Key & Certificate File Formats

Cryptographic keys and certificates are stored in various formats, each serving different purposes and environments.

Key File Formats

PEM (Privacy-Enhanced Mail)

PEM (Privacy-Enhanced Mail) format is a Base64 encoded ASCII format that represents binary data (such as cryptographic keys and certificates) in a text-based format. It includes header and footer lines that delineate the beginning and end of the encoded data. PEM format is widely used due to its compatibility with many systems and ease of human readability.

Extension: .pem, .key, .crt, .cer
Description: Base64 encoded DER format with header and footer lines.
Headers:
- Private Key: -----BEGIN PRIVATE KEY-----
- Public Key: -----BEGIN PUBLIC KEY-----
- RSA Private Key: -----BEGIN RSA PRIVATE KEY-----
- EC Private Key: -----BEGIN EC PRIVATE KEY-----
Usage: Widely used for storing private keys, public keys, and certificates in text format. Compatible with many systems and applications.

.pem: Generic extension used for any PEM-encoded file, whether it's a private key, public key, or certificate.

.key: Often used to denote PEM-encoded private keys. For example, private.key could contain a PEM-encoded RSA private key.

.crt or .cer: Commonly used for PEM-encoded certificates. For instance, server.crt could contain a PEM-encoded SSL/TLS server certificate.

A .key file, when it contains a symmetric key like an AES key, is typically in binary format. This binary format is not human-readable and cannot be meaningfully viewed or edited with a text editor. However, for certain types of keys (such as RSA private keys or certificates), a .key file might be in a PEM format, which is Base64-encoded and can be viewed with a text editor.

DER (Distinguished Encoding Rules)

Extension: .der, .cer
Description: Binary format for keys and certificates.
Headers: None (binary format).
Usage: Often used in systems requiring binary data, such as certain hardware devices.

PKCS#12 (Public Key Cryptography Standards #12)

Extension: .p12, .pfx
Description: Binary format that can include private keys, public keys, and certificates.
Headers: None (binary format).
Usage: Commonly used for storing private keys with their accompanying public key certificates in a single file, often in Windows environments.

PKCS#8

Extension: .pem, .key
Description: Standard syntax for storing private key information, either encrypted or unencrypted.
Headers:
- Unencrypted: -----BEGIN PRIVATE KEY-----
- Encrypted: -----BEGIN ENCRYPTED PRIVATE KEY-----
Usage: Preferred format for private keys, supporting both encrypted and unencrypted storage.

OpenSSH

Extension: .key
Description: Format used by OpenSSH for storing public and private keys.
Headers:
- Private Key: -----BEGIN OPENSSH PRIVATE KEY-----
- Public Key: ssh-rsa ... (no header/footer for public key)
Usage: Used specifically for SSH key-based authentication.

Certificate File Formats and Extensions

PEM

Extension: .pem, .crt, .cer
Description: Base64 encoded DER certificate with header and footer lines.
Headers:
- Certificate: -----BEGIN CERTIFICATE-----
Usage: Commonly used for web servers and can contain multiple certificates (certificate chain).

DER

Extension: .der, .cer
Description: Binary format for certificates.
Headers: None (binary format).
Usage: Often used in applications requiring binary format, such as some hardware devices.

PKCS#7

Extension: .p7b, .p7c
Description: Format used for storing certificates and certificate chains.
Headers:
- -----BEGIN PKCS7-----
Usage: Often used for certificate chains and S/MIME email certificates.

PKCS#12

Extension: .p12, .pfx
Description: Binary format that can include private keys, certificates, and certificate chains.
Headers: None (binary format).
Usage: Commonly used to store both a private key and a certificate chain in a single file, often in Windows environments.

Real-World Usage of Key and Certificate Formats

Cryptographic keys and certificates are critical in securing communications, authenticating users, and ensuring data integrity across various applications and environments.

Web Servers (SSL/TLS)

Usage: Secure web traffic using HTTPS.

Formats: PEM for private keys and certificates; PKCS#12 for storing both keys and certificates.
Description: SSL/TLS certificates encrypt data between the client and server, preventing eavesdropping and tampering.

Example:

Apache: Uses PEM format for SSL/TLS certificates.

SSLCertificateFile /path/to/certificate.crt
SSLCertificateKeyFile /path/to/private.key
SSLCertificateChainFile /path/to/ca_bundle.crt

Nginx: Also uses PEM format.

server {
    listen 443 ssl;
    ssl_certificate /path/to/certificate.crt;
    ssl_certificate_key /path/to/private.key;
    ssl_trusted_certificate /path/to/ca_bundle.crt;
}

IIS: Uses PKCS#12 format.

Import-PfxCertificate -FilePath "C:\path\to\certificate.pfx" -CertStoreLocation Cert:\LocalMachine\My

The keys and certificates are typically stored in PEM format, even though the file extensions might be .key for private keys and .crt for certificates.

Email Security (S/MIME)

Usage: Secure email communications by encrypting and digitally signing emails.

Formats: PKCS#7 for email certificates; PEM or DER for individual certificates.
Description: S/MIME certificates encrypt email content and attachments, ensuring only the intended recipient can read the email. Digital signatures verify the sender's identity and ensure the email's integrity.
Example:
- Configure email clients (e.g., Outlook, Thunderbird) to use S/MIME certificates for signing and encrypting emails.
- Import Certificate:
  - Outlook: Go to File > Options > Trust Center > Trust Center Settings > Email Security > Import/Export.
  - Thunderbird: Go to Account Settings > Security > View Certificates > Import.

SSH Authentication

Usage: Securely authenticate users and automate server access without passwords.

Formats: OpenSSH format for public and private keys.
Description: SSH keys provide a more secure and convenient way to log in to remote servers. Public keys are added to the server's authorized_keys file, while private keys remain on the client.

Example:

Generate SSH Keys:

ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa

Copy Public Key to Server:
```
ssh-copy-id user@server
```
Use SSH Key for Login:
```
ssh -i ~/.ssh/id_rsa user@server
```

Mobile Devices

Usage: Install certificates to secure communications and authenticate users.

Formats: DER for installing certificates on mobile devices.
Description: Mobile devices use certificates for secure email, VPN connections, and Wi-Fi authentication.
Example:
- iOS: Use DER or PEM certificates.
  - Email the certificate to yourself and open the email on your iOS device.
  - Tap on the certificate attachment and follow the installation prompts.
- Android: Use DER format.
  - Save the certificate to your device.
  - Go to Settings > Security > Install from storage.

Enterprise Environments

Usage: Manage certificates and private keys for various applications.

Formats: PKCS#12 for storing private keys and certificates; PEM for public distribution.
Description: Enterprises use certificates for securing internal and external communications, authenticating users, and ensuring the integrity of transactions.

Example:

Internal Certificate Authority (CA): Issue and manage certificates within the organization.

Generate Root CA Certificate:

openssl genpkey -algorithm RSA -out rootCA.key -pkeyopt rsa_keygen_bits:4096
openssl req -x509 -new -key rootCA.key -days 3650 -out rootCA.crt -subj "/C=US/ST=State/L=City/O=Organization/OU=Org Unit/CN=Root CA"

Issue Certificates:

openssl genpkey -algorithm RSA -out server.key -pkeyopt rsa_keygen_bits:2048
openssl req -new -key server.key -out server.csr -subj "/C=US/ST=State/L=City/O=Organization/OU=Org Unit/CN=server.example.com"
openssl x509 -req -in server.csr -CA rootCA.crt -CAkey rootCA.key -CAcreateserial -out server.crt -days 365

VPN Connections

Usage: Secure remote access to networks.

Formats: PKCS#12 for storing private keys and certificates; PEM for public certificates.
Description: VPNs use certificates to authenticate clients and servers, ensuring secure communication channels.
Example:
- OpenVPN: Uses PEM format for keys and certificates.
  - Server Configuration:
    ca ca.crt cert server.crt key server.key
  - Client Configuration:
    eca ca.crt cert client.crt key client.key

Best Practices:

Consistency: Stick to standard conventions for file extensions (*.key for private keys, *.crt or *.cer for certificates) to maintain clarity and compatibility.
Verification: Always verify the contents of files to ensure they are correctly encoded in PEM format, regardless of the extension.
Documentation: Document file types and their contents clearly to facilitate maintenance and troubleshooting.

PreviousUse Cases NextKey Distribution

Last updated 7 months ago

Was this helpful?