Quality TLS/SSL certificates for websites and internet projects.



SSL Certificate Formats

In connection with SSL certificates, a relatively large number of names such as PEM, CSR, KEY, DER, etc. are mentioned. These are files that are practically only "boxes" for the location of the certificate and its keys. A large number of formats were created gradually due to various implementations in operating systems or applications, some were standardized in RFC.

CSR (.csr)

A Certificate Signing Request (CSR) is a certificate request that is passed to a certification authority for certification. The request can be generated directly on the server, in the OpenSSL application or you can easily generate it in the order detail according to this manual, including the private key, after ordering the SSL certificate. The application format is according to PKCS # 10 (Public Key Cryptography Standards) and is defined in RFC 2986 (Certification Request Syntax Specification). The CSR application contains the necessary information for issuing the certificate. That is, the domain name, organization, state, and also the public key that the certification authority confirms. The encoding format of the CSR that is inserted into the order and sent to the certification authority is PEM. The information structure in the request is defined using ASN.1 (abstract syntax notation).
After the certificate is issued and signed by the certification authority, the certificate is already delivered from the authority in other formats, such as CRT, p7b. It is often also sent directly by e-mail in txt PEM format, together with information about the issuance of the SSL certificate.

We do not recommend creating a certificate request and private key on unknown online sites.
In our help we publish instructions on how to generate a CSR and private key in OpenSSL.

PEM (.pem)

One of the most used formats for storing SSL/TLS certificates. It is a container for storing text-encoded cryptographic data (keys and certificates) and allows easy sending by e-mail, it is defined in RFC 1421 to 1424. It can contain a separate public certificate but also a public certificate plus CA certificates or it can contain a whole set of certificates including public key, private key, and root certificates of the issuing certification authority. A Certificate Signing Request (CSR) is also supplied in PEM format, which is converted from PKCS10 format.
The name originated from the abbreviation Privacy-enhanced Electronic Mail (PEM), which was the standard for email security. The main essence of the PEM format is the recoding of the binary format (ie ones and zeros) by the base64 method and the addition of an informative header and footer of the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- or -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----.

Sample of the issued certificate in PEM format


You can decode this text string, for example on this page, where you can find information about the certificate (validity, information in the certificate, authority, and much more).

PEM files are encoded in Base64 format, which is an encoding that converts binary data into a sequence of printable ASCII characters (a 64-element character set consisting of uppercase and lowercase letters of the English alphabet, numbers and plus signs ('+'), and a slash ('/')). PEM files are very easy to work with, as they have content in a readable text format and can be opened in any editor.The individual certificates are then clearly separated by a header and footer. More about the PEM format in WIKI ...

PFX (.pfx) / PKCS #12 format

.pfx, but also .p12 or .pkcs12 are formats defined in Public-Key Cryptography Standards (PKCS standards). It is a password container format that contains both public and private certificates. Unlike .pem files, the container is fully encrypted. PKCS#12 (.p12) was originally a private Microsoft standard that was later defined in RFC 7292. Provides improved security over the PEM text format.
We will encounter the PFX format mainly on the Windows platform. If the certificate request is not generated directly in the Internet Information System (IIS), it is necessary to supply the server administrator with a certificate in PFX format for import into the server. For these cases, we publish in the help instructions on how to export the certificate to PFX using OpenSSL.
Code Signing certificates and electronic signatures are also exported to the .p12 / .pfx file.

The .pfx and .p12 files are de facto identical, and if you need the p12 file instead of the pfx, you may read that you just need to rename it. It doesn't always work that easily. You can learn more in the discussion at

KEY (.key)

The .key file contains the certificate in PEM format and contains only the private key of the certificate. The private key is enclosed in the strings ----- BEGIN PRIVATE KEY ----- and ----- END PRIVATE KEY -----. This file should go open in any text editor.
There is no standardization for the .key format and it is de facto a designation of the file with the private key.

Soubor .key otevřený v Notepadu

DER (.der)

DER (Distinguished Encoding Rules). A binary file (a string of zeros and ones) that contains the stored certificate information. It contains an SSL certificate or the full root-chain path (intermediate certificates) and can also contain a private key. Used in the Unix world or on Java platforms, in Windows the .der file is automatically considered a certificate holder. DER is a defective binary version of a base64 encoded PEM file.

CRT (.crt)

The .crt file contains an SSL certificate in PEM format. They can be opened with any text editor and the certificate is enclosed in ----- BEGIN CERTIFICATE ----- and ----- END CERTIFICATE ----- tags.
In Windows, when you double-click on a file and accept the warning, a window with the certificate details opens automatically. If you rename the .crt file to .txt, double-clicking opens a text editor with PEM content.

CRT soubory vystaveného SSL certifikátu

PB7 (.pb7)

The PB7 format contains the public key and intermediate certificates from the certification authority. Does not contain a private key. The P7B / PKCS # 7 format is saved in Base64 ASCII format and the file has a .p7b or .p7c extension. Defined in RFC 2315 as PKCS number 7. The format used by Windows. Java uses .keystore. It is possible to define a certificate hierarchy for these containers.

CER (.cer), CERT (.cert)

This is a different .pem file extension. Used to indicate the issued certificate. The stored certificate in PEM format is delimited by the header and footer ----- BEGIN CERTIFICATE ----- and ----- END CERTIFICATE -----.

Other file types and formats


Certificate Revocation List (CRL) - list of revoked certificates. Certification authorities publish lists of revoked certificates in these lists.

RFC 7468

The proposed standard RFC 7468 (Textual Encodings of PKIX, PKCS, and CMS Structures) describes and standardizes the text coding PKI (Public-Key Infrastructure X.509), PKCS (Public-Key Cryptography Standards) and CMS (Cryptographic Message Syntax).

Back to Help
Found an error or don't understand something? Write us!

CA Sectigo
CA Thawte
CA GeoTrust
CA DigiCert
CA Certum