Certificates are often known as X.509 certificates, since X.509 is the standard that defines their context and layout. The
commonest algorithms for creating public and private keys are RSA and DSA, and keys are often referred to as RSA keys or DSA
keys. None of these, however, define the format of the file in which a certificate or key is held. There are many rival formats
for these files. Some of the commonest standard formats are:
- DER. This format can contain private keys (RSA or DSA), public keys (RSA or DSA) and X.509 certificates. It is headerless.
It is the default format for most browsers. A file can contain only one certificate. Optionally the certificate can be encrypted.
The standard extension is
.cer, but might be
.der in some installations.
- PEM. This format can contain private keys (RSA or DSA), public keys (RSA or DSA) and X.509 certificates. It is the default
format for OpenSSL. It stores the data in either ASN.1 or DER format, surrounded by ASCII headers, so is suitable for sending
files as text between systems. A file can contain multiple certificates. The standard extension is
.pem.
- PKCS #7. This is the Cryptographic Message Syntax Standard. A file can contain multiple certificates. Optionally they can
be hashed. Optionally a certificate can be accompanied by a private key. As well as the original PKCS #7, there are three
revisions: a, b, and c. The standard extensions for these four versions are
.spc,
.p7a,
.p7b and
.p7c respectively.
- PKCS #8. This format can contain private keys and encrypted private key information. It stores the data in base64 encoded
data, usually using a DER or PEM structure which is then encrypted. The standard extension is
.p8.
- PKCS #12. This is also known as PFX. This format can contain private keys (RSA or DSA), public keys (RSA or DSA) and X.509
certificates. It stores them in a binary format. The standard extension is
.pfx or
.p12.