TLS certificate formats and their use

TLS certificates can have several formats and extensions - pem, cer, der or pfx. We will advise you on how to understand those extensions, how to work with them and how to change the format to the one you need.

Differences between certificate formats

What is the difference between certificates saved as .p7b, .pfx, .p12, .pem, .der, .crt or .cer?
Keep in mind that TLS certificates file extension does not matter. TLS certificate could be safe in the plain text and this is the most common (linux, apache, unix and other servers), or in binary form (Java, Microsoft Server).

The certificate in plain text is saved in Base64 encoding. You can open such file in Notepad (part of Windows) and you see the text which makes the certificate (between BEGIN a END CERTIFICATE).

certificate in text format
Binary files cannot be opened in a text editor (so-called "see nothing").

PEM format

This is the most commonly used format for storing certificates. Most servers (such as Apache or nginx) use the private key and certificate in two separate test files. We often refer to PEM as "text format", because it is encoded in Base64. Base64 is just encoding method (data in ASCII letters), not encryption. You can decode it with many tools.

  • PEM is a Base64 encoded file using ASCII letters.
  • For these certificates the most often used extensions are .cer, .crt, .pem, or .key (typically for private key).
  • This format uses Apache and all servers on Unix/Linux servers.

DER format

DER format is a binary certificate format. It is not a text. you cannot open it for reading or copy like text. This is the main difference from Base64.

  • All certificate types and private key can be stored in DER format.
  • Certificates in DER often have the extension .cer or .der.
  • DER format is used on Java platforms.

P7B/PKCS#7 format

PKCS#7 or P7B extension means one or more Base64 ASCII certificates stored in a .p7b or .p7c file (container).

  • The P7B file contains the certificate and its chain (intermediate certificates) but does not contain the private key.
  • P7B files are most commonly used on the Java Tomcat platform.

PFX/P12/PKCS#12 format

PKCS #12 or PFX/P12 format is a binary format for storing a certificate (including its intermediate) with a private key. Certificates and private key are password protected in the PFX file (container).

  • The most commonly used extension is .pfx and .p12.
  • PKCS#12 (PFX) is very often used on Windows machines to import and export certificates together with a private key.
  • Code signing certificates stored in PFX are also often used for signing with Microsoft Authenticode.

Help with TLS certificates

Is it too much for you?

Write us
Contact form
Has this article been useful?