Common standards for digital certificates

* PKI standard ITU-T X.509, the traditional certificate standard (.DER, .PEM, .CER, .CRT)
* PKCS#7, Cryptographic Message Syntax Standard (.P7B, .P7C, .SPC, .P7R)
* PKCS#10, Certification Request Standard (.p10)
* PKCS#12, Personal Information Exchange Standard (.pfx, .p12)
X.509 is the basic specification for digital certificates; PKCS#7 and PKCS#12 are two implementation specifications built on it. PKCS#7 is the specification for digital envelopes, PKCS#12 the specification for a certificate bundled with its private key.

X.509
The basic certificate format; it carries only the public key.
An X.509 certificate consists of the user's public key and the user's identifier. It also contains the version number, certificate serial number, CA identifier, signature algorithm identifier, issuer name, certificate validity period and other information.


Public Key Cryptography Standards #7.

With PKCS#7 the certificate is generally split into two files, one holding the public key and one the private key, and there are two encodings, PEM and DER. PEM is the more common one: it is plain text, commonly used to distribute public keys, and what you see is a string of printable characters; the usual suffixes are .crt, .cer and .key. DER is a binary encoding.
PKCS#7 is mainly used for building digital envelopes.


Public Key Cryptography Standards #10.

Certificate request syntax.


Public Key Cryptography Standards #12.
A file packaging format that stores and distributes the user's or server's private key, public key and certificate in a single portable, binary file, usually with the suffix .pfx or .p12.
The OpenSSL pkcs12 command can create, parse and read these files.
P12 packs the certificate into a single file, xxx.pfx. It is mainly concerned with certificate distribution: the private key is strictly confidential and cannot be passed around as text, so the P7 format is not suited to distribution. A .pfx can be password protected, which makes it relatively safe.

PKCS Series standard

PKCS#7, PKCS#10 and PKCS#12 are all part of the PKCS series of standards. They do not replace one another; each is defined for a different usage scenario.

Certificate code format

There are two encoding formats, PEM and DER.


Privacy Enhanced Mail (PEM)
Open the file and the content starts with "-----BEGIN..." and ends with "-----END...".
To view information about a PEM-format certificate: openssl x509 -in certificate.pem -text -noout
Apache and *NIX servers prefer this encoding format.


Distinguished Encoding Rules (DER)
Open the file and you see binary, which is unreadable.
To view information about a DER-format certificate: openssl x509 -in certificate.der -inform der -text -noout
Java and Windows servers prefer this encoding format.

Various suffix meanings

There is no necessary relationship between a file's content and its suffix, but these suffixes are conventionally used to indicate what kind of file it is.
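An added example, not the article's code, of what the two sections above boil down to: PEM is base64 text between BEGIN/END lines around the same bytes that DER stores raw, and a file's type is decided by its content rather than its suffix. The code below parses the PEM armour, checks the outer DER SEQUENCE, and reads the version and serial number fields mentioned earlier; the 13-byte "certificate" is a constructed stub holding only those two fields, not a real certificate.

```python
import base64
import re
# Added example, not the article's code: RFC 7468 PEM labels mapped to the file kinds the article lists.
PEM_LABELS = {
    "CERTIFICATE": "X.509 certificate (.crt/.cer/.pem)",
    "CERTIFICATE REQUEST": "PKCS#10 request (.csr/.p10)",
    "X509 CRL": "certificate revocation list (.crl)",
    "PRIVATE KEY": "PKCS#8 private key (.key)",
}
_PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_to_der(data: bytes):
    """Return (label, der_bytes) for the first PEM block, or None if data is not PEM."""
    m = _PEM_RE.search(data)
    return (m.group(1).decode(), base64.b64decode(m.group(2))) if m else None  # newlines are skipped

def der_tlv(der: bytes, offset: int = 0):
    """Decode one DER tag-length-value triple -> (tag, value, offset just past the value)."""
    tag, length, offset = der[offset], der[offset + 1], offset + 2
    if length & 0x80:                      # long form: the low 7 bits give the number of length octets
        n = length & 0x7F
        length, offset = int.from_bytes(der[offset:offset + n], "big"), offset + n
    return tag, der[offset:offset + length], offset + length

def is_der(data: bytes) -> bool:
    """Certs, CSRs, CRLs and keys all start with a SEQUENCE (0x30) whose length covers the whole file."""
    return len(data) >= 2 and data[0] == 0x30 and der_tlv(data)[2] == len(data)

def version_and_serial(der: bytes):
    """Certificate -> tbsCertificate -> (version, serialNumber). The [0] version is optional (absent = v1)."""
    tbs = der_tlv(der_tlv(der)[1])[1]
    tag, value, off = der_tlv(tbs)
    version = 1
    if tag == 0xA0:                        # [0] EXPLICIT wraps INTEGER 0/1/2, meaning v1/v2/v3
        version = int.from_bytes(der_tlv(value)[1], "big") + 1
        tag, value, off = der_tlv(tbs, off)
    if tag != 0x02:
        raise ValueError("serialNumber must be an INTEGER")
    return version, int.from_bytes(value, "big", signed=True)

def sniff(data: bytes) -> str:
    """Classify a file by its bytes; the suffix is never consulted."""
    pem = pem_to_der(data)
    if pem:
        label, der = pem
        return f"PEM: {PEM_LABELS.get(label, label)} wrapping {len(der)} bytes of {'valid' if is_der(der) else 'corrupt'} DER"
    return f"DER: {len(data)} bytes (read with -inform der)" if is_der(data) else "neither PEM nor DER"

# Constructed stub, not a real certificate: SEQUENCE { SEQUENCE { [0] INTEGER 2, INTEGER 0x1234 } }
SAMPLE_DER = bytes.fromhex("300b3009a00302010202021234")
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END CERTIFICATE-----\n"
```

Renaming SAMPLE_PEM's file to .der would not change what sniff reports, which is the point: the suffix is only a hint, the bytes decide which -inform openssl needs.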


Java Key Store (JKS).


Certificate request file (Certificate Signing Request, .csr).
This is not a certificate but an application for a signed certificate from a certification authority. Its core content is a public key, with some other identifying information attached.
To view it: openssl req -noout -text -in my.csr; if it is in DER format, add -inform der.


.der
Generally refers to a certificate in DER format.


.crt, .cer
A certificate file; it may be in PEM format.


.key
Usually used to store a public key or a private key.
To view a key: openssl rsa -in mykey.key -text -noout
If it is in DER format, the same command with -inform der: openssl rsa -in mykey.key -text -noout -inform der
This applies to keys generated with the RSA algorithm; for keys generated with the DSA algorithm, use the dsa subcommand instead.


.crl
Certificate revocation list (Certificate Revocation List): a signed data structure containing a list of revoked certificates.