Common standards for digital certificates

* X.509 (ITU-T, the PKI certificate standard): the traditional certificate format (.DER .PEM .CER .CRT)
* PKCS#7: Cryptographic Message Syntax standard (.P7B .P7C .SPC .P7R)
* PKCS#10: Certification request standard (.p10 .csr)
* PKCS#12: Personal information exchange standard (.pfx .p12)

X.509 is the basic specification of the certificate itself; PKCS#7 and PKCS#12 are two container formats built on top of it. PKCS#7 defines signed and enveloped messages (digital envelopes) and, in practice, certificate-chain bundles; PKCS#12 packages a certificate together with its private key.

X.509

The basic certificate format. It carries a public key only, never a private key.
An X.509 certificate binds a subject (user or server) identifier to that subject's public key. It also contains the version number, the certificate serial number, the signature algorithm identifier, the issuer (CA) name, the validity period, the subject name and, from version 3, extensions; the whole body (the TBSCertificate) is signed by the issuing CA, and that signature is what a verifier checks.
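The fields listed above, read back from a freshly generated certificate. This is an added example and not part of the original article; it assumes the openssl CLI (1.1.1 or 3.x) is on PATH, and the subject "/CN=example.test/O=Demo" and the 2048-bit RSA key are arbitrary demo choices.

```shell
#!/bin/sh
# Added example (not from the original article): build a self-signed X.509
# certificate with the openssl CLI and read back the fields the text lists.
# Assumes openssl 1.1.1 or 3.x is on PATH; the subject and key size are
# arbitrary demo choices.

# Write key.pem (private key) and cert.pem (certificate) into directory $1.
make_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example.test/O=Demo" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# One line per TBSCertificate field: version, signature algorithm, serial,
# issuer, subject and validity window. The dedicated flags give stable
# one-line output; -text dumps everything in human-readable form.
x509_fields() {
    text=$(openssl x509 -in "$1" -noout -text)
    echo "version=$(echo "$text" | sed -n 's/^ *Version: *\([0-9]*\).*/\1/p')"
    echo "sigalg=$(echo "$text" | sed -n 's/^ *Signature Algorithm: *//p' | head -n 1)"
    openssl x509 -in "$1" -noout -serial -issuer -subject -startdate -enddate
}

# The certificate carries only the public key; it must equal the public
# half of the private key it was generated from.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey; }
key_pubkey()  { openssl pkey -in "$1" -pubout; }

main() {
    d=$(mktemp -d)
    make_selfsigned "$d"
    x509_fields "$d/cert.pem"
    if [ "$(cert_pubkey "$d/cert.pem")" = "$(key_pubkey "$d/key.pem")" ]; then
        echo "public key in cert.pem matches the public half of key.pem"
    fi
    rm -rf "$d"
}
main
```

Because the certificate is self-signed, the issuer and subject lines print the same name; for a CA-issued certificate the issuer line names the CA.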


PKCS#7 (Public Key Cryptography Standards #7)

PKCS#7, now maintained as the Cryptographic Message Syntax (CMS, RFC 5652), is a container syntax for signed data, enveloped data (digital envelopes) and digested data. It never contains private keys. A .p7b or .p7c file is a degenerate SignedData structure with no signers and no content, carrying only a list of certificates (and optionally CRLs); this is the usual way to ship a certificate chain, for example to a Windows or Java keystore. Like X.509 certificates, PKCS#7 data can be stored in PEM (text, "-----BEGIN PKCS7-----") or DER (binary) encoding.
PKCS#7 is mainly used for making digital envelopes and for distributing certificate chains.
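A .p7b chain bundle built and inspected with OpenSSL. This is an added example, not code from the original article; it assumes the openssl CLI, and the subject names one.test and two.test are arbitrary demo values.

```shell
#!/bin/sh
# Added example (not from the original article): bundle two certificates
# into one PKCS#7 (.p7b) file and inspect it. Assumes the openssl CLI;
# subject names are arbitrary demo values.

# Self-signed certificate $1.crt with private key $1.key for CN $2.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# crl2pkcs7 -nocrl builds a degenerate SignedData with no signers and no
# content, only a certificate list: exactly what a .p7b/.p7c chain file is.
# $1 = output file, remaining arguments = certificate files to include.
make_p7b() {
    out=$1; shift
    args=""
    for c in "$@"; do args="$args -certfile $c"; done
    # $args is intentionally unquoted so it expands to several options.
    openssl crl2pkcs7 -nocrl $args -out "$out"
}

# Content type OID of the outer ContentInfo (the first OBJECT in the DER).
p7b_content_type() {
    openssl asn1parse -in "$1" | sed -n 's/.*OBJECT *:\(.*\)$/\1/p' | head -n 1
}

# Subjects of the certificates carried in the bundle.
p7b_subjects() {
    openssl pkcs7 -in "$1" -print_certs -noout | sed -n 's/^subject=//p'
}

main() {
    d=$(mktemp -d)
    make_cert "$d/one" one.test
    make_cert "$d/two" two.test
    make_p7b "$d/chain.p7b" "$d/one.crt" "$d/two.crt"
    echo "content type: $(p7b_content_type "$d/chain.p7b")"
    echo "certificates in bundle:"
    p7b_subjects "$d/chain.p7b"
    rm -rf "$d"
}
main
```

The private keys written by make_cert are never referenced when the bundle is built: crl2pkcs7 takes certificate files only, which is the practical reason a .p7b is safe to publish and a .p12 is not.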


PKCS#10 (Certification Request Syntax)

PKCS#10 defines the certificate signing request (CSR): the subject name and public key, plus optional attributes, signed with the requester's own private key and submitted to a CA, which answers with an X.509 certificate. Usual suffixes are .csr and .p10.


PKCS#12 (Public Key Cryptography Standards #12)

A file packaging format for storing and transporting a user's or server's private key together with the matching certificate (and, optionally, the chain certificates) in one portable container. It is a binary (DER) format, usually with the .pfx or .p12 suffix.
OpenSSL's pkcs12 command creates, parses and reads these files.
A .p12/.pfx file presses the certificate and its private key into a single file, xxx.pfx, and is the format to use when a certificate must be handed over together with its private key. The private key must stay confidential, so it cannot be distributed as bare text the way a certificate can; a PKCS#7 bundle carries certificates only and is therefore unsuitable for this purpose. A .pfx file can be protected with a password, which drives both the encryption of the contents and an integrity MAC, so it is comparatively safe to move around, provided the password is strong and sent through a separate channel. Note that older tools defaulted to weak RC2-40 encryption for the certificate part of the file; OpenSSL 3.0 and later default to AES-256-CBC with PBKDF2.
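Creating and opening a password-protected .p12 file. This is an added example rather than code from the original article; it assumes the openssl CLI, and the subject, friendly name and password are demo values.

```shell
#!/bin/sh
# Added example (not from the original article): pack a private key and its
# certificate into a password-protected PKCS#12 (.p12) file, read it back,
# and show that the wrong password yields nothing. Assumes the openssl CLI;
# the subject, friendly name and password are demo values.

# Self-signed certificate and key in directory $1.
make_keypair_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=p12.test" \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Export key + certificate to $1/bundle.p12 protected by password $2.
# The password drives both the content encryption and the integrity MAC.
make_p12() {
    openssl pkcs12 -export -in "$1/cert.pem" -inkey "$1/key.pem" \
        -name demo -out "$1/bundle.p12" -passout "pass:$2"
}

# Subject of the certificate inside $1 using password $2; on a wrong
# password the MAC check fails, nothing is printed and the exit code is 1.
p12_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
        | openssl x509 -noout -subject 2>/dev/null
}

# Public half of the private key stored inside $1 (needs the password too).
p12_pubkey() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | openssl pkey -pubout 2>/dev/null
}

# First byte of the file in hex: 30 = ASN.1 SEQUENCE, i.e. binary DER.
first_byte_hex() { od -An -tx1 -N1 "$1" | tr -d ' \n'; }

main() {
    d=$(mktemp -d)
    make_keypair_cert "$d"
    make_p12 "$d" 'correct horse battery staple'
    echo "first byte: 0x$(first_byte_hex "$d/bundle.p12")"
    echo "right password: $(p12_subject "$d/bundle.p12" 'correct horse battery staple')"
    if ! p12_subject "$d/bundle.p12" 'wrong' >/dev/null; then
        echo "wrong password: MAC verification failed, nothing extracted"
    fi
    rm -rf "$d"
}
main
```

Passing the password as pass:... on the command line is fine for a demo but exposes it to other processes via the process list; in real deployments use -passin file:... or env:... instead.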

PKCS series of standards

PKCS#7, PKCS#10 and PKCS#12 are all parts of the PKCS family of standards. They are not substitutes for one another; each is defined for a different use case (message and chain containers, certificate requests, key-plus-certificate transport).

Certificate encoding formats

A certificate (and likewise a key, CSR, CRL or PKCS#7 structure) can be stored in either of two encodings, PEM and DER. The content is the same; only the representation differs.


PEM (Privacy Enhanced Mail)
Readable text: the DER bytes base64-encoded between a "-----BEGIN ...-----" line and a "-----END ...-----" line. The label names the object type (CERTIFICATE, CERTIFICATE REQUEST, PRIVATE KEY, PKCS7, ...), and one file may hold several objects back to back, which is how chains are commonly stored.
To view a PEM certificate: openssl x509 -in certificate.pem -text -noout
Apache and most *NIX servers prefer this encoding.


DER (Distinguished Encoding Rules)
The binary ASN.1 encoding; opened in a text editor it is unreadable. A DER certificate begins with byte 0x30, the ASN.1 SEQUENCE tag. PEM is simply this encoding wrapped in base64.
To view a DER certificate: openssl x509 -in certificate.der -inform der -text -noout
Java and Windows tooling prefer this encoding.
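A PEM/DER round trip, including a hand-rolled PEM decode to show that the two encodings carry the same bytes. This is an added example and not part of the original article; it assumes the openssl CLI, and the subject is a demo value.

```shell
#!/bin/sh
# Added example (not from the original article): convert one certificate
# between PEM and DER and show that both encodings carry the same
# certificate. Assumes the openssl CLI; the subject is a demo value.

# Self-signed certificate $1.pem with private key $1.key.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=enc.test" \
        -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

pem_to_der() { openssl x509 -in "$1" -outform DER -out "$2"; }
der_to_pem() { openssl x509 -in "$1" -inform DER -out "$2"; }

# SHA-256 over the DER bytes, whichever encoding the file uses ($2 = PEM|DER).
fingerprint() {
    openssl x509 -in "$1" -inform "$2" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Hand-rolled PEM -> DER: keep only the lines between the armour and
# base64-decode them. PEM is nothing more than base64 DER with a label.
pem_to_der_manual() {
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$1" \
        | sed '/^-----/d' | openssl base64 -d > "$2"
}

# First byte in hex: a DER certificate starts with 0x30 (SEQUENCE), a PEM
# file with "-" (0x2d).
first_byte_hex() { od -An -tx1 -N1 "$1" | tr -d ' \n'; }

main() {
    d=$(mktemp -d)
    make_cert "$d/cert"
    pem_to_der "$d/cert.pem" "$d/cert.der"
    der_to_pem "$d/cert.der" "$d/back.pem"
    pem_to_der_manual "$d/cert.pem" "$d/manual.der"
    echo "PEM starts with 0x$(first_byte_hex "$d/cert.pem"), DER with 0x$(first_byte_hex "$d/cert.der")"
    echo "PEM fingerprint: $(fingerprint "$d/cert.pem" PEM)"
    echo "DER fingerprint: $(fingerprint "$d/cert.der" DER)"
    if cmp -s "$d/cert.der" "$d/manual.der"; then
        echo "openssl -outform DER and manual base64 decode give identical bytes"
    fi
    rm -rf "$d"
}
main
```

The fingerprint is always computed over the DER bytes, so it is the right thing to compare when the same certificate arrives in different encodings or with different suffixes.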

Meaning of the various suffixes

There is no fixed relationship between a file's contents and its suffix (the tools go by content, not by name), but these suffixes are conventionally used to indicate what kind of file it is.


.jks
Java Key Store (JKS): Java's own password-protected keystore container for private keys and certificates, managed with the keytool command rather than OpenSSL. keytool can import a PKCS#12 file into it, and since Java 9 PKCS#12 is the default keystore type.


.csr
Certificate signing request (Certificate Signing Request). This is not a certificate: it is the application sent to a certification authority to obtain a signed certificate. Its core content is the public key, together with the subject name and optionally other attributes, self-signed with the matching private key so the CA can check that the requester holds it.
How to view: openssl req -noout -text -in my.csr (for a DER-encoded request add -inform der).
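The full request cycle: generate a key, build and verify a CSR, show it is not a certificate, and have a throw-away CA sign it. This is an added example and not code from the original article; it assumes the openssl CLI, and the names server.test, Demo Org and Demo CA are arbitrary demo values.

```shell
#!/bin/sh
# Added example (not from the original article): create a certificate
# signing request, inspect it, show it is not a certificate, and have a
# throw-away CA turn it into one. Assumes the openssl CLI; names are demo values.

# Generate a private key for the requester.
make_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}

# Build a CSR for CN $3 from key $1 into $2. The request is signed with the
# requester's own private key; it contains the public key, not the private one.
make_csr() {
    openssl req -new -key "$1" -subj "/CN=$3/O=Demo Org" -out "$2"
}

csr_subject() { openssl req -in "$1" -noout -subject | sed 's/^subject=//'; }
csr_pubkey()  { openssl req -in "$1" -noout -pubkey; }

# Check the CSR's self-signature: proof that the requester holds the key.
csr_verify() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# A CSR is not a certificate: the x509 command refuses to load it.
is_certificate() { openssl x509 -in "$1" -noout >/dev/null 2>&1; }

# Throw-away CA: self-signed root in $1.crt / $1.key.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$1.key" -out "$1.crt" >/dev/null 2>&1
}

# The CA signs the request; the result is an X.509 certificate whose issuer
# is the CA and whose subject and public key come from the request.
# $1 = CA file prefix, $2 = CSR, $3 = output certificate.
issue_cert() {
    openssl x509 -req -in "$2" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
        -days 1 -out "$3" >/dev/null 2>&1
}

main() {
    d=$(mktemp -d)
    make_key "$d/server.key"
    make_csr "$d/server.key" "$d/server.csr" server.test 2>/dev/null
    echo "CSR subject: $(csr_subject "$d/server.csr")"
    csr_verify "$d/server.csr" && echo "CSR self-signature verifies"
    is_certificate "$d/server.csr" || echo "openssl x509 refuses the CSR: it is not a certificate"
    make_ca "$d/ca"
    issue_cert "$d/ca" "$d/server.csr" "$d/server.crt"
    openssl x509 -in "$d/server.crt" -noout -issuer -subject
    rm -rf "$d"
}
main
```

A real CA would also copy or restrict extensions (key usage, SANs) when issuing; the plain x509 -req form above copies none from the request, which is why extension handling belongs in the CA's policy, not in the CSR.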


.cer
Generally refers to a certificate in DER format, although Windows exports .cer files in either DER or base64 (PEM) form, so check the content rather than trusting the suffix.


.crt
Certificate file; usually PEM, but it may also be DER.


.key
Usually used to store a public key or, more often, a private key, normally in PEM.
To view a KEY file: openssl rsa -in mykey.key -text -noout
If it is in DER format, the same command with the input format given: openssl rsa -in mykey.key -text -noout -inform der
These commands are for keys generated with the RSA algorithm; keys generated with DSA are viewed with the dsa subcommand (openssl dsa ...) and EC keys with openssl ec. The generic openssl pkey -in mykey.key -text -noout accepts any key type. Private key files must be kept confidential: restrict file permissions (mode 0600), keep them out of version control, and prefer an encrypted PEM, a PKCS#12 file or a hardware keystore for storage at rest.
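Inspecting keys of different algorithms, in PEM and DER, with the algorithm-specific commands and with the generic pkey command. This is an added example and not part of the original article; it assumes the openssl CLI, and the key sizes and file names are demo choices.

```shell
#!/bin/sh
# Added example (not from the original article): generate RSA and EC keys and
# read them back with the algorithm-specific commands from the text and with
# the generic `openssl pkey`, which accepts any key type. Assumes the openssl CLI.

make_rsa_key() {
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null
}
make_ec_key() {
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1" 2>/dev/null
}

# Key size from the textual dump, for PEM (default) or DER ($2) input. The
# first line reads e.g. "Private-Key: (2048 bit, 2 primes)" or "(256 bit)".
key_bits() {
    openssl pkey -in "$1" -inform "${2:-PEM}" -text -noout \
        | head -n 1 | sed -n 's/.*(\([0-9]*\) bit.*/\1/p'
}

# Algorithm-specific viewers, as in the text; each rejects a key of another type.
rsa_view() { openssl rsa -in "$1" -text -noout 2>/dev/null; }
ec_view()  { openssl ec  -in "$1" -text -noout 2>/dev/null; }

# The PEM label tells public from private: PKCS#8 "PRIVATE KEY", legacy
# "RSA PRIVATE KEY" / "EC PRIVATE KEY", or "PUBLIC KEY".
pem_label() { head -n 1 "$1" | sed -n 's/^-----BEGIN \(.*\)-----$/\1/p'; }

# Derive the public key file $2 from private key $1.
public_from_private() { openssl pkey -in "$1" -pubout -out "$2"; }

main() {
    d=$(mktemp -d)
    make_rsa_key "$d/rsa.key"
    make_ec_key "$d/ec.key"
    public_from_private "$d/rsa.key" "$d/rsa.pub"
    openssl pkey -in "$d/rsa.key" -outform DER -out "$d/rsa.der"
    echo "rsa.key: $(pem_label "$d/rsa.key"), $(key_bits "$d/rsa.key") bit"
    echo "rsa.pub: $(pem_label "$d/rsa.pub")"
    echo "rsa.der: $(key_bits "$d/rsa.der" DER) bit (binary, no PEM label)"
    echo "ec.key:  $(pem_label "$d/ec.key"), $(key_bits "$d/ec.key") bit"
    if ! rsa_view "$d/ec.key" >/dev/null; then
        echo "openssl rsa rejects ec.key: use openssl ec or openssl pkey"
    fi
    rm -rf "$d"
}
main
```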


.crl
Certificate revocation list (Certificate Revocation List): a data structure signed by the CA that lists the serial numbers (with revocation dates) of certificates it has revoked before their expiry. Clients that check revocation download it from the URL in the certificate's CRL distribution point extension. To view: openssl crl -in list.crl -text -noout (add -inform der for a DER-encoded list).