Certificate file format
X.509 Standard
X.509 is a standard defining the format of public key certificates.
X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure protocol for browsing the web.
No matter its intended application(s), each X.509 certificate includes a public key, digital signature, and information about both the identity associated with the certificate and its issuing certificate authority (CA).
File Formats
.crt, .cer, .der, .pem, .pfx, .p12 files are all used to store X.509 certificates and private keys.
CRT/CER
.cer and .crt just stand for certificate. It is normally DER encoded data.
We can use openssl to convert a PEM file to a CRT file:
openssl x509 -outform der -in your-cert.pem -out your-cert.crt
PEM
PEM stands for Privacy Enhanced Mail, and it is a Base64 encoded DER certificate.
PEM certificates are frequently used for web servers as they can easily be translated into readable data using a simple text editor.
PEM certificates are also used for email encryption and file encryption.
Typical content of a PEM file looks like this:
-----BEGIN CERTIFICATE-----
It is downloaded from ssl.com.
The certificate starts with -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----.
Use openssl to view the details of the certificate:
openssl x509 -in ssl.com.pem -text -noout
We can also put a private key in the PEM file. For example, when you log in to an EC2 server on AWS, you need to use a PEM file that contains both the certificate and the private key.
-----BEGIN PRIVATE KEY-----
In this case, there is an RSA private key in this file for authentication.
It's very easy to generate an RSA private key with openssl:
openssl genrsa -out key.pem 2048
And check the details of the private key:
openssl rsa -in key.pem -text -noout
DER
DER, which stands for “distinguished encoding rules”, is the method of encoding the data that makes up the certificate.
DER certificates are binary encoded and are most often used in Java-based systems.
You can use openssl to convert a PEM file to a DER file:
openssl x509 -outform der -in ssl.com.pem -out ssl.com.der
The data in the ssl.com.der file is actually binary data and not human-readable.
You can base64 the binary data and find the same data as in the ssl.com.pem file.
base64 ssl.com.der
The DER file is not used very much outside of Windows.
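To make the PEM/DER relationship concrete, here is an added example that is not part of the original post and not OpenSSL's code: a small toolkit written only with the Python standard library. It strips and re-applies PEM armor (64-character Base64 lines, as openssl writes them), walks the DER tag/length/value structure while enforcing DER's minimal-length rules, lists the three top-level children that a Certificate SEQUENCE is built from, and inventories a PEM bundle for private-key blocks stored in the clear. The function names are my own, and SAMPLE_DER is a constructed, certificate-shaped blob (not a valid certificate) that exists only so the code runs offline.

```python
import base64
import re

# PEM armor: "-----BEGIN LABEL-----", Base64 body, "-----END LABEL-----".
# One file may hold several blocks (e.g. a certificate followed by a key).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_encode(der: bytes, label: str) -> str:
    """Wrap DER bytes in PEM armor; the Base64 body is split into 64-char lines like openssl does."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def pem_decode(text: str) -> list[tuple[str, list[str], bytes]]:
    """Return (label, header_lines, der_bytes) for every PEM block, in file order.
    Legacy encrypted keys carry "Proc-Type:/DEK-Info:" header lines before the Base64."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        lines = m.group(2).splitlines()
        headers = [ln.strip() for ln in lines if ":" in ln]   # ':' never occurs in Base64
        body = "".join(ln.strip() for ln in lines if ":" not in ln)
        blocks.append((m.group(1), headers, base64.b64decode(body, validate=True)))
    return blocks


def unencrypted_private_keys(text: str) -> list[str]:
    """Labels of private-key blocks that hold the key without passphrase protection."""
    found = []
    for label, headers, _ in pem_decode(text):
        legacy_encrypted = any(h.startswith("Proc-Type") and "ENCRYPTED" in h for h in headers)
        if label.endswith("PRIVATE KEY") and not label.startswith("ENCRYPTED") and not legacy_encrypted:
            found.append(label)
    return found


def der_encode(tag: int, value: bytes) -> bytes:
    """One DER element: tag, minimal length (short form below 128, else long form), value."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def der_read(buf: bytes, pos: int = 0) -> tuple[int, bytes, int]:
    """Parse the element at buf[pos:] under DER's strict rules; return (tag, value, end_offset)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first                                  # short form
    else:
        n = first & 0x7F                                # long form: n following length bytes
        if n == 0:
            raise ValueError("indefinite length is BER, not DER")
        if pos + n > len(buf):
            raise ValueError("truncated length field")
        if buf[pos] == 0:
            raise ValueError("leading zero in length: not minimal, not DER")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
        if length < 0x80:
            raise ValueError("long-form length for a value under 128 bytes: not DER")
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("element runs past end of buffer")
    return tag, value, pos + length


def is_strict_der(buf: bytes) -> bool:
    """True if buf is exactly one well-formed DER element."""
    try:
        return der_read(buf)[2] == len(buf)
    except (ValueError, IndexError):
        return False


TAG_NAMES = {0x02: "INTEGER", 0x03: "BIT STRING", 0x06: "OBJECT IDENTIFIER",
             0x0C: "UTF8String", 0x30: "SEQUENCE"}


def outer_sequence_children(der: bytes) -> list[tuple[str, int]]:
    """(type name, value length) of each top-level child. For a real X.509 certificate this is
    SEQUENCE (tbsCertificate), SEQUENCE (signatureAlgorithm), BIT STRING (signatureValue)."""
    tag, value, end = der_read(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single outer SEQUENCE")
    children, pos = [], 0
    while pos < len(value):
        t, v, pos = der_read(value, pos)
        children.append((TAG_NAMES.get(t, f"tag 0x{t:02X}"), len(v)))
    return children


# Constructed sample: certificate-SHAPED DER with the three children of a Certificate, but
# NOT a valid certificate. The 200-byte string forces a long-form length so that path runs.
SAMPLE_DER = der_encode(0x30,
    der_encode(0x30, der_encode(0x02, b"\x02") + der_encode(0x0C, b"x" * 200))
    + der_encode(0x30, der_encode(0x06, bytes.fromhex("2A864886F70D01010B")))  # OID sha256WithRSAEncryption
    + der_encode(0x03, b"\x00" + b"\xAB" * 32))                                  # BIT STRING, 0 unused bits

if __name__ == "__main__":
    # A constructed bundle: the sample "certificate" plus an empty SEQUENCE standing in for a key.
    bundle = pem_encode(SAMPLE_DER, "CERTIFICATE") + pem_encode(b"\x30\x00", "PRIVATE KEY")
    print(bundle)
    print(outer_sequence_children(SAMPLE_DER))
    print("private keys stored in the clear:", unencrypted_private_keys(bundle))
```

Running `pem_decode` on a real `ssl.com.pem` and comparing the bytes with `ssl.com.der` gives equality, which is the "same data" the base64 command above shows by eye; `outer_sequence_children` on the real DER returns the three tbsCertificate/signatureAlgorithm/signatureValue entries. The strictness checks matter because a parser that silently accepts BER variants of a signed structure can be made to see different bytes than the ones the signature covers.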
PKCS7/PKCS12
PKCS stands for Public Key Cryptography Standards by RSA Security LLC.
It is a family of standards that deals with public-key cryptography.
There are many different standards in the PKCS family, but the most common ones are PKCS#7 and PKCS#12.
PKCS#7 is used for signing and encrypting data, and PKCS#12 is used for storing keys and certificates.
PKCS#7
PKCS#7 can also be referred to as P7B and is known as Cryptographic Message Syntax.
PKCS#7 files may be stored either in raw DER format or in PEM format.
For the PEM format, signed or encrypted data is wrapped inside Base64 encoding and sandwiched between -----BEGIN PKCS7----- and -----END PKCS7-----.
Windows uses the .p7b file name extension for both of these encodings.
A typical use of a PKCS#7 file would be to store certificates and/or certificate revocation lists (CRL).
We can use openssl to convert a PEM file to a PKCS#7 file:
openssl crl2pkcs7 -nocrl -certfile your-cert.pem -out your-cert.p7b
And get the following data:
-----BEGIN PKCS7-----
PKCS#12
PKCS#12 can also be referred to as PFX/P12.
This is a password-protected container format that bundles certificates with their private keys.
Unlike .pem files, this container is fully encrypted.
We can generate a PKCS#12 file with openssl, but we need to generate the certificate file and private key file beforehand:
openssl req -x509 -newkey rsa:4096 -keyout myKey.pem -out cert.pem -days 365 -noenc
Then generate the pfx file from the cert and key files. We need to set a password for this file to protect the private key.
openssl pkcs12 -export -out my.pfx -inkey myKey.pem -in cert.pem
To get the information of the pfx file, we can use openssl:
openssl pkcs12 -info -in my.pfx -noout
If we need to print all the data, we can use the command below.
Remember this is a dangerous operation because it will print out your private key.
openssl pkcs12 -info -in my.pfx -noenc