Typical SSL key and certificate formats

Keystore file formats

JKS format (.jks or .ks file)

Java KeyStore (JKS), Java keystore implemented by the SUN provider. A JKS file is a binary file. The keystore and the private keys are protected by using different passwords.

JCEKS format (.jce file) JCE Keystore (JCEKS), Java keystore implemented by the SUN JCE provider. It provides higher security than JKS. Versions later than JDK1.4 can be used directly and use Triple DES to protect private keys. The processes that JCEKS uses to storage and load different entries are similar to those used by JKS.

PKCS12 format (.p12 or .pfx file)

PKCS #12 is a public key cryptography standard, a binary format for storing the relevant private keys, public keys, and certificates in a single binary file. A PKCS #12 file is also called a PFX file. On Windows, you can directly import certificates and private keys from a PKCS #12 file. The keystore and private keys are protected by using the same passwords.

BKS format (.bks file)

BouncyCastle Keystore (BKS), keystore implemented by the BC provider. It uses Triple DES to protect keystore private keys. It can help prevent incidental modifications of the certificate library. Even a one-bit change of a key entry in the keystore is detected as an error. A BKS can interact with a JKS.

BUER format (.ubr file)

BouncyCastle UBER Keystore (BUDER) file, a securer keystore implemented by the BC provider. When the password is provided by using a command line command, a BUDER can interact only with keytool. The entire keystore can be encrypted by using PBE, SHA1, or Twofish and therefore is protected against mistaken modification, inspection, and check. Like cacerts, SunJDK allows you to load a keystore without providing a password. UBER does not.

Certificate file formats

DER format (.cer, .crt, or .rsa file)

DER (ASN .1 DER): Stores only certificate information, in binary. It does not contain the private key.

A .der file contains DER-coded certificate information, in binary. The certificate file can also use the .cer or .crt extension.

A .crt file contains DER-coded or PEM-coded certificate information. The .cer extension and .crt extension are almost synonyms. This situation is popular on a Unix or Linux system.

A .cer file is used on the Microsoft platform. You can convert a .crt file to a .cer file that uses the same coding system, DER or PEM. A .cer file can be identified by IE as a command to call Microsoft CryptoAPI (specifically, rudll32.exe, cryptext.dll, and CyrptExtOpenCER). Then, a dialog box pops up for you to import and/or view the certificate content.

PKCS7 format (.p7b or .p7r file)

PKCS #7 is also called the cryptographic message syntax standard. It is generated by the RSA cryptosystem in public key cryptography for exchanging digital certificates.

A .p7b file shows a certificate chain in a tree structure. It does not contain private keys. A .p7r file contains the response to a certificate request. It can be used only for import.

CMS format (.p7c, .p7m, or p7s file)

CMS(Cryptographic Message Syntax):

A .p7c file stores only certificates.

A .p7m file stores the signature with enveloped data.

A .p7s file is a signature file with a timestamp.

PEM format (.pem file)

The Privacy Enhanced Mail (PEM) encoding format is defined in RFC 1421. However, PEM is also widely used in key management. The message content is base 64 encoded in binary.

PKCS10 format (.p10 or .csr file)

A .csr file contains a certificate signing request, which is also called an authentication request. It is sent to a CA for authentication. It uses two formats. One format is defined by PKCS#10 and is popular. The other is defined by SPKAC and is used less (used in Netscape Web browser). A .p10 file contains a certificate request. It is similar to a .csr file.

SPC format (.pvk or .spc file)

Software Publishing Certificate (SPC) is a Microsoft proprietary certificate file format. It is typically used for code signing. A .pvk file stores the private key. A .spc file stores the public key.