Certificate formats
PEM - Privacy Enhanced Mail
PEM is the most common format in which Certificate Authorities issue certificates. These are mostly used by Unix/Linux users. They are encoded in base-64.
The public part of the certificate is enclosed by "-----BEGIN PUBLIC KEY-----" and "-----END PUBLIC KEY-----", while the private part of the certificate is enclosed by "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----".
The PEM format can contain any client/server certificate, intermediate certificate, root CA and private key.
- These are Base64 encoded ASCII files.
- They have extensions like .pem, .crt, .key (.cert sometimes).
- Apache and similar servers use PEM format certificates.
DER - Distinguished Encoding Rules
DER is a binary format certificate. All kinds of certificates and private keys can be encoded.
This format supports the storage of a single certificate and does not include the private key for the root/intermediate CA.
- These are files in binary format.
- They have extensions .cer and .der.
DER is typically used on the Java platform.
PKCS#7
This format contains only a certificate or a certificate chain; it does not store the private key.
CAs commonly use this format to provide certificate chains to users. These files usually have a .p7b or .p7s extension.
PFX - Personal Information Exchange
PFX is a format for storing a server certificate or any intermediate certificate along with the private key in an encrypted file. PFX follows the Public Key Encryption Standard (PKCS). The term PFX is used interchangeably with PKCS#12.
They have a .pfx or .p12 extension.
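File extensions overlap in practice (a .crt or .cer file may hold either PEM or DER), so tooling should decide the format from the content. The following Python example is added here and is not part of the original page: it classifies input by its PEM labels and by the first DER element inside the outer SEQUENCE, and flags anything that carries private key material. The function names, the heuristic and the sample bytes are constructed for illustration; CERTIFICATE is the standard PEM label for X.509 certificates.

```python
import base64
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def _hdr(b, i):
    """Return (tag, content_offset, content_length) of the DER element at offset i."""
    n = b[i + 1] & 0x7F if b[i + 1] & 0x80 else 0   # long form: n length bytes follow
    length = int.from_bytes(b[i + 2:i + 2 + n], "big") if n else b[i + 1]
    return b[i], i + 2 + n, length

def der_kind(der):
    """Heuristic: classify DER by the first element inside the outer SEQUENCE."""
    try:
        tag, off, _ = _hdr(der, 0)
        if tag != 0x30:
            return "unknown"
        tag, off, length = _hdr(der, off)
        if tag == 0x06:                      # PKCS#7 ContentInfo starts with an OID
            return "pkcs7"
        if tag == 0x02 and length == 1:      # leading version INTEGER
            return {3: "pkcs12", 0: "private-key", 1: "private-key"}.get(der[off], "unknown")
        if tag == 0x30 and _hdr(der, off)[0] == 0xA0:   # tbsCertificate with [0] version
            return "certificate"
    except IndexError:                       # truncated input
        pass
    return "unknown"

def classify(data):
    """Return [(pem_label_or_None, kind), ...] from content, never from the extension."""
    out = []
    for label, body in PEM_RE.findall(data):
        try:
            out.append((label.decode(), der_kind(base64.b64decode(body))))
        except ValueError:                   # body is not plain Base64 (e.g. encrypted PEM)
            out.append((label.decode(), "unknown"))
    return out or [(None, der_kind(data))]

def has_private_key(data):
    """True if any object is private key material or a PKCS#12 container."""
    return any((label or "").endswith("PRIVATE KEY") or kind in ("private-key", "pkcs12")
               for label, kind in classify(data))

# Constructed samples: minimal DER skeletons, not real certificates or keys.
def _pem(label, der):
    return b"-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, base64.b64encode(der), label)
CERT = bytes.fromhex("30073005a003020102")          # SEQUENCE { SEQUENCE { [0] { INTEGER 2 } } }
P7B = bytes.fromhex("300b06092a864886f70d010702")    # SEQUENCE { OID signedData }
PFX = bytes.fromhex("3003020103")                    # SEQUENCE { INTEGER 3 }
BUNDLE = _pem(b"CERTIFICATE", CERT) + _pem(b"RSA PRIVATE KEY", bytes.fromhex("3003020100"))
```

Running `has_private_key` over files before they are published or committed catches a PEM bundle or PFX that still carries its key, whatever the file is named.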