Overview#
Certificate Formats are used as Certificates are a binary format.These are the most common Certificate Formats:
- Privacy-Enhanced Mail (PEM) (Often referred to as base64)
- Distinguished Encoding Rules (DER)
- PKCS#7
- PFX Format (PKCS#12)
Certificate Formats Encoding#
Certificates maybe encoded in using different Encoding formats.Base64 Encoding X.509 #
Base64 Encoding X.509 is an encoding method developed for use with Secure/Multipurpose Internet Mail Extensions (S/MIME), which is a popular, standard method for transferring binary attachments over the Internet.- Base64 Encoding does NOT support storage of a Certificate Chain.
- Base64 Encoding does NOT support storage of a Private Key.
Because all MIME-compliant clients can decode Base64 files, this format might be used by Certificate Authority that are not on computers running Windows Server 2003, so it is supported for interoperability. Base64 certificate files might use the .cer extension.
Privacy-Enhanced Mail (PEM) (Often referred to as base64)#
Privacy-Enhanced Mail certificates usually have extensions such as .pem, .crt, .cer, and .key.Distinguished Encoding Rules (DER)#
Distinguished Encoding Rules (Distinguished Encoding Rules) (DER) supports only a single Certificate:- DER Encoding does NOT support storage of a Certificate Chain.
- DER Encoding does NOT support storage of a Private Key.
Canonical Encoding Rules (CER)#
Often, someone will provide a Certificate and imply it is in Canonical Encoding Rules. Usually, certificates would not be exported in Canonical Encoding Rules format and the certificate is most likely Privacy-Enhanced Mail.File System extensions#
- *.crt - Probably this is most likely Privacy-Enhanced Mail
Public-Key Cryptography Standards (PKCS)#
Produced by RSA Labs. Specifies format of objects used during public key operations In cryptography, PKCS refers to a group of Public-Key Cryptography Standards devised and published by RSA Security.- Language is ASN.1
- Implemented in RSAREF and BSAFE libraries
- Standards from IETF PKIX working group are a superset and generally compatible
PKCS#7#
An envelope that can store multiple certificates in PEM or DER format. RFC 2315 for detailed specifications.- PKCS#7 supports storage of a Certificate Chain.
- PKCS#7 does NOT support storage of a Private Key.
PKCS#12#
Similar to PKCS#7, PKCS#12 is a standard for storing Private Keys and certificates securely. PKCS#7 defines a file format commonly used to store Private Keys with accompanying Public Key certificates protected with a password-based symmetric Key.- PKCS#12 supports storage of a Certificate Chain.
- PKCS#12 supports storage of a Private Key.
Bundle Contains#
- Three parts; all are optional
- Certificates
- Content
- Signature (with signer information)
- Include all three: opaque signing
- Omit content: detached signature
- Only certificates: "certs only"
- Used for set/list/chain of Certificate Chain
- File extension = .p7c (or .p7b)
S/MIME#
- IETF Standard for "secure electronic mail"
- Digital signatures
- Need canonical form of message to be signed
- Encryption
- Other information for recipient
- Certificates for verification
- Sender's public encryption key (certificate)
- Sender's cryptographic algorithms
Example S/MIME (Signed)#
From: Eric Norman <ejnorman@doit.wisc.edu> MIME-version: 1.0 Content-type: multipart/signed; protocol="application/pkcs7-signature"; boundary=Apple-Mail-3-2162327; micalg=sha1 --Apple-Mail-3-2162327 Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset=US-ASCII; format=flowed Message text --Apple-Mail-3-2162327 Content-Transfer-Encoding: base64 Content-Type: application/pkcs7-signature; name=smime.p7s Content-Disposition: attachment; filename=smime.p7s MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIGQzCCAsMw ggIsoAMCAQICAgMzMA0GCSqGSIb3DQEBBAUAMIG3MQswCQYDVQQGEwJVUzESMBAGA1UECBMJV2lz ... snip ... icLcyxUobN5sT+ttMbm1S6Q+6wAAAAAAAA== --Apple-Mail-3-2162327--