Security File Formats — WhatThisFile

About security files

Security files are the ones that keep the internet's locks working. Certificates prove you are who you say you are. Keys encrypt and decrypt. Keystores hold collections of both. Most people never interact with these files directly — until they're setting up HTTPS, configuring SSH, or debugging why their API suddenly returns 'certificate expired.' Handle private keys like passwords: if someone else has them, the security is gone.

The ecosystem is built on asymmetric cryptography: a public key (safe to share) and a private key (never share). Certificates bind a public key to an identity and are signed by a Certificate Authority that browsers trust. PEM is the most common encoding — Base64 text between header markers. DER is the binary equivalent. P12/PFX bundles everything with a password.

The naming conventions are a mess. .pem, .crt, .cer, and .der can all contain the same certificate data in different encodings with different extension conventions. OpenSSL is the universal tool for inspecting, converting, and managing all of these formats. Learn `openssl x509`, `openssl rsa`, and `openssl pkcs12` and you can handle anything the certificate world throws at you.

All security formats

.asc ASC is a GPG encrypted, signed, or public key file in ASCII-... .cer CER is a certificate file commonly used on Windows — may be ... .crt CRT is an X.509 digital certificate file, usually PEM-encode... .csr CSR is a file sent to a Certificate Authority to request an ... .der DER is the binary encoding format for X.509 certificates — c... .gpg GPG files are encrypted or digitally signed using GNU Privac... .jks JKS is Java's certificate and key storage format — a passwor... .p12 P12 bundles a certificate, its private key, and the certific... .p7b P7B is a certificate chain file containing one or more certi... .pem PEM is the most common format for SSL/TLS certificates and k... .pfx PFX is Microsoft's name for the PKCS#12 format — a password-... .pub PUB files contain an SSH or GPG public key — safe to share, ... .smime Digitally signed or encrypted email using S/MIME certificate...

Safety notes

.asc Use caution

Same caution as .gpg — verify the source. Public key .asc files are safe to share.

.gpg Use caution

GPG files may contain any type of encrypted content. The encryption itself is safe, but verify the source before decrypting unknown files.

.jks Use caution

Contains certificates and potentially private keys. Password-protected. Handle with the same care as P12/PFX files.

.p12 Use caution

Contains private keys. Password-protected but handle with extreme care — anyone with the file and password has your certificate's private key.

.pem Use caution

PEM files containing private keys should be kept secret. Certificate-only PEM files are safe to share.

.pfx Use caution

Contains private keys. Password-protected but handle with extreme care.

FAQ

What's the difference between a certificate and a key?

A certificate contains a public key plus identity information (domain name, organisation), signed by a Certificate Authority. A private key is the secret counterpart that proves ownership. Certificates are public; private keys must be kept secret.

What format should I use for my SSL certificate?

PEM (.pem or .crt) for Apache, Nginx, and most Linux servers. PFX/P12 (.pfx or .p12) for IIS, Azure, and Windows servers. JKS for Java application servers. Most certificate authorities provide PEM format by default.

How do I check if my certificate is valid?

`openssl x509 -in cert.pem -text -noout` shows the certificate details including validity dates, issuer, and subject. For a remote server: `openssl s_client -connect hostname:443` retrieves and displays the server's certificate.

Related categories