PEM is the most common format in which Certificate Authorities (CAs) issue certificates. It is more widely used by Unix/Linux users.
If a “Proc-Type” header is present in a PEM file, its contents are encrypted. PEM certificates are also called Base64-encoded DER certificates.
The public part of the certificate is enclosed between “-----BEGIN PUBLIC KEY-----” and “-----END PUBLIC KEY-----”,
whereas the private part is enclosed between “-----BEGIN RSA PRIVATE KEY-----” and “-----END RSA PRIVATE KEY-----”.
PEM format can contain any or all of the client/server certificate, intermediate certificate, root CA and the private key.
- They are Base64 encoded ASCII files
- They have extensions such as .pem, .crt, .cer, .key
- Apache and similar servers use PEM format certificates
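The PEM properties described above (BEGIN/END labels, several objects in one file, the “Proc-Type” encryption header, Base64 over DER) can be checked with a short parser. This is an added example, not code from the original page; the function names and the sample bundle are constructed for illustration, and it goes slightly beyond the text by also flagging blocks whose label itself starts with ENCRYPTED.

```python
import base64
import re

# One PEM block: BEGIN line, optional "Name: value" headers, Base64 body, END line.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)

def to_pem(label, der, headers=()):
    """Wrap DER bytes in PEM armor, 64 Base64 characters per line."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [f"-----BEGIN {label}-----"]
    if headers:
        lines += list(headers) + [""]  # blank line separates headers from body
    lines += [b64[i:i + 64] for i in range(0, len(b64), 64)]
    lines.append(f"-----END {label}-----")
    return "\n".join(lines) + "\n"

def parse_pem_bundle(text):
    """Return one dict per PEM block: label, encrypted flag, decoded DER bytes."""
    blocks = []
    for label, inner in PEM_BLOCK.findall(text):
        lines = inner.strip().splitlines()
        headers = {}
        # Header lines contain ':' (never a Base64 character) and precede the body.
        while lines and ":" in lines[0]:
            name, value = lines.pop(0).split(":", 1)
            headers[name.strip()] = value.strip()
        der = base64.b64decode("".join(line.strip() for line in lines))
        # Encrypted if the Proc-Type header says so, or the label does (PKCS#8 style).
        encrypted = ("ENCRYPTED" in headers.get("Proc-Type", "")
                     or label.startswith("ENCRYPTED"))
        blocks.append({"label": label, "encrypted": encrypted, "der": der})
    return blocks

# Constructed sample data: tiny byte strings, not real certificates or keys.
FAKE_CERT_DER = bytes.fromhex("3003020105")   # DER: SEQUENCE { INTEGER 5 }
FAKE_CIPHERTEXT = bytes(range(32))            # stands in for an encrypted key body
SAMPLE_BUNDLE = (
    to_pem("CERTIFICATE", FAKE_CERT_DER)
    + to_pem("RSA PRIVATE KEY", FAKE_CIPHERTEXT, headers=[
        "Proc-Type: 4,ENCRYPTED",
        "DEK-Info: AES-256-CBC,00112233445566778899AABBCCDDEEFF",
    ])
)

if __name__ == "__main__":
    for b in parse_pem_bundle(SAMPLE_BUNDLE):
        state = "encrypted" if b["encrypted"] else "plain DER"
        print(f'{b["label"]:<16} {state:<10} {len(b["der"])} bytes')
```

An unencrypted block decodes to DER that begins with byte 0x30 (an ASN.1 SEQUENCE); an encrypted block decodes to ciphertext that must be decrypted before it can be parsed as DER.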
DER is the binary form of the ASCII PEM format. All types of certificates and private keys can be encoded in DER format.
This format supports storage of a single certificate and does not include the private key for the intermediate/root CA.
- They are binary format files
- They have extensions .cer and .der
- DER is typically used on the Java platform
This format contains only a certificate or certificate chain and does not store the private key.
This format is usually used by CAs to provide certificate chains to users.
PFX Format (PKCS#12)
PFX is a format for storing a server certificate or any intermediate certificate along with the private key in one encrypted file. PFX follows the Public Key Cryptography Standard (PKCS). The term PFX is used interchangeably with PKCS#12.