When you purchase SSL certificates, you probably start by looking for reputable SSL providers offering the best deal. If so, you are not alone; very few people go deeper into the technical aspects, such as SSL certificate formats and extensions. If you have no clue what that means or how it affects the overall functioning of an SSL certificate, we’ve got you covered.
This article will tell you everything there is to know about SSL certificate formats and the difference between them. Also, we’ll try to do that in the most non-technical manner, so let’s dive into it.
What is an SSL Certificate Format?
The SSL format refers to the file format or extension of the file in which the digital certificate or the keys are stored and/or transmitted. There are many types available like the PEM, DER, and several others that we shall soon discuss. With a wide range of servers and devices out there, it becomes essential to understand their capabilities and the technologies with which they are compatible.
Not all SSL formats can be installed on every server type; each is compatible only with certain types. Servers that support SSL certificates usually require the digital certificate to be supplied as a specific type of file, in a particular format, and that is why it is essential to know this aspect of SSL beforehand.
Basically, the SSL/TLS certificate is a digital certificate that carries the Certificate Authority’s digital signature and uses cryptographic keys to encrypt server-client communication. From the point when you buy an SSL certificate to when it is issued, there are three files involved: the CSR, the private key, and the public key, which usually come as separate files. For SSL to start working, these files must be installed on the server.
Since there are many different types of servers and devices, SSL/TLS certificates inevitably come encoded or formatted in several ways so that each server or device can use a compatible one. The learning curve is steep, but it begins with understanding that there are different SSL formats, and you need to find one that your server or device supports. While some support multiple SSL formats, others require a very specific file type and encoding, so this is a server- or device-specific criterion. We shall now discuss the different SSL formats and their individual traits in detail.
Different SSL Certificate Formats
Now that we have discussed what SSL formats are, let us dive deeper into the various types, but before that, let’s get a few concepts straight. SSL certificates make use of the public key infrastructure or the PKI. This involves using a public-private key pair, in which the public key encrypts while the private key decrypts the data exchanged between the server and the client. This data is stored and exchanged as files that come with different types of extensions, which are suitable for different servers. We shall now discuss them, starting with the most popular SSL format type. When you buy SSL certificates, you ought to know the server type and the extensions it is compatible with.
PEM Format
The Privacy-Enhanced Mail (PEM) format is not a new innovation and dates back to the 1993 IETF standards. The reason for its widespread adoption is the ease with which it can be read: it can be opened with almost any text editor. It is, therefore, the most preferred and widely accepted format for storing certificates.
It is also referred to as a text format file because PEM is encoded in Base64 and can be decoded easily. Its simplicity and ease of use have made it one of the most preferred formats for storing and exchanging cryptographic keys and certificates across the globe. Primarily, there are three kinds of PEM file: the Certificate Signing Request (CSR) in PEM format, one containing the private key, and one containing the public key.
These can be identified from the content of the file. A glance at the BEGIN and END lines, also known as the header and footer of the file, is enough. If it starts with a line like ‘BEGIN CERTIFICATE REQUEST’ and concludes with ‘END CERTIFICATE REQUEST’, then you can be sure that it is the CSR. There are usually two separate files for the public and private keys, but sometimes there is just one. This can again be confirmed by looking at the BEGIN and END lines, which state which key is embedded within.
A Snapshot of PEM
The PEM was introduced in the 1993 IETF standards.
A PEM file can contain the CSR, Private Key, or Public key.
The commonly used extensions are .pem, .cer, .crt, and .key.
PKCS#7 Format
PKCS#7 is a standard created by RSA Laboratories and belongs to the Public Key Cryptography Standards (PKCS). Its most recent version, 1.5, is better known as RFC 2315, which includes all the latest updates. As an ASCII-encoded format, it uses BEGIN PKCS7 and END PKCS7 header and footer lines just like PEM, but it comes with certain limitations: PKCS#7 can only store certificates and chain certificates, not the cryptographic keys. It is encoded in Base64 and can be stored as either PEM or DER files.
A Snapshot of PKCS#7
It is a standard created by RSA Laboratories as part of the Public Key Cryptography Standards.
The PKCS#7 can only store certificates, not the keys.
The PKCS#7 can be stored as PEM or raw DER files.
DER Format
Distinguished Encoding Rules (DER) is the main serialization format for ASN.1, which has been revised constantly over the years. A DER variant is often used instead of the PEM format, but you should know that DER content can be further encoded into the PEM format. It is a binary type of certificate that may have either the .der or the .cer file extension. Since both PEM and DER can use the .cer extension, users are often confused by it. To get clarity, open the file in a text editor and check for the header and footer lines.
In a PEM file, these lines declare whether it is a CSR, private key, or public key. In a DER file, these lines are absent; instead, there is illegible binary content. Basically, DER is a binary format, unlike PEM, which is ASCII. Here, the keys are described using ASN.1 notation, which is independent of any specific programming language and can be read by both humans and machines. All digital certificates and cryptographic keys can be encoded in this format, which is often used with Java platforms.
A Snapshot of DER
The DER is an ASN.1 serialization format.
The DER encoded files are available as the .der or .cer extensions.
DER format encodes files in binary format, and the text appears illegible.
This format can be used to encode certificates and keys.
PFX Format (PKCS#12)
The .pfx file, which is basically a cryptographic archive file in the PKCS#12 format, comes with internal storage containers commonly referred to as safe bags. These files can contain everything from CRLs and certificates to keys, and they can be encrypted and signed. Generally, they come with one of two extensions: .pfx or .p12. Windows servers use .pfx, which holds both the public key and the corresponding private key. Like PKCS#7, PKCS#12 also belongs to the Public Key Cryptography Standards rolled out by RSA Laboratories.
Differences between certificate formats
PEM vs. DER
PEM is a text format, while DER is a binary format; DER content can be Base64-encoded into a PEM file so that it can be opened in a text editor. Sometimes both use the .cer extension, which causes all the confusion, but the presence or absence of the header and footer lines clarifies the content’s format.
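As an added example (not code from the original article), the following Python script applies the identification rule given for PEM files, the DER section and the PEM vs. DER comparison above: it reads the BEGIN/END label of each PEM block, checks that header-less binary is a well-formed DER SEQUENCE covering the whole file, and wraps DER back into PEM. The DER sample is a constructed stand-in (SEQUENCE { INTEGER 5 }), not a real certificate, and the label table uses the standard RFC 7468 names.

```python
import base64
import re
# PEM header labels (RFC 7468 names) mapped to the kinds of file the article lists.
LABELS = {
    "CERTIFICATE REQUEST": "CSR", "NEW CERTIFICATE REQUEST": "CSR",
    "CERTIFICATE": "certificate", "PKCS7": "PKCS#7 certificate bundle",
    "PUBLIC KEY": "public key", "RSA PUBLIC KEY": "public key",
    "PRIVATE KEY": "private key", "RSA PRIVATE KEY": "private key",
    "EC PRIVATE KEY": "private key", "ENCRYPTED PRIVATE KEY": "private key",
}
# One PEM block: BEGIN line, Base64 body, matching END line.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def pem_blocks(data):
    # Return (label, DER bytes) for each block; b64decode drops the line breaks.
    return [(m.group(1).decode(), base64.b64decode(m.group(2)))
            for m in PEM_BLOCK.finditer(data)]

def is_der(data):
    # Raw DER has no header text: it starts with the ASN.1 SEQUENCE tag 0x30
    # followed by a length that must account for the rest of the file.
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        header, length = 2, first
    else:                                 # long form: 0x8n, then n length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(data) < 2 + n:
            return False
        header, length = 2 + n, int.from_bytes(data[2:2 + n], "big")
    return header + length == len(data)

def identify(data):
    # Classify as the article suggests: BEGIN/END lines first, else header-less DER.
    blocks = pem_blocks(data)
    if blocks:
        return ["PEM " + LABELS.get(label, "unknown (%s)" % label) for label, _ in blocks]
    return ["DER (binary ASN.1)"] if is_der(data) else ["unrecognised"]

def der_to_pem(der, label):
    # DER -> PEM is just Base64 wrapped at 64 columns between BEGIN/END lines.
    body = base64.b64encode(der).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, lines, label)

# Constructed stand-in for a DER certificate (SEQUENCE { INTEGER 5 }); not a real one.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = der_to_pem(SAMPLE_DER, "CERTIFICATE").encode()
```

A file holding several PEM blocks (for example a certificate followed by its private key) is reported block by block, which is how the one-file case mentioned in the PEM section is told apart from separate key files.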
PEM vs PKCS#7
The PKCS#7 format is appropriate only for storing certificates, not cryptographic keys, while PEM can store both certificates and keys, which makes it the more comprehensive solution. Both use Base64 ASCII encoding, but with different levels of restriction. Both come with a header and a footer because they use the same syntax, but that is where the similarity ends. Beyond this, the two SSL formats are entirely different, and PEM is undoubtedly the better choice unless your ecosystem needs the PKCS#7 encoding.
We have discussed the most widely deployed SSL formats that you need to know before you buy SSL certificates for your business. So, always make it a point to ask your web hosting service provider which formats the server is compatible with, and discuss that with the SSL providers you shortlist before you purchase the SSL certificate for your website. Although this might take some time, you can be sure that it will be a fruitful investment.