Certificate Formats


Certificate Formats are used as Certificates are a binary format.

These are the most common Certificate Formats:

Certificate Formats Encoding#

Certificates maybe encoded in using different Encoding formats.

Base64 Encoding X.509 #

Base64 Encoding X.509 is an encoding method developed for use with Secure/Multipurpose Internet Mail Extensions (S/MIME), which is a popular, standard method for transferring binary attachments over the Internet.

Because all MIME-compliant clients can decode Base64 files, this format might be used by Certificate Authority that are not on computers running Windows Server 2003, so it is supported for interoperability. Base64 certificate files might use the .cer extension.

Privacy-Enhanced Mail (PEM) (Often referred to as base64)#

Privacy-Enhanced Mail certificates usually have extensions such as .pem, .crt, .cer, and .key.

Distinguished Encoding Rules (DER)#

Distinguished Encoding Rules (Distinguished Encoding Rules) (DER) supports only a single Certificate:

Canonical Encoding Rules (CER)#

Often, someone will provide a Certificate and imply it is in Canonical Encoding Rules. Usually, certificates would not be exported in Canonical Encoding Rules format and the certificate is most likely Privacy-Enhanced Mail.

File System extensions#

Public-Key Cryptography Standards (PKCS)#

Produced by RSA Labs. Specifies format of objects used during public key operations In cryptography, PKCS refers to a group of Public-Key Cryptography Standards devised and published by RSA Security.
  • Language is ASN.1
  • Implemented in RSAREF and BSAFE libraries
  • Standards from IETF PKIX working group are a superset and generally compatible


An envelope that can store multiple certificates in PEM or DER format. RFC 2315 for detailed specifications.


Similar to PKCS#7, PKCS#12 is a standard for storing Private Keys and certificates securely. PKCS#7 defines a file format commonly used to store Private Keys with accompanying Public Key certificates protected with a password-based symmetric Key.

Bundle Contains#

  • Three parts; all are optional
  • Include all three: opaque signing
  • Omit content: detached signature
  • Only certificates: "certs only"


  • IETF Standard for "secure electronic mail"
  • Digital signatures
    • Need canonical form of message to be signed
  • Encryption
  • Other information for recipient
    • Certificates for verification
    • Sender's public encryption key (certificate)
    • Sender's cryptographic algorithms

Example S/MIME (Signed)#

From: Eric Norman <ejnorman@doit.wisc.edu>
MIME-version: 1.0
Content-type: multipart/signed; protocol="application/pkcs7-signature";
boundary=Apple-Mail-3-2162327; micalg=sha1
Content-Transfer-Encoding: 7bit
Content-Type: text/plain; charset=US-ASCII; format=flowed
Message text
Content-Transfer-Encoding: base64
Content-Type: application/pkcs7-signature; name=smime.p7s
Content-Disposition: attachment; filename=smime.p7s
... snip ...

Netscape Certificate Sequence#

Netscape Certificate Sequence is another PKCS#7 object format, and like the SignedData format, it allows multiple certificates to be imported together. This format is simpler than the PKCS#7 SignedData object format. It consists of a PKCS#7 ContentInfo structure, wrapping a sequence of certificates.

More Information#

There might be more information for this subject on one of the following: