X.509 Certificate and Key Formats

Article:TECH179202  |  Created: 2012-01-17  |  Updated: 2012-09-06  |  Article URL http://www.symantec.com/docs/TECH179202
Article Type
Technical Solution


Subject

Issue



This article provides information on X.509 certificates.

 


Solution



X.509 is the standard that defines the certificate context and layout. The most common algorithms for creating public and private keys are RSA and DSA, and keys are often referred to as RSA keys or DSA keys.

 
The following list details the most common standard formats for certificate files.
 
  • DER :
This certificate file may contain :
 
         a.     Private keys (RSA or DSA)
         b.     Public keys (RSA or DSA)
         c.     X.509 certificates.
 
This format does not contain headers. It is the default format for most browsers. A single file contains only one certificate, and the certificate can optionally be encrypted. The standard extension is .cer, but might be .der in some installations.
 
  • PEM :
This certificate file may contain :
 
         a.     Private keys (RSA or DSA)
         b.     Public keys (RSA or DSA)
         c.     X.509 certificates.
 
This format contains ASCII headers and is the default format for OpenSSL. It stores the data in either ASN.1 or DER format, surrounded by ASCII headers, so it is suitable for sending files as text between systems. One file may contain multiple certificates. The standard extension is .pem.
 
  • PKCS#12 :   This format is also known as PFX.
This certificate file may contain :
 
         a.     Private keys (RSA or DSA).
         b.     Public keys (RSA or DSA).
         c.     X.509 certificates.
 
It stores them in a binary format. The standard extension is .pfx or .p12.
 
  • PKCS #7 :  This is the Cryptographic Message Syntax Standard.
This certificate file may contain :
 
         a.     Multiple certificates.
         b.     May have a private key.
 
They may be hashed. Optionally, the certificate may contain a private key.
 
There are four versions of PKCS #7 certificates. The standard extensions for these four versions are :
 
.spc
.p7a
.p7b
.p7c
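
Because file extensions vary between installations, a file's encoding is best determined from its content. The following Python code is an added example, not part of the original article: it tells PEM from DER by looking for the ASCII headers, recovers the DER bytes that a PEM block carries as Base64 text, and reports PEM labels that announce private key material. The function names and SAMPLE_DER are constructed for illustration, and the DER test is a heuristic that only checks the outer SEQUENCE header.

```python
import base64
import re

# Constructed sample: a tiny DER SEQUENCE of two INTEGERs, NOT a real certificate.
SAMPLE_DER = bytes.fromhex("3006020101020102")

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def to_pem(label, der):
    """Wrap DER bytes in PEM armor: ASCII header, Base64 in 64-char lines, footer."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN %s-----\n%s\n-----END %s-----\n"
            % (label, "\n".join(lines), label)).encode("ascii")

def der_total_length(data):
    """Length declared by an outer DER SEQUENCE header, or None if not DER-like."""
    if len(data) < 2 or data[0] != 0x30:      # 0x30 = SEQUENCE tag
        return None
    if data[1] < 0x80:                        # short-form length
        return 2 + data[1]
    n = data[1] & 0x7F                        # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")

def classify(data):
    """Return (encoding, [(label, der_bytes), ...]) based on content, not extension."""
    blocks = [(m.group(1).decode("ascii"), base64.b64decode(m.group(2)))
              for m in PEM_BLOCK.finditer(data)]
    if blocks:
        return "PEM", blocks
    if der_total_length(data) == len(data):
        return "DER", [(None, data)]
    return "unknown", []

def private_key_labels(data):
    """PEM labels in the file that announce private key material."""
    return [label for label, _ in classify(data)[1]
            if label and label.endswith("PRIVATE KEY")]

if __name__ == "__main__":
    bundle = to_pem("CERTIFICATE", SAMPLE_DER) + to_pem("PRIVATE KEY", SAMPLE_DER)
    print(classify(SAMPLE_DER)[0], classify(bundle)[0], private_key_labels(bundle))
```

Running private_key_labels over a .pem bundle before it is sent to another system shows whether a private key would travel along with the certificates.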


