<h1>Certificate / SSL File Formats</h1>
<p>Published 2015-12-03 at <a href="https://blog.designed79.co.uk/?p=2386">https://blog.designed79.co.uk/?p=2386</a></p>
<p>SSL has been around for long enough that you'd think there would be agreed-upon container formats. And you're right, there are. Too many standards, as it happens.</p>
<ul>
<li><strong>.csr</strong> This is a Certificate Signing Request. Some applications can generate these for submission to certificate authorities. The actual format is PKCS10, which is defined in <a href="https://tools.ietf.org/html/rfc2986">RFC 2986</a>. It includes some or all of the key details of the requested certificate, such as subject, organization, state and so on, as well as the <em>public key</em> of the certificate to be signed. These get signed by the CA and a certificate is returned. The returned certificate is the public <em>certificate</em> (which includes the public key but not the private key), which itself can be in a couple of formats.</li>
<li><strong>.pem</strong> Defined in RFCs <a href="https://tools.ietf.org/html/rfc1421">1421</a> through <a href="https://tools.ietf.org/html/rfc1424">1424</a>, this is a container format that may include just the public certificate (such as with Apache installs, and the CA certificate files in <code>/etc/ssl/certs</code>), or may include an entire certificate chain including public key, private key, and root certificates. Confusingly, it may also encode a CSR (e.g. as used <a href="https://jamielinux.com/docs/openssl-certificate-authority/create-the-intermediate-pair.html">here</a>), as the PKCS10 format can be translated into PEM. The name comes from <a href="https://en.wikipedia.org/wiki/Privacy-enhanced_Electronic_Mail">Privacy Enhanced Mail (PEM)</a>, a failed method for secure email; the container format it used lives on, and is a Base64 encoding of the X.509 ASN.1 data.</li>
<li><strong>.key</strong> This is a PEM-formatted file containing just the private key of a specific certificate; the extension is merely a conventional name, not a standardized one. In Apache installs, this frequently resides in <code>/etc/ssl/private</code>. The permissions on these files are very important, and some programs will refuse to load them if the permissions are set wrong.</li>
<li><strong>.pkcs12 .pfx .p12</strong> Originally defined by RSA in the <a href="http://www.rsa.com/rsalabs/node.asp?id=2124">Public-Key Cryptography Standards</a>, the "12" variant was enhanced by Microsoft. This is a password-protected container format that holds both the public certificate and the matching private key. Unlike .pem files, this container is fully encrypted. OpenSSL can turn it into a .pem file with both the public certificate and the private key:
<code>openssl pkcs12 -in file-to-convert.p12 -out converted-file.pem -nodes</code>
Note that <code>-nodes</code> writes the private key out unencrypted, so the resulting .pem file needs the same tight permissions as a .key file.</li>
</ul>
<p>A few other formats that show up from time to time:</p>
<ul>
<li><strong>.der</strong> A way to encode ASN.1 syntax in binary; a .pem file is just a Base64-encoded .der file. OpenSSL can convert these to .pem:
<code>openssl x509 -inform der -in to-convert.der -out converted.pem</code>
Windows sees these as certificate files. By default, Windows will export certificates as DER-formatted files with a different extension, such as the ones below.</li>
<li><strong>.cert .cer .crt</strong> A .pem (or, rarely, .der) formatted file with a different extension, one that is recognized by Windows Explorer as a certificate, which .pem is not.</li>
<li><strong>.p7b</strong> Defined in <a href="https://tools.ietf.org/html/rfc2315">RFC 2315</a>, this is a format used by Windows for certificate interchange. Java understands these natively. Unlike .pem-style certificates, this format has a <em>defined</em> way to include certification-path certificates.</li>
<li><strong>.crl</strong> A certificate revocation list. Certificate authorities produce these as a way to de-authorize certificates before they expire. You can sometimes download them from CA websites.</li>
</ul>
<p>In summary, there are four different ways to present certificates and their components:</p>
<ul>
<li><strong>PEM</strong> Governed by RFCs, it's used preferentially by open-source software. It can have a variety of extensions (.pem, .key, .cer, .cert, and more).</li>
<li><strong>PKCS7</strong> An open standard used by Java and supported by Windows. Does not contain private key material.</li>
<li><strong>PKCS12</strong> A private standard that provides enhanced security versus the plain-text PEM format. This can contain private key material. It's used preferentially by Windows systems, and can be freely converted to PEM format with OpenSSL.</li>
<li><strong>DER</strong> The parent format of PEM. It's useful to think of it as the binary version of the Base64-encoded PEM file. Not routinely used by much outside of Windows.</li>
</ul>