can hold many objects in a single file, with optional password protection.
  • It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust.
  • A PKCS #12 file may be encrypted and signed.
    • The internal storage containers, called “SafeBags”, may also be encrypted and signed.
    • A few SafeBags are predefined to store certificates, private keys and CRLs.
    • Another SafeBag is provided to store any other data at individual implementer’s choice.
  • PKCS #12 is the successor to Microsoft’s “PFX”; however, the terms “PKCS #12 file” and “PFX file” are sometimes used interchangeably
  • A simpler, alternative format to PKCS #12 is PEM which just lists the certificates and possibly private keys as Base 64 strings in a text file
  • The filename extension for PKCS #12 files is .p12 or .pfx

PKCS7, P7B, KEYSTORE

  • The PKCS#7 format is a Cryptographic Message Syntax Standard defined in RFC 2315 as PKCS number 7
  • The PKCS#7 certificate uses Base64 ASCII encoding with file extension .p7b or .p7c.
  • Only certificates can be stored in this format, NOT private keys.
  • This is a format used by Windows for certificate interchange.
  • Java understands these natively, and often uses .keystore as an extension instead.
  • Unlike .pem style certificates, this format has a defined way to include certification-path certificates.

DER (Distinguished Encoding Rules)

  • DER is the method of encoding the data that makes up the certificate.
  • The structure of a certificate is described using the ASN.1 data representation language. BER and DER are binary encoding methods for data described by ASN.1
  • A file with DER extension is simply a binary encoded ASN.1 file.
  • These files may also bear the CER or the CRT extension
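
Because the same extension (.cer, .crt) can hold either PEM or DER, and a PEM file can hold several objects, content is a better guide than the file name. The following is an added example, not part of the original notes: it classifies a blob as PEM or DER, lists the label of every PEM block, and checks that each decoded body is one well-formed DER SEQUENCE. The function names and the tiny sample DER value are constructed for illustration.

```python
import base64
import re

# RFC 7468 textual encoding: matching BEGIN/END label lines around base64 text.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

# Constructed sample: DER for SEQUENCE { INTEGER 1, INTEGER 2 }, not a real certificate.
SAMPLE_DER = bytes.fromhex("3006020101020102")

def to_pem(label: bytes, der: bytes) -> bytes:
    """Wrap DER bytes in a PEM block with 64-character base64 lines."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN " + label + b"-----\n" + b"\n".join(lines)
            + b"\n-----END " + label + b"-----\n")

def der_total_length(data: bytes) -> int:
    """Return the full size the outer DER header declares, or -1 if invalid."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = constructed SEQUENCE
        return -1
    if data[1] < 0x80:                        # short form: one length byte
        return 2 + data[1]
    n = data[1] & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:  # n == 0 is indefinite length (BER only)
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify(data: bytes) -> dict:
    """Classify a blob by content; each PEM block is (label, body_is_valid_der)."""
    blocks = []
    for label, body in PEM_BLOCK.findall(data):
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError:
            der = b""
        blocks.append((label.decode(), der_total_length(der) == len(der)))
    if blocks:
        return {"encoding": "PEM", "blocks": blocks}
    kind = "DER" if der_total_length(data) == len(data) else "unknown"
    return {"encoding": kind, "blocks": []}

if __name__ == "__main__":
    bundle = to_pem(b"CERTIFICATE", SAMPLE_DER) * 2 + to_pem(b"PRIVATE KEY", SAMPLE_DER)
    print(classify(bundle))
    print(classify(SAMPLE_DER))
```

A `PRIVATE KEY` label showing up in a file meant to be distributed as a certificate chain is the case worth alerting on.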

Summary

X.509 Certificate’s encoding formats and file extensions