I don’t know about you but, in my case, when I started to work with SSL/TLS it took me a while to get my head around all the jargon related to certificates: pem, der, cer, crt, CA... that was too much to digest.For those of you who are in this situation, I’ve just created this quick summary that, hopefully, would save hours for you. For those of you who already know this stuff, here’s a quick refresh.
If you still don’t know exactly what a Digital Certificate or Digital Signature is, I’d recommend starting from here:
As we saw in this post, the standard for SSL/TLS certificates is the x509 standard. So, when we say SSL/TLS or digital certificates we’re referring to x509 certificates. x509 is the standard for all PKIX (Public Key Infrastructure) certificates.
Encoding Methods
The x509 standard uses 2 encoding methods:
DER (Distinguished Encoded Rules)
- It’s a binary DER, meaning, the output is a binary
- File format can be .der, .cer or .crt
PEM (Privacy Enhanced Mail)
- It’s an ASCII armoured data prefixed that includes header and footer lines (e.g.,
-----BEGIN PRIVATE KEY-----
and-----END PRIVATE KEY-----
). - Being an ASCII means that you can see the content of the certificate in readable text format. So, if you can see the content of the file that means you’re looking at a PEM encoded certificate.
- File extensions can be .cer, .crt or pem. The extension used depends on the CA signing the certificate.
File extensions
- .crt → Unix convention of binary DER or base 64 PEM. So the content of a crt file can be a binary or an ASCII
- .cer → Microsoft converntion for binary DER or base 64 PEM
- .key → this is not a certificate. its one of the PKCS#8 keys. it can be in DER or PEM format