I am responsible for maintaining two Debian servers. Every time I have to do anything with security certificates, I Google for tutorials and beat away until it finally works.
However, in my searches I often come across different file formats (.key
, .csr
, .pem
) but I've never been able to find a good explanation of what each file format's purpose is.
I was wondering if the good folks here at ServerFault could provide some clarification on this matter?
Best Answer
SSL has been around for long enough you'd think that there would be agreed upon container formats. And you're right, there are. Too many standards as it happens. In the end, all of these are different ways to encode Abstract Syntax Notation 1 (ASN.1) formatted data — which happens to be the format x509 certificates are defined in — in machine-readable ways.
/etc/ssl/certs
), or may include an entire certificate chain including public key, private key, and root certificates. Confusingly, it may also encode a CSR (e.g. as used here) as the PKCS10 format can be translated into PEM. The name is from Privacy Enhanced Mail (PEM), a failed method for secure email but the container format it used lives on, and is a base64 translation of the x509 ASN.1 keys./etc/ssl/private
. The rights on these files are very important, and some programs will refuse to load these certificates if they are set wrong.openssl pkcs12 -in file-to-convert.p12 -out converted-file.pem -nodes
A few other formats that show up from time to time:
openssl x509 -inform der -in to-convert.der -out converted.pem
). Windows sees these as Certificate files. By default, Windows will export certificates as .DER formatted files with a different extension. Like....keystore
as an extension instead. Unlike .pem style certificates, this format has a defined way to include certification-path certificates.In summary, there are four different ways to present certificates and their components:
I hope this helps.