Private keys and certificates can be stored in a variety of formats, which means that you’ll often need to convert them from one format to another. The most common formats are:
- Binary (DER) certificate
-
Contains an X.509 certificate in its raw form, using DER ASN.1 encoding.
- ASCII (PEM) certificate(s)
-
Contains a base64-encoded DER certificate, with
-----BEGIN CERTIFICATE-----used as the header and-----END CERTIFICATE-----as the footer. - Binary (DER) key
-
Contains a private key in its raw form, using DER ASN.1 encoding. OpenSSL creates keys in its own traditional (SSLeay) format. There’s also an alternative format called PKCS#8 (defined in RFC 5208), but it’s not widely used. OpenSSL can convert to and from PKCS#8 format using the
pkcs8command. - ASCII (PEM) key
-
Contains a base64-encoded DER key, sometimes with additional metadata (e.g., the algorithm used for password protection).
- PKCS#7 certificate(s)
-
A complex format designed for the transport of signed or encrypted data, defined in RFC 2315. It’s usually seen with
.p7band.p7cextensions and can include the entire certificate chain as needed. This format is supported by Java’skeytoolutility. - PKCS#12 (PFX) key and certificate(s)
-
A complex format that can store and protect a server key along with an entire certificate chain. It’s commonly seen with
.p12and.pfxextensions. This format is commonly used in Microsoft products, but is also used for client certificates. These days, the PFX name is used as a synonym for PKCS#12, even though PFX referred to a different format a long time ago (an early version of PKCS#12). It’s unlikely that you’ll encounter the old version anywhere.