Certificate Formats – SY0-601 CompTIA Security+ : 3.9

There are many different formats that can be used for certificate storage. In this video, you’ll learn about DER, PEM, PKCS #12, CER, and PKCS #7.

The standard used when we are working with digital certificates is called the X.509 standard. It’s a standard format for these digital certificates. And allows us to move these certs between different systems and have all of those different systems understand what’s inside of these digital certificates.

There are different ways to transfer these certs however. And there are many different file formats that you might find when moving from one system to another. Fortunately, there are applications like OpenSSL that can read different formats or even convert between different formats if we need to.

One of these formats is the DER format or distinguished encoding rules format. This is a set of rules that allows us to encode many different kinds of data but it’s especially useful for these X.509 certificates. It is a binary format, which means that we can’t bring it up in a text editor and read anything that might be in there. But it is a very common format that you’ll see when you’re deploying things for applications using Java.

One of the challenges with sending a binary file over email is that some email systems might modify the attachment. One of the ways that you can prevent this is to encode that binary in base64 format. This means that it will be something that is readable in an email. And you can transfer it simply as text between one device and another.

This means that you now have that DER formatted certificate in an ASCII form that you can easily send through email. If you’re trying to transfer information from one place to another, this might be a very easy way to do that. This is supported across many different platforms and it’s a very standard way to send certificates from one machine to another.

This is all letters and numbers, which makes it very easy to email and it won’t be modified by the email system. And it’s something that you can look at and see exactly when the certificate begins, the certificate information and you’ll know exactly where the end of the certificate might be.

If you need to transfer multiple certificates at one time you might want to use PKCS as number 12. This is the public key cryptography standards number 12. This is a standard that was created by RSA Security and it is now a standard that you’ll find as an RFC.

This is a container format. So you have a standard format that you can put many certificates inside. This is usually sent as .P12 or .PFX file. And we might commonly use this to transfer a private and public key pair within the same container. This also supports the ability to password protect this, which is especially important if you’re transferring a private key.

This is a standard that was extended from a Microsoft format called the PFX format or the personal information exchange. These are very similar formats and very often we reference both of these interchangeably.

If you’re managing certificates in the Windows operating system you’re probably using the CSR format or the certificate format. This is primarily used in Windows and it does provide flexibility for including binary DER format or the ASCII PEM format. This normally contains just the public key because we would probably want to send a private key in a more protected form such as using a password with PFX file. But if you’re running Windows you’re probably using a lot of these .CER files and it’s a very common way to import and export certificates in the Windows operating system.

Another certificate type you might find is PKCS number seven. This is the public key cryptography standards number seven. And you’ll commonly see this sent as .P7B file. Like the PEM format, the PKCS number seven format is also an ASCII file that can be read and easily transferred over email.

It’s common to send certificates and chain certificates using this format. But we don’t commonly use private keys in P7B file. This is a format that you’ll find support for in Windows, in Java Tomcat and many other operating systems and applications as well.