When working with SSL/TLS certificates, you’ll encounter various file extensions like .crt, .cer, .pem, .key, .pfx, and .csr. Understanding these formats is essential for proper certificate deployment and management. This guide explains each format and when to use them.

Understanding Encoding Standards

Before diving into file extensions, it’s important to understand the two primary encoding standards:

PEM (Privacy Enhanced Mail)

PEM is a Base64-encoded format that’s human-readable when opened in a text editor.

Characteristics:

• ASCII text format (Base64 encoded)
• Starts with -----BEGIN CERTIFICATE-----
• Ends with -----END CERTIFICATE-----
• Can contain multiple certificates
• Most common format on Linux/Unix

Example:

-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAKL0UG+mRkmvMA0GCSqGSIb3DQEBCwUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
...
-----END CERTIFICATE-----

DER (Distinguished Encoding Rules)

DER is a binary format that’s not human-readable.

Characteristics:

• Binary format
• Smaller file size than PEM
• Cannot be viewed in text editor
• More common on Windows
• Single certificate per file

Certificate File Extensions

.crt / .cert (Certificate)

Purpose: Contains the public certificate

Format: Usually PEM, sometimes DER

Content:

• Public key
• Domain name(s)
• Issuer information
• Validity period
• Digital signature

Common Usage:

• Apache/Nginx SSL configuration
• Certificate chain files
• Intermediate and root certificates

Example filename: example.com.crt, intermediate.crt

Linux/Unix example:

# View certificate details
openssl x509 -in certificate.crt -text -noout

# Check certificate dates
openssl x509 -in certificate.crt -noout -dates

.cer (Certificate)

Purpose: Same as .crt - contains public certificate

Format: Usually DER (binary), sometimes PEM

Content: Identical to .crt files

Common Usage:

• Windows environments
• Internet Information Services (IIS)
• Java applications

Difference from .crt:

• Mainly a naming convention
• .crt more common on Linux/Unix
• .cer more common on Windows
• Some CAs use .cer for DER format

Windows example:

# Import certificate in Windows
Import-Certificate -FilePath certificate.cer -CertStoreLocation Cert:\LocalMachine\Root

.pem (Privacy Enhanced Mail)

Purpose: Container format that can hold certificates, private keys, or both

Format: Always PEM (Base64)

Content: Can contain:

• Certificate only
• Private key only
• Certificate + private key
• Certificate chain
• Full chain with private key

Common Usage:

• Apache/Nginx (most common)
• Let’s Encrypt outputs
• Certificate chains
• Combined certificate + key files

Example variations:

# Certificate only
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

# Private key only
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

# Certificate + Private Key
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----

# Certificate chain (multiple certificates)
-----BEGIN CERTIFICATE-----
... (site certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (intermediate certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (root certificate)
-----END CERTIFICATE-----

Example filenames: cert.pem, privkey.pem, fullchain.pem

.key (Private Key)

Purpose: Contains the private key

Format: Usually PEM, sometimes DER

Content:

• Private key data
• May be encrypted with a passphrase
• MUST be kept secure

Common Usage:

• Web server SSL configuration
• Paired with .crt or .pem certificate
• Should have restricted permissions

Security:

# Set proper permissions (Linux/Unix)
chmod 600 private.key

# Never share private keys
# Never commit to version control
# Store securely with restricted access

Example content:

-----BEGIN PRIVATE KEY-----
MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7VJTUt9Us8cKj
MzEfYyjiWA4R4/M2bS1+fWIcPm15A8SE0P/yLWIuLu5LiQnKLs2PZv+KZwX0tCx2
...
-----END PRIVATE KEY-----

.pfx / .p12 (PKCS#12)

Purpose: Archive format containing certificate, private key, and optionally the certificate chain

Format: Binary (PKCS#12)

Content:

• Private key
• Certificate
• Intermediate certificates (optional)
• Usually password-protected

Common Usage:

• Windows servers (IIS)
• Java applications
• Email encryption (S/MIME)
• Code signing
• Exporting/importing certificates with private keys

Differences:

• .pfx - Microsoft/Windows convention
• .p12 - More generic name (same format)
• Functionally identical

Creating .pfx:

# Convert PEM to PFX
openssl pkcs12 -export -out certificate.pfx \
  -inkey private.key \
  -in certificate.crt \
  -certfile ca-bundle.crt

# Extract from PFX to PEM
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes

Windows IIS usage:

# Import PFX in IIS
Import-PfxCertificate -FilePath certificate.pfx -CertStoreLocation Cert:\LocalMachine\My -Password (ConvertTo-SecureString -String "password" -AsPlainText -Force)

.csr (Certificate Signing Request)

Purpose: Request file sent to Certificate Authority to obtain a certificate

Format: Usually PEM, sometimes DER

Content:

• Public key
• Organization information
• Domain name(s)
• Digital signature of the request

Common Usage:

• Submitting to CA for certificate issuance
• Renewing certificates
• Generated before obtaining a certificate

Workflow:

1. Generate private key
2. Create CSR from private key
3. Submit CSR to CA
4. CA validates and issues certificate
5. Install certificate with existing private key

Creating CSR:

# Generate private key and CSR together
openssl req -new -newkey rsa:2048 -nodes \
  -keyout private.key \
  -out certificate.csr

# Create CSR from existing private key
openssl req -new -key private.key -out certificate.csr

# View CSR content
openssl req -text -noout -verify -in certificate.csr

CSR contains:

• Common Name (CN): example.com
• Organization (O): Your Company
• Organizational Unit (OU): IT Department
• Locality (L): New York
• State (ST): New York
• Country (C): US
• Subject Alternative Names (SAN): www.example.com, api.example.com

Format Conversion

PEM to DER

openssl x509 -in cert.pem -outform der -out cert.der

DER to PEM

openssl x509 -in cert.der -inform der -out cert.pem

PEM to PFX

openssl pkcs12 -export -out certificate.pfx -inkey private.key -in certificate.crt -certfile ca-bundle.crt

PFX to PEM

# Extract certificate
openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.pem

# Extract private key
openssl pkcs12 -in certificate.pfx -nocerts -out private.key

# Extract all (certificate + key)
openssl pkcs12 -in certificate.pfx -out certificate-all.pem -nodes

CRT to PEM (if DER encoded)

openssl x509 -in certificate.crt -inform der -out certificate.pem

Common File Combinations by Platform

Apache

SSLCertificateFile      /path/to/certificate.crt
SSLCertificateKeyFile   /path/to/private.key
SSLCertificateChainFile /path/to/ca-bundle.crt

Nginx

ssl_certificate     /path/to/fullchain.pem;  # Certificate + Intermediate
ssl_certificate_key /path/to/private.key;

Windows IIS

• Single .pfx file containing certificate, private key, and chain

Java (Tomcat, JBoss)

• .jks (Java KeyStore) or .p12 format
• Can convert from PEM/PFX using keytool

HAProxy

• Single .pem file with certificate, private key, and chain concatenated

Best Practices

1. Always protect private keys

   • Never share or expose
   • Use file permissions (chmod 600 on Unix)
   • Encrypt when possible

2. Include certificate chain

   • Most servers need intermediate certificates
   • Use fullchain.pem or ca-bundle.crt

3. Verify formats before deployment

   openssl x509 -in file -text -noout  # For certificates
   openssl rsa -in file -check         # For private keys
   openssl req -in file -text -noout   # For CSRs
   

4. Keep backups

   • Store private keys securely
   • Keep CSRs for renewals
   • Archive old certificates

5. Use strong encryption

   • 2048-bit RSA minimum
   • Prefer 4096-bit or ECC
   • Remove weak ciphers

6. Naming conventions

   • Use descriptive names: example.com.crt
   • Include dates: example.com-2024.crt
   • Separate staging/production

Certificate Chain Order

When combining certificates, order matters:

1. Server Certificate (your domain)
2. Intermediate Certificate(s)
3. Root Certificate (optional, usually not included)

Example fullchain.pem:

-----BEGIN CERTIFICATE-----
... (example.com certificate)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
... (intermediate CA certificate)
-----END CERTIFICATE-----

Troubleshooting

Issue: “Certificate chain incomplete”

• Solution: Add intermediate certificates

Issue: “Private key doesn’t match certificate”

• Solution: Verify you’re using the correct key that generated the CSR

Issue: “Unable to load certificate”

• Solution: Check file format (PEM vs DER) and encoding

Issue: “Certificate expired”

• Solution: Renew certificate (need original private key or generate new CSR)

Conclusion

Understanding SSL/TLS certificate file formats is essential for successful certificate deployment. Remember:

• .crt/.cer = Certificates (public)
• .key = Private key (keep secret!)
• .pem = Container (can hold anything)
• .pfx/.p12 = Archive (certificate + key)
• .csr = Request (for obtaining certificates)

Use CrtMgr to monitor your certificates, track expiration dates, and download certificates in any format you need!