Certificate formats


While working with certificates we come across many file formats: .csr, .pem, .cer, .der, .pfx, .p7b and so on.
Each of these formats has a different use and a different purpose. In this post we try to understand what each format is and what it is meant for.


Following are a few formats of certificates:



pem format:
extension : .pem (.crt, .cer and .key files very often hold PEM data as well, though .crt and .cer can also be binary DER)
full form : Privacy Enhanced Mail (a.k.a. Privacy-Enhanced Electronic Mail)

define: a PEM file holds DER-encoded ASN.1 data (an X.509 certificate, a CSR, a private key, ...) as base64 text, wrapped in "armor" lines. A single PEM file can contain a number of certificates and a key, one block after another; that is how a server certificate is usually shipped together with its chain.
It contains the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines (five hyphens on each side). The label changes with the content, e.g. "PRIVATE KEY", "CERTIFICATE REQUEST" or "PKCS7", and the base64 body is broken into 64-character lines. Anything outside the BEGIN/END lines is ignored by most tools.

RFC: RFC 1421 - RFC 1424 (the original Privacy Enhanced Mail series; RFC 7468 describes the textual encoding of certificates and keys as it is used today)

Example (illustrative fragment, not a complete or valid certificate):
-----BEGIN CERTIFICATE-----
BQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eSAtIEcy
MTowOAYDVQQLEzEoYykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3Jp
emVkIHVzZSBvbmx5MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMB4X
DTk4MDUxODAwMDAwMFoXDTE4MDUxODIzNTk1OVowgcExCzAJBgNVBAYTAlVTMRcw
FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE8MDoGA1UECxMzQ2xhc3MgMyBQdWJsaWMg
UHJpbWFyeBALAKISHORESBDGADDAMZXJ0aWZpY2F0aW9uIEF1dGhvc
ml0eSAtIEcyMTowOAYDVQQLEzEosdfsrwerwerDerewrdwmfsinshafafdunerer
YykgMTk5OCBWZXJpU2lnbiwgSW5jLiAtIEZvciBhdXRob3JpemVkIHVzZSBvbmx5
MR8wHQYDVQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMIGfMA0GCSqGSIb3DQEB
AQUAA4GNADCBiQKBgQDMXtERXVxp0KvTuWpMmR9ZmDCOFoUgRm1HP9SFIIThbbP4
pO0M8RcPO/mn+SXXwc+EY/J8Y8+iR/LGWzOOZEAEaMGAuWQcRXfH2G71lSk8UOg0
13fQpR6g8QhdYLXh7IFACJ0ubJwvt8y9UJnNI8CWpifefyaqKYbfKDD3W
hHcGFOgV
-----END CERTIFICATE-----  
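To make the PEM layout concrete, here is an added example in Python, written for this post rather than taken from OpenSSL or any other tool: it splits a bundle into its armored blocks, checks each block's labels and base64, decodes the body back to the DER bytes, and encodes DER back into PEM. The sample bundle and the two tiny DER payloads inside it are constructed for the example (they are minimal ASN.1 SEQUENCEs, not real certificates or keys), and the function names are my own.

```python
import base64
import binascii
import re

# Constructed sample bundle (not from any real CA): two PEM blocks in one file,
# each wrapping a tiny hand-built DER SEQUENCE rather than a real certificate,
# so the example runs offline. Real bundles look the same, just longer.
SAMPLE_BUNDLE = """\
Bag Attributes and other text outside the armor are ignored by tools
-----BEGIN CERTIFICATE-----
MAYCAQIEAQE=
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
MAMCAQA=
-----END PRIVATE KEY-----
"""

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END ([A-Z0-9 ]+)-----",
    re.DOTALL,
)


def parse_pem(text):
    """Return [(label, der_bytes), ...] for every armored block in a PEM file.

    Text outside the BEGIN/END lines is skipped. A block whose END label
    differs from its BEGIN label, or whose body is not valid base64, raises
    ValueError instead of silently yielding garbage."""
    blocks = []
    for match in PEM_BLOCK.finditer(text):
        begin, body, end = match.groups()
        if begin != end:
            raise ValueError(f"label mismatch: BEGIN {begin} / END {end}")
        b64 = "".join(body.split())          # drop the 64-column line breaks
        try:
            der = base64.b64decode(b64, validate=True)
        except binascii.Error as exc:
            raise ValueError(f"{begin} block is not valid base64: {exc}") from None
        blocks.append((begin, der))
    return blocks


def encode_pem(label, der):
    """Inverse of parse_pem for one object: base64 the DER bytes, wrap at
    64 characters per line (as RFC 7468 specifies) and add the armor lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def split_bundle(text):
    """Separate a mixed PEM file into certificates and private keys, which is
    what you want to do before handing the certificate part to anyone else."""
    blocks = parse_pem(text)
    certs = [der for label, der in blocks if label == "CERTIFICATE"]
    keys = [der for label, der in blocks if label.endswith("PRIVATE KEY")]
    return certs, keys


if __name__ == "__main__":
    for label, der in parse_pem(SAMPLE_BUNDLE):
        print(label, der.hex())
    certs, keys = split_bundle(SAMPLE_BUNDLE)
    print(f"{len(certs)} certificate(s), {len(keys)} private key(s)")
```

The same decoding is what the standard library's ssl.PEM_cert_to_DER_cert() does for a single certificate; the version here additionally handles a whole bundle and refuses a block whose BEGIN and END labels disagree, which is a common sign of a botched copy-paste.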



der format:

extension : .der (.cer and .crt files are sometimes DER as well)

full form : Distinguished Encoding Rules

define: DER is the binary encoding of a certificate; PEM is simply the base64 text form of the same DER bytes, so the two carry identical content. DER is one of the ASN.1 encoding rules (defined in ITU-T X.690) and the one X.509 requires for certificates, because it is canonical: a given value has exactly one valid encoding (no indefinite lengths, minimal length octets, sorted SETs), so the bytes a CA signs are unambiguous and a parser can reject anything re-encoded differently. A file with a .der extension must be read as a DER-encoded certificate (or key, CSR, ...), not as text.


RFC: none; DER itself is defined in ITU-T X.690, and the certificate structure it encodes is defined in RFC 5280.

Example: the file is binary and cannot be viewed in a plain text editor; use the openssl x509 command with -inform DER to inspect it or convert it to PEM.


csr format:

extension : .csr (also .req and .p10)

full form: Certificate Signing Request.

define: whenever a server wants to enable SSL/TLS it generates a key pair and a CSR, and sends the CSR to a CA to obtain a digital certificate.

A Certificate Signing Request (CSR) is a PKCS#10 message: it carries the subject information and the public key that will go into the certificate, and it is signed with the requester's own private key to prove possession of that key (so a CSR is not unsigned; it just is not yet signed by the CA). The certificate authority uses the CSR to issue the signed X.509 v3 certificate.

This CSR is sent to the CA (certificate authority) for signing.

It contains the public key of the requesting system and the subject Distinguished Name (DN): Common Name (normally the host name), Business name / Organisation, Department name / Organisational Unit, Locality, State, Country and an e-mail address. It may also carry requested extensions such as Subject Alternative Names, although the CA decides what actually ends up in the certificate.

A .csr does not contain the private key. The private key never leaves the requesting system; only the CSR goes to the CA.

RFC : RFC 2986 (PKCS #10)


pfx format (PFX/PKCS#12):

extension : .pfx , .p12

full form : Personal Information Exchange (PFX) Certificate, standardised as PKCS #12


Define: a .pfx/.p12 file is used to store and transfer a certificate together with its private key and, usually, the issuing chain. It is a binary (DER-encoded) container that can hold all kinds of keys and certificates.
The PKCS #12 package is password-protected: its contents are encrypted, and a MAC derived from the password protects their integrity. This PKCS #12 package is similar to a PKCS #7 certificate chain with the private key included, which is why it is the format used to import a certificate and key into Windows, Java keystores and many appliances. Because it carries the private key, a .pfx must be handled as a secret, and a weak export password leaves it open to offline guessing.

RFC: RFC 7292 (PKCS #12 v1.1)



P7B and PKCS7:

extension : .p7b, .p7c

define: a PKCS #7 (CMS) file can contain only certificates and chain certificates (and optionally CRLs), never a private key. It is usually distributed as a base64-encoded ASCII (PEM) file, but the same structure can also be saved in binary DER form; Windows CAs commonly hand out the issued certificate plus its chain as a .p7b.

example :

-----BEGIN PKCS7-----
(base64 data)
-----END PKCS7-----

The PEM PKCS#7 format uses the header and footer lines:
 -----BEGIN PKCS7-----
 -----END PKCS7-----
For compatibility with some CAs, the openssl pkcs7 command will also accept:
 -----BEGIN CERTIFICATE-----
 -----END CERTIFICATE-----

RFC: RFC 2315 (PKCS #7); its successor is CMS, RFC 5652
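As an added example that serves both the DER section above and the CSR, PFX and PKCS#7 sections, here is a small strict DER reader in Python, written for this post and not taken from OpenSSL or the original article. It walks any DER file, refuses the BER-only encodings that DER rules out, and then uses the leading tags of the structures defined in RFC 5280 (Certificate), RFC 2986 (CertificationRequest), RFC 7292 (PFX) and RFC 5652 (ContentInfo) to guess what a binary file is and whether it carries a private key, which is the check worth running before a file is mailed to a CA or committed to a repository. The sample blobs are constructed stand-ins that begin the way the real structures do; they are not real certificates, requests or keys, the fingerprinting is a heuristic on the first few tags rather than a full parser, and all function names are my own.

```python
import re

CLASS_NAMES = ("UNIVERSAL", "APPLICATION", "CONTEXT", "PRIVATE")
TAG_NAMES = {1: "BOOLEAN", 2: "INTEGER", 3: "BIT STRING", 4: "OCTET STRING",
             5: "NULL", 6: "OBJECT IDENTIFIER", 12: "UTF8String", 16: "SEQUENCE",
             17: "SET", 19: "PrintableString", 23: "UTCTime", 24: "GeneralizedTime"}


def read_tlv(data, pos):
    """Decode the tag-length-value at data[pos:] as strict DER and return
    (tag_class, tag_number, constructed, value, next_pos). Encodings BER allows
    but DER forbids (indefinite length, non-minimal length octets) raise
    ValueError; that strictness is what makes DER canonical, so the bytes a CA
    signed cannot be re-encoded differently and still decode to the same values."""
    if pos + 2 > len(data):
        raise ValueError("truncated: missing tag or length")
    tag, first, pos = data[pos], data[pos + 1], pos + 2
    tag_class, constructed, number = tag >> 6, bool(tag & 0x20), tag & 0x1F
    if number == 0x1F:
        raise ValueError("high tag number form is not used in X.509; not handled")
    if first < 0x80:
        length = first
    elif first == 0x80:
        raise ValueError("indefinite length is BER, not DER")
    else:
        n = first & 0x7F
        raw, pos = data[pos:pos + n], pos + n
        if len(raw) != n:
            raise ValueError("truncated: length octets")
        if raw[0] == 0 or (n == 1 and raw[0] < 0x80):
            raise ValueError("non-minimal length octets are BER, not DER")
        length = int.from_bytes(raw, "big")
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated: value shorter than declared length")
    return tag_class, number, constructed, value, pos + length


def walk(data, depth=0, rows=None):
    """Flatten a DER blob into (depth, type_name, value) rows. Constructed
    types get value None and their children follow at depth + 1."""
    rows = [] if rows is None else rows
    pos = 0
    while pos < len(data):
        cls, num, constructed, value, pos = read_tlv(data, pos)
        name = TAG_NAMES.get(num, f"[UNIVERSAL {num}]") if cls == 0 else f"[{CLASS_NAMES[cls]} {num}]"
        rows.append((depth, name, None if constructed else value))
        if constructed:
            walk(value, depth + 1, rows)
    return rows


def fingerprint_der(data):
    """Name a binary file from the leading tags of its ASN.1 structure (a
    heuristic: only the outer SEQUENCE and at most two nested first children
    are examined, per the RFC definitions named in the lead-in)."""
    cls, num, constructed, outer, _ = read_tlv(data, 0)
    if (cls, num, constructed) != (0, 16, True):
        return "not a DER SEQUENCE"
    cls, num, constructed, first, _ = read_tlv(outer, 0)
    if (cls, num) == (0, 6):                       # ContentInfo starts with an OID
        return "PKCS#7 / CMS ContentInfo (certificate chain, no key)"
    if (cls, num) == (0, 2):                       # leading version INTEGER
        version = int.from_bytes(first, "big", signed=True)
        if version == 3:
            return "PKCS#12 PFX (password-protected; usually holds a private key)"
        return f"private key (PKCS#1, PKCS#8 or SEC1, version {version})"
    if (cls, num, constructed) == (0, 16, True):   # tbsCertificate / certReqInfo
        cls, num, constructed, inner, _ = read_tlv(first, 0)
        if (cls, num) == (2, 0):                   # [0] EXPLICIT version
            return "X.509 certificate (v2/v3)"
        if (cls, num) == (0, 2) and int.from_bytes(inner, "big", signed=True) == 0:
            return "PKCS#10 certificate request (version 0)"
    return "unrecognised SEQUENCE"


def identify(data):
    """Classify a file as PEM or DER and say whether it carries key material."""
    if b"-----BEGIN " in data:
        labels = [l.decode("ascii") for l in re.findall(rb"-----BEGIN ([A-Z0-9 ]+)-----", data)]
        has_key = any(l.endswith("PRIVATE KEY") for l in labels)
        return {"encoding": "PEM", "kind": labels, "private_key": "yes" if has_key else "no"}
    kind = fingerprint_der(data)
    key = "yes" if kind.startswith("private key") else "maybe" if kind.startswith("PKCS#12") else "no"
    return {"encoding": "DER", "kind": kind, "private_key": key}


# Constructed minimal DER blobs (not real objects) that begin the way the real
# structures do, so the fingerprinting can be exercised offline.
SAMPLES = {
    "cert": bytes.fromhex("30073005a003020102"),         # SEQ{SEQ{[0]{INT 2}}}
    "csr": bytes.fromhex("30053003020100"),              # SEQ{SEQ{INT 0}}
    "pfx": bytes.fromhex("3003020103"),                  # SEQ{INT 3}
    "p7b": bytes.fromhex("300b06092a864886f70d010702"),  # SEQ{OID signedData}
    "pkcs8": bytes.fromhex("3003020100"),                # SEQ{INT 0}
}
```

Feeding walk() a real certificate (converted to DER first) gives the same SEQUENCE/SET/INTEGER tree that openssl asn1parse prints, and the version check in fingerprint_der() is the difference between a CSR (whose certReqInfo starts with INTEGER 0) and a v1 certificate or CRL, whose first INTEGER is a serial number or CRL version and so never 0 under RFC 5280.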

Types of Certificates


Following are a few certificate types:

  1. CA Certificates
  2. Server Certificates
  3. Client Certificates
  4. S/MIME Certificates
  5. Object Signing Certificates

  CA Certificates:

CA certificates are the certificates of certificate authorities, the parties that issue certificates to users and servers in a public key infrastructure. A root certificate is a self-signed CA certificate whose subject and issuer are the same; it is trusted because it is installed in the client's trust store, not because anyone else signed it. Intermediate CA certificates sit between the root and the end-entity certificate and are themselves signed by the root or by another intermediate. Client and server software use CA certificates to determine what other certificates can be trusted: a certificate is accepted only if it chains up to a CA certificate in the trust store.


Famous Roots:
Thawte, VeriSign, GoDaddy etc.

where can you view the list of trusted root certificates:
Open Internet Explorer -> Tools -> Internet Options -> Content -> Certificates -> Trusted Root Certification Authorities. (The same Windows store can also be opened with certmgr.msc.)
(screenshot: trusted certificates list in Internet Explorer)

If the certificate does not chain to a root in the trusted list and the user tries to access a resource over HTTPS, the browser throws a warning that the certificate is not from a trusted authority.

As below:
(screenshot: warning from the IE browser)


Server Certificates:
Server certificates are used to establish a secure connection between a client (browser) and a web server.
The certificate lets the browser validate the web server: it checks that the certificate chains to a trusted CA, that it is within its validity period, and that the host name the user typed matches a name in the certificate (the Subject Alternative Name, or historically the Common Name).

Generally server certificates are issued to a machine name or web server host name (e.g. www.example.com), which is why a certificate for one host is rejected on a host with a different name.

where can I see the server certificate:
Click on the padlock (https) icon on any site using an HTTPS connection and you can view it.
For example, Blogger uses the server certificate below:
(screenshot: Blogger server certificate)

That tells the user that the connection is encrypted against eavesdroppers and that the web site is the one named in the certificate. It does not vouch for the site being honest: any site operator can obtain a valid certificate for a name they control.

Client Certificate:


During the SSL/TLS handshake the web server can also ask the client to prove its identity before serving the page. This is where client certificates are used (often called mutual TLS).
The user authenticates to the server with a client certificate; this requires an X.509 certificate issued by a CA that the server trusts, together with the matching private key on the client, which signs a handshake message to prove possession.

(screenshot: sample client certificate details)
Advantages :
Client certificate authentication removes the dependence on passwords, so weak or reused passwords are no longer the weakest link. The private key must be protected (and the certificate revoked if the device is lost) for this advantage to hold.

S/MIME Certificates:

S/MIME stands for Secure/Multipurpose Internet Mail Extensions. It provides a method to sign and encrypt messages, namely e-mail: the sender signs with their own private key, and encrypts to the recipient's certificate (public key), so only the recipient's private key can decrypt the mail.

Famous examples include the S/MIME support on BlackBerry devices.


Webmail clients (Gmail, Hotmail, Yahoo) did not support S/MIME certificates at the time of writing.
Desktop e-mail clients like Microsoft Outlook and Mozilla Thunderbird support S/MIME certificates.
 

Object Signing Certificates:

Every programmer will know these as code signing certificates. They are used to sign DLLs (dynamic-link libraries), JARs, installers and any other software shipped to customers, so that the recipient can verify who published the code and that it has not been modified since it was signed.
Most enterprise software is signed for this integrity check; the operating system or runtime verifies the signature against a trusted CA before installing or running the code.