
PEM, CRT, and KEY Files: Understanding SSL/TLS Certificate Formats

When working with SSL/TLS certificates, the various file extensions can be confusing. This guide clarifies the differences between common certificate and key file formats and provides practical examples for working with them.

Core Concepts: Public Key Infrastructure (PKI)

PKI uses asymmetric cryptography with two related keys:

  • Private Key: Kept secret, used to decrypt data and create digital signatures
  • Public Key: Shared publicly, used to encrypt data and verify signatures
  • Certificate: Binds a public key to an identity, verified by a Certificate Authority (CA)

Common File Types and Their Meanings

Private Key Files (.key)

Typically contain the private key portion of a key pair. These must be kept secure and never shared publicly.

```text
# Example private key content
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC7...
-----END PRIVATE KEY-----
```

Certificate Files (.crt, .cer)

Contain the public key certificate, usually issued by a Certificate Authority. These are meant to be distributed publicly.

```text
# Example certificate content
-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAKL7wQ8O3uX5MA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
-----END CERTIFICATE-----
```

PEM Format (.pem)

A base64-encoded container format that can store certificates, private keys, CSRs, or other cryptographic objects. The label in the -----BEGIN ...----- / -----END ...----- header lines, not the file extension, tells you what the file holds.

```text
# Could be a certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

# Or a private key
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

# Or other cryptographic objects
```

PKCS#12 Files (.p12, .pfx)

Binary format that can contain both the private key and certificate chain, protected by a password.

Certificate Signing Request (.csr)

A request to a Certificate Authority to issue a certificate for your public key.

```text
-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCVVMxDTALBgNVBAgMBFV0YWgxDTALBgNV
-----END CERTIFICATE REQUEST-----
```

DER Format (.der)

A binary encoding format for certificates and keys, as opposed to PEM's base64 encoding. A PEM file is the same DER bytes, base64-encoded and wrapped in BEGIN/END header lines, so the two formats carry identical data.

File Extension Reality Check

WARNING

File extensions are primarily conventions - the actual content matters more than the extension. You can rename a .crt file to .pem and it will still work if the content is identical.
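As an added example (not part of the original guide), the following POSIX shell function classifies a file by what it actually contains: a PEM file starts with a "-----BEGIN <LABEL>-----" armour line, while a DER file is raw ASN.1 that almost always begins with a SEQUENCE tag byte (0x30). The sample files it creates are constructed for the demo; the base64 bodies are filler, not real keys or certificates.

```shell
#!/bin/sh
# Added example: identify certificate/key files by content, not extension.
# Prints "PEM:<labels>" (comma-separated when the file is a bundle),
# "DER", "UNKNOWN" or "UNREADABLE"; exit status is 0 only for PEM and DER.
pem_type() {
  f="$1"
  [ -r "$f" ] || { echo "UNREADABLE"; return 2; }
  # Check DER first: feeding a binary file through sed is not portable.
  first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
  if [ "$first" = "30" ]; then
    echo "DER"
    return 0
  fi
  # PEM: collect every BEGIN label, e.g. CERTIFICATE, PRIVATE KEY (PKCS#8),
  # RSA PRIVATE KEY (PKCS#1), ENCRYPTED PRIVATE KEY, CERTIFICATE REQUEST.
  # The trailing [[:space:]]* tolerates CRLF line endings.
  labels=$(sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$f" \
           | sort -u | paste -s -d , -)
  if [ -n "$labels" ]; then
    echo "PEM:$labels"
    return 0
  fi
  echo "UNKNOWN"
  return 1
}

# Demo on constructed files whose names contradict their contents.
demo_dir=$(mktemp -d)
printf -- '-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n' \
  > "$demo_dir/renamed.key"                      # a certificate named .key
printf '\060\202\003\021' > "$demo_dir/site.pem"  # DER bytes named .pem
for f in "$demo_dir/renamed.key" "$demo_dir/site.pem"; do
  echo "$f -> $(pem_type "$f")"
done
rm -rf "$demo_dir"
```

Run it as `sh classify.sh`, or source the file and call `pem_type` on any certificate or key path. Because the function reports every BEGIN label in the file, it also reveals whether a .pem is a single certificate, a chain, or a key-plus-certificate bundle, which is the question that usually matters when a server refuses to load it.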

Generating Self-Signed Certificates

Here are the common OpenSSL commands to generate self-signed certificates:

```bash
# Generates both private key and certificate in one step
openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 \
  -keyout privateKey.key -out certificate.crt
```

```bash
# Similar command with different naming convention
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 \
  -keyout key.pem -out cert.pem
```

Creating PKCS12 and JKS Keystores

To convert between formats for Java applications:

```bash
# Create a PKCS12 file from PEM files
openssl pkcs12 -export -in user.pem -inkey user.key \
  -certfile user.pem -out testkeystore.p12
```

```bash
# Convert PKCS12 to Java Keystore (JKS)
keytool -importkeystore -srckeystore testkeystore.p12 \
  -srcstoretype pkcs12 -destkeystore wso2carbon.jks \
  -deststoretype JKS
```

Practical Workflow for Web Servers

A typical SSL certificate setup involves:

  1. Generate private key: openssl genrsa -out domain.key 2048
  2. Create CSR: openssl req -new -key domain.key -out domain.csr
  3. Submit CSR to CA for signing (or self-sign)
  4. Install certificate and private key on server
  5. Configure web server to use the certificate files
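The script below is an added example, not the guide's own, that carries steps 1 to 3 above through with OpenSSL (choosing the self-signed option at step 3), then runs the checks an operator wants before step 4: that the certificate really embeds the public half of the key next to it, that the subject is what was requested, that the file is not about to expire, and that the key file is unreadable to other users. It also covers the PKCS12 bundling from the keystore section by exporting the pair to a .p12 and reading the certificate back out. It assumes `openssl` 1.1.1 or 3.x is on PATH; the directory layout, the host name and the password are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example: CSR workflow plus pre-install checks with the openssl CLI.

# make_self_signed DIR CN: writes DIR/domain.key, domain.csr and domain.crt.
# The body runs in a subshell so the umask change stays local.
make_self_signed() (
  dir="$1"; cn="$2"
  umask 077                      # step 1: key file is created mode 0600
  openssl genrsa -out "$dir/domain.key" 2048 2>/dev/null
  # step 2: CSR carrying the public key and the requested subject
  openssl req -new -key "$dir/domain.key" -subj "/CN=$cn" \
    -out "$dir/domain.csr" 2>/dev/null
  # step 3 (self-signed variant): sign the CSR with the same key
  openssl x509 -req -in "$dir/domain.csr" -signkey "$dir/domain.key" \
    -days 365 -out "$dir/domain.crt" 2>/dev/null
)

# key_matches_cert KEY CRT: succeeds only if CRT embeds KEY's public half.
# This is the check that catches a certificate installed next to the wrong key.
key_matches_cert() {
  k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
  c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
  [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_cn CRT: prints the subject CN read from the certificate itself.
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# valid_for_days CRT N: succeeds if CRT does not expire within N days.
valid_for_days() {
  openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

# key_perms_ok KEY: succeeds if group and other have no permission bits.
key_perms_ok() {
  case "$(ls -ld "$1" | cut -c5-10)" in
    ------) return 0 ;;
    *)      return 1 ;;
  esac
}

# bundle_pkcs12 DIR PASS: key + certificate into DIR/domain.p12 under PASS.
bundle_pkcs12() {
  openssl pkcs12 -export -in "$1/domain.crt" -inkey "$1/domain.key" \
    -out "$1/domain.p12" -passout "pass:$2" 2>/dev/null
}

# pkcs12_cn P12 PASS: CN of the end-entity certificate inside the bundle.
pkcs12_cn() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject -nameopt RFC2253 \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# Demo on a constructed host name; skipped when openssl is not installed.
if command -v openssl >/dev/null 2>&1; then
  work=$(mktemp -d)
  make_self_signed "$work" "www.example.test"
  if key_matches_cert "$work/domain.key" "$work/domain.crt"; then
    echo "key/cert pair OK for CN=$(cert_cn "$work/domain.crt")"
  fi
  valid_for_days "$work/domain.crt" 30 && echo "not expiring in the next 30 days"
  key_perms_ok "$work/domain.key" && echo "private key permissions OK"
  bundle_pkcs12 "$work" "changeit" \
    && echo "p12 holds CN=$(pkcs12_cn "$work/domain.p12" changeit)"
  rm -rf "$work"
fi
```

The key-match check compares the PEM public key extracted from the private key with the one extracted from the certificate; if the two differ, the server will fail to start or present a certificate it cannot prove it owns, so this is worth running on every deployment, not only on self-signed pairs. The `-checkend` call is the same test a monitoring job can run against installed certificates.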

Best Practices

  1. Keep private keys secure with appropriate file permissions
  2. Use strong passphrases for encrypted private keys
  3. Regularly rotate certificates before they expire
  4. Choose appropriate key sizes (2048-bit RSA or higher)
  5. Verify file contents when troubleshooting - don't rely solely on extensions

Summary

| File Type | Typical Content | Usage |
|---|---|---|
| .key | Private Key | Server-side, keep secure |
| .crt, .cer | Certificate | Public distribution |
| .pem | Various (base64) | Flexible container format |
| .p12, .pfx | Key + Certificate | Password-protected bundle |
| .csr | Certificate Request | Submit to Certificate Authority |

Understanding these file types and their purposes will help you properly configure SSL/TLS for your applications and avoid common configuration errors.