Certificate Encoding#

Certificates maybe encoded in using different Encoding formats.

Base64 Encoded X.509 #

This is an encoding method developed for use with Secure/Multipurpose Internet Mail Extensions (S/MIME), which is a popular, standard method for transferring binary attachments over the Internet.

Because all MIME-compliant clients can decode Base64 files, this format might be used by certification authorities that are not on computers running Windows Server 2003, so it is supported for interoperability. Base64 certificate files might use the .cer extension.

Privacy-Enhanced Mail (PEM) (Usually same as the base64)#

Privacy-Enhanced Mail certificates usually have extentions such as .pem, .crt, .cer, and .key.

Distinguished Encoding Rules (Distinguished Encoding Rules)#

Distinguished Encoding Rules (Distinguished Encoding Rules)

Canonical Encoding Rules (CER)#

Often, some one will provide a Certificate and imply it is in Canonical Encoding Rules. Usually, certificates would not be exported in Canonical Encoding Rules format and the certificate is most likley Privacy-Enhanced Mail.


Probably this is Privacy-Enhanced Mail

Public-Key Cryptography Standards (PKCS)#

Produced by RSA Labs. Specifies format of objects used during public key operations In cryptography, PKCS refers to a group of Public-Key Cryptography Standards devised and published by RSA Security.
  • Language is ASN.1
  • Implemented in RSAREF and BSAFE libraries
  • Standards from IETF PKIX working group are a superset and generally compatible


An envelope that can store multiple certificates in PEM or DER format. RFC 2315 for detailed specifications. Does not include any certificate Private Keys.

Bundle Contains#

  • Three parts; all are optional
  • Include all three: opaque signing
  • Omit content: detached signature
  • Only certificates: "certs only"


Similar to PKCS#7, PKCS#12 is a standard for storing Private Keys and certificates securely. PKCS#7 defines a file format commonly used to store Private Keys with accompanying Public Key certificates protected with a password-based symmetric Key.


  • IETF Standard for "secure electronic mail"
  • Digital signatures
    • Need canonical form of message to be signed
  • Encryption
  • Other information for recipient
    • Certificates for verification
    • Sender's public encryption key (certificate)
    • Sender's cryptographic algorithms

Example S/MIME (Signed)#

From: Eric Norman <ejnorman@doit.wisc.edu>
MIME-version: 1.0
Content-type: multipart/signed; protocol="application/pkcs7-signature";
boundary=Apple-Mail-3-2162327; micalg=sha1
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII; format=flowed
Message text
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature; name=smime.p7s
Content-Disposition: attachment; filename=smime.p7s
... snip ...

Netscape Certificate Sequence#

Netscape Certificate Sequence is another PKCS#7 object format, and like the SignedData format, it allows multiple certificates to be imported together. This format is simpler than the PKCS#7 SignedData object format. It consists of a PKCS#7 ContentInfo structure, wrapping a sequence of certificates.

More Information#

There might be more information for this subject on one of the following:

Add new attachment

Only authorized users are allowed to upload new attachments.
« This page (revision-45) was last changed on 19-Jun-2017 12:08 by jim