Complete Guide to Certificate and Key File Extensions: PEM, CRT, DER, PFX, and More
If you've ever set up a web server (like Nginx or Apache), managed SSH keys, or worked with digital signatures, you've likely encountered a confusing array of file extensions: .pem, .crt, .cer, .der, .p12, .pfx, .key, .csr, and more.
Are they all the same? Can you just rename them? This guide will demystify these extensions, explain what's inside them, and show you how to work with them effectively.
Why are there so many extensions?
The confusion stems from two main things:
- The Standard (X.509): This is the international standard for public key certificates.
- The Encoding: How the certificate data is actually stored in the file (Base64 ASCII vs. Binary).
Essentially, different platforms (Windows vs. Linux), different servers (IIS vs. Nginx), and different protocols (SSL/TLS vs. SSH vs. PGP) have historically preferred different ways of storing the same underlying cryptographic information.
Quick Reference Table: Common Certificate & Key Extensions
| Extension | Format | Description | Common Use |
|---|---|---|---|
| .pem | ASCII (Base64) | Privacy Enhanced Mail | Web servers (Nginx, Apache), SSL/TLS certificates, private keys |
| .crt, .cer | ASCII or Binary | Certificate | Public certificates only (no private keys) |
| .der | Binary | Distinguished Encoding Rules | Java platforms, Windows (often used for specific CA certificates) |
| .key | ASCII or Binary | Private Key | The matching private key for a public certificate |
| .csr | ASCII (Base64) | Certificate Signing Request | The file sent to a CA to request a signed certificate |
| .p12, .pfx | Binary | PKCS#12 Archive | Bundling a certificate and its private key into one password-protected file |
| .p7b, .p7c | ASCII (Base64) | PKCS#7 / CMS | Exporting certificate chains (no private keys) |
| .asc, .sig, .gpg | ASCII or Binary | PGP / OpenPGP | Digital signatures, encrypted emails, and software verification |
1. X.509 Certificate Encodings (The "Big Three")
PEM (Privacy Enhanced Mail) — .pem, .crt, .cer, .key
This is the most common format you'll encounter on Linux and Web servers. It's an ASCII (text-based) format that starts with a header like -----BEGIN CERTIFICATE----- and ends with -----END CERTIFICATE-----. The data in between is Base64 encoded.
- Pros: Human-readable, easy to copy/paste into config files.
- Extension usage: While .pem is the standard, many people use .crt or .cer for public certificates and .key for private keys, even if they are all technically in PEM format.
DER (Distinguished Encoding Rules) — .der, .cer
This is the binary version of a PEM file. If you open it in a text editor, you'll see "garbage" characters.
- Pros: More compact than PEM.
- Where to find it: Common in Java environments, Windows certificate exports, and some hardware security modules (HSMs).
PKCS#12 (Personal Information Exchange) — .p12, .pfx
Unlike PEM and DER which usually hold a single certificate or key, PKCS#12 is an archive format. It can store a certificate, its private key, and the entire CA chain in one single, password-protected file.
- Where to find it: Standard for Windows (IIS), Java (KeyStore), and macOS Keychain.
- Note: .pfx is the old Microsoft extension, while .p12 is the newer cross-platform standard, but they are functionally identical.
2. Request and Metadata Extensions
CSR (Certificate Signing Request) — .csr
This is not a certificate itself. It's a request you generate on your server (containing your public key and organization info) to send to a Certificate Authority (like Let's Encrypt, DigiCert). They will sign it and send back a .crt or .pem file.
PKCS#7 / CMS — .p7b, .p7c
This format is primarily used to share "certificate chains." It might contain your certificate plus the Intermediate and Root CA certificates. It never contains a private key. You'll often see this when downloading certificates from a CA in "Windows" or "IIS" format.
3. PGP and GPG Extensions
If you are verifying software downloads (like the Linux kernel or a popular library), you'll see:
- .asc: An ASCII-armored PGP file (text-based signature).
- .sig, .gpg: Binary PGP signatures or keys.
- .pub: Often used to denote a PGP public key.
4. How to Open and Verify These Files
On Linux / macOS / Windows (with OpenSSL)
OpenSSL is the Swiss Army knife for these files. Here are some common commands:
To view a PEM file (public certificate):

```shell
openssl x509 -in certificate.crt -text -noout
```

To view a DER file (binary):

```shell
openssl x509 -in certificate.der -inform der -text -noout
```

To view a PKCS#12 (.p12 / .pfx) file:

```shell
openssl pkcs12 -info -in key-and-cert.p12
```
5. Converting Between Formats
Platforms often require specific formats. Here's how to convert them:
PEM to DER:

```shell
openssl x509 -in cert.pem -outform der -out cert.der
```

DER to PEM:

```shell
openssl x509 -in cert.der -inform der -outform pem -out cert.pem
```

PEM to PFX (.p12): (Requires combining the cert and private key)

```shell
openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt -certfile CA-chain.crt
```
Common Questions (FAQ)
Q: Can I just rename a .pem file to .crt?
A: In many cases, yes. Most web servers (like Nginx) look for the "BEGIN CERTIFICATE" header inside the file rather than the extension. However, if the platform expects a binary .der file and you provide a renamed .pem file, it will fail.
Q: What is the difference between .p12 and .pfx?
A: There is no functional difference. .pfx was Microsoft's proprietary extension, while .p12 is the industry standard (PKCS#12). They both serve as password-protected containers for certificates and private keys.
Q: Why can't I see my private key in a .p7b file?
A: Because the PKCS#7 standard (used by .p7b) is designed specifically for certificate distribution and does not support storing private keys. If you need to bundle a private key, you must use PKCS#12 (.p12).
Q: Is a .key file always a private key?
A: Usually, but not always. While .key is the conventional extension for private keys, some vendors use it for public keys or even license files. Always check the content (e.g., -----BEGIN PRIVATE KEY-----).
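As an added example (not part of the original guide), here is a small Python script that does what sections 4 and 5 and the FAQ advise: it classifies a file by its content rather than its extension (PEM armor vs. a leading DER SEQUENCE), flags PEM blocks labelled PRIVATE KEY, and converts between PEM and DER framing using only the standard library. The DER sample is a constructed placeholder SEQUENCE, not a real certificate.

```python
import base64
import re
from typing import List, Optional, Tuple

# Constructed stand-in for DER data: SEQUENCE { INTEGER 1, INTEGER 2 }.
# It is not a real certificate; real files share the same outer SEQUENCE.
SAMPLE_DER = bytes([0x30, 0x06, 0x02, 0x01, 0x01, 0x02, 0x01, 0x02])

# PEM framing per RFC 7468: BEGIN/END lines with matching label, Base64 between.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def der_to_pem(der: bytes, label: str) -> bytes:
    """Wrap DER bytes in PEM armor, Base64 folded at 64 columns."""
    b64 = base64.b64encode(der)
    body = b"\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    tag = label.encode()
    return b"-----BEGIN " + tag + b"-----\n" + body + b"\n-----END " + tag + b"-----\n"


def pem_to_der(pem: bytes) -> List[Tuple[str, bytes]]:
    """Decode every PEM block in the input to (label, DER bytes)."""
    return [(m.group(1).decode(), base64.b64decode(m.group(2)))
            for m in PEM_BLOCK.finditer(pem)]


def der_outer_length(data: bytes) -> Optional[int]:
    """Total length claimed by a leading DER SEQUENCE, or None if there is none."""
    if len(data) < 2 or data[0] != 0x30:
        return None
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or len(data) < 2 + n:
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def sniff(data: bytes) -> dict:
    """Classify by content, not extension: PEM, DER or unknown."""
    blocks = pem_to_der(data)
    if blocks:
        labels = [label for label, _ in blocks]
        return {"encoding": "PEM", "labels": labels,
                "has_private_key": any("PRIVATE KEY" in l for l in labels),
                # a PEM body that does not decode to a whole SEQUENCE is suspect
                "malformed": [l for l, der in blocks if der_outer_length(der) != len(der)]}
    if der_outer_length(data) == len(data):
        # Could be a certificate, a key or a PKCS#12 bundle; telling them apart
        # needs a full ASN.1 parse (e.g. openssl asn1parse -inform DER).
        return {"encoding": "DER", "labels": [], "has_private_key": None, "malformed": []}
    return {"encoding": "unknown", "labels": [], "has_private_key": None, "malformed": []}
```

A renamed .pem handed to a DER-only consumer fails for the reason sniff() shows: the file starts with a "-" rather than the 0x30 SEQUENCE tag.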