Overview#Certificate File Formats are used as Certificates are a binary format. Certificates maybe encoded in using different Encoding formats. Base64 Encoding X.509 is an encoding method developed for use with Secure/Multipurpose Internet Mail Extensions (S/MIME), which is a popular, standard method for transferring binary attachments over the Internet.
- Base64 Encoding does NOT support storage of a Certificate Chain.
- Base64 Encoding does NOT support storage of a Private Key.
Because all MIME-compliant clients can decode Base64 files, this format might be used by Certificate Authority that are not on computers running Windows Server 2003, so it is supported for interoperability. Base64 certificate files might use the .cer extension.
Privacy-Enhanced Mail (PEM) (Usually same as the base64)#Privacy-Enhanced Mail certificates usually have extensions such as .pem, .crt, .cer, and .key. Distinguished Encoding Rules (Distinguished Encoding Rules) (DER) supports only a single Certificate:
- DER Encoding does NOT support storage of a Certificate Chain.
- DER Encoding does NOT support storage of a Private Key.
File System extensions#
- *.crt - Probably this is most likely Privacy-Enhanced Mail
- Language is ASN.1
- Implemented in RSAREF and BSAFE libraries
- Standards from IETF PKIX working group are a superset and generally compatible
- Three parts; all are optional
- Signature (with signer information)
- Include all three: opaque signing
- Omit content: detached signature
- Only certificates: "certs only"
- Used for set/list/chain of Certificate Chain
- File extension = .p7c (or .p7b)
- IETF Standard for "secure electronic mail"
- Digital signatures
- Need canonical form of message to be signed
- Other information for recipient
- Certificates for verification
- Sender's public encryption key (certificate)
- Sender's cryptographic algorithms
Example S/MIME (Signed)#
From: Eric Norman <firstname.lastname@example.org> MIME-version: 1.0 Content-type: multipart/signed; protocol="application/pkcs7-signature"; boundary=Apple-Mail-3-2162327; micalg=sha1 --Apple-Mail-3-2162327 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII; format=flowed Message text --Apple-Mail-3-2162327 Content-Transfer-Encoding: base64 Content-Type: application/pkcs7-signature; name=smime.p7s Content-Disposition: attachment; filename=smime.p7s MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIGQzCCAsMw ggIsoAMCAQICAgMzMA0GCSqGSIb3DQEBBAUAMIG3MQswCQYDVQQGEwJVUzESMBAGA1UECBMJV2lz ... snip ... icLcyxUobN5sT+ttMbm1S6Q+6wAAAAAAAA== --Apple-Mail-3-2162327--Netscape Certificate Sequence is another PKCS#7 object format, and like the SignedData format, it allows multiple certificates to be imported together. This format is simpler than the PKCS#7 SignedData object format. It consists of a PKCS#7 ContentInfo structure, wrapping a sequence of certificates.