Certificate types PEM, DER, PKCS#7 and PKX(PKCS#12)

PEM Format
PEM is the most common format in which Certificate Authorities (CA) issue certificates. These are more widely used by Unix/Linux users.
If you see “Proc-type” present in a PEM format certificate it means that it is encrypted and these are called as base-64 encoded DER certificates.
The public part of the certificate will be represented in 
Whereas the private part of the certificate will be represented in  “—–BEGIN RSA PRIVATE KEY—–” and “—–END RSA PRIVATE KEY—–“.
PEM format can contain any or all of the client/server certificate, intermediate certificate, root CA and the private key.

  • They are Base64 encoded ASCII files
  • They have extensions such as .pem, .crt, .cer, .key
  • Apache and similar servers uses PEM format certificates

DER Format
DER is a Binary form of ASCII PEM format certificate. All types of Certificates & Private Keys can be encoded in DER format.
This format supports storage of single certificate and does not include private key for the intermediate/root CA.

  • They are Binary format files
  • They have extensions .cer and .der

DER is typically used in Java platform

This format contains only certificate or certificate chain but does not store the private key.
This format is usually used by CA’s to provide certificate chains to users.

PFX Format (PKCS#12)
PFX is a format for storing a server certificate or any intermediate certificate along with private key in one encrypted file. PFX follows Public Key Cryptography Standard(PKCS). The term PFX is used interchangeably with PKCS#12.

Hits: 163