13

Bit of a silly question, but:

What kind of file(s) do you get when you buy an SSL certificate from a trusted CA?

Is there a .pfx file?

I'm working on a small tool to manage SSL certificates, but I'm not sure exactly what kind of certificates I'll be dealing with besides the self-signed ones that I create myself.

Thanks!

Cameron

1 Answer

14

The .pfx file extension is one. The text below from IBM has some in-depth information.

Certificate file types

Certificates and keys are stored in several types of files.

Files that store certificates and keys can have the following formats:

.pem

A privacy-enhanced mail file, which has a file extension of .pem, begins and ends with the following lines:

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

A privacy-enhanced mail format supports multiple digital certificates, including a certificate chain. If your organization uses certificate chaining, use this format to create CA certificates.

.arm

A file with an extension of .arm contains a base-64 encoded ASCII representation of a certificate, including its public key, but not its private key. An .arm format is generated and used by the IBM® Key Management utility. Specify this format to extract a self-signed certificate from the machine on which the self-signed certificate was generated to the machine that will use the self-signed certificate as the CA certificate.

.der

A file with an extension of .der contains binary data. This format can be used only for a single certificate, unlike a file with a privacy-enhanced mail format, which can contain multiple certificates. Specify this format to extract a self-signed certificate from the machine on which the self-signed certificate was generated to the machine that will use the self-signed certificate as the CA certificate.

.pfx (PKCS12)

A PKCS12 file, which has an extension of .pfx, contains a certificate (CA-issued certificate or self-signed certificate) and a corresponding private key. Use this format to transfer the contents of a keystore to a separate machine. For example, you can create and install a certificate and private key using key management utility, export the certificate and key to a PKCS12 file, then import the file into another keystore. This format is also useful for converting from one type of SSL implementation to a different implementation. For example, you can create and export a PKCS12 file using the IBM Key Management utility, then import the file on another machine using the OpenSSL CertTool utility.

The text above is a verbatim copy from IBM Eclipse Help.

jweyrich
Daniel
  • P7B is another not mentioned in the link – Daniel Aug 11 '11 at 19:36
  • 3
    +1. I hope you don't mind my edit. Additionally, `.p12` and `.pfx` are interchangeable file extensions. Yet more, `.key` generally contains only the private key, while `.crt` contains only a public key (the certificate itself). – jweyrich Aug 11 '11 at 19:40
  • 1
    @jweyrich: And based on my experience today, I think .cer is equivalent to .crt – Cameron Aug 11 '11 at 19:46
  • Thanks Daniel, it looks like I'll only have to support .pfx files, since I need a private key (and those seem to be the only files that have one embedded) – Cameron Aug 11 '11 at 19:47
  • 1
    @Cameron: both of your assertions are correct. `.crt` and `.cer` are also interchangeable. `.p12` is the best choice IMO, but you can also just concat your `.crt` and `.key` if you don't want a password-protected file. However, this imposes a limitation when importing the certificate in your browser for authentication. – jweyrich Aug 11 '11 at 19:57
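Added example, not part of the thread or of the quoted IBM text: because the comments note that `.crt`/`.cer` and `.p12`/`.pfx` are interchangeable extensions, a management tool can identify a file from its bytes rather than its name, and flag anything that may hold a private key. The function names, result fields and sample inputs are constructed for illustration, and the binary checks are heuristics on the first ASN.1 element only.

```python
import re

PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

def _first_inner(data):
    """Tag and short-form value of the first element inside the outer DER SEQUENCE."""
    if len(data) < 4 or data[0] != 0x30:       # all formats handled here start with SEQUENCE
        return None
    pos = 2 + (data[1] & 0x7F if data[1] & 0x80 else 0)   # skip long-form length octets
    if pos + 2 > len(data):
        return None
    tag, length = data[pos], data[pos + 1]
    value = b"" if length & 0x80 else data[pos + 2 : pos + 2 + length]
    return tag, value

def _result(kind, certificates, key):
    return {"kind": kind, "certificates": certificates, "may_contain_private_key": key}

def classify(data):
    """Heuristically identify a certificate/key file from its content, not its extension."""
    labels = [m.decode() for m in PEM_BEGIN.findall(data)]
    if labels:                                 # PEM may hold a chain and, if concatenated, a key
        has_key = any(label.endswith("PRIVATE KEY") for label in labels)
        return _result("pem", labels.count("CERTIFICATE"), has_key)
    inner = _first_inner(data)
    if inner is None:
        return _result("unknown", 0, False)
    tag, value = inner
    if tag == 0x02 and value == b"\x03":       # PFX ::= SEQUENCE { version INTEGER (3), ... }
        return _result("pkcs12", None, True)   # contents are only known after decryption
    if tag == 0x02:                            # DER private keys start with a small version INTEGER
        return _result("der-private-key", 0, True)
    if tag == 0x06:                            # PKCS#7 ContentInfo starts with an OID (.p7b)
        return _result("pkcs7", None, False)
    if tag == 0x30:                            # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        # Limitation: a DER-encoded encrypted PKCS#8 key also starts this way; confirm with a real parser.
        return _result("der-certificate", 1, False)
    return _result("unknown", 0, False)

# Constructed sample inputs (placeholder bodies, not real certificates or keys).
_CERT = b"-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
_KEY = b"-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
SAMPLE_CHAIN = _CERT * 2                        # e.g. leaf + intermediate in one .pem
SAMPLE_CRT_PLUS_KEY = _CERT + _KEY              # the "concat your .crt and .key" case
SAMPLE_PFX = b"\x30\x82\x0a\x00\x02\x01\x03\x30"       # header bytes of a PKCS#12 structure
SAMPLE_DER_CERT = b"\x30\x82\x03\x00\x30\x82\x02\x00"  # header bytes of a DER certificate
```

A file classified with `may_contain_private_key` set should be stored with restrictive permissions regardless of what its extension suggests.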