Difference between pem, crt, key files

Question

I'm having problems understanding the difference between files produced by openssl and how to detect them.

For example I'm trying to generate Self-signed cert with private key and generate JKS file from p12 format. I'm googling like a madman but I still don't know how to generate it correctly to be able to use following commands.

openssl pkcs12 -export -in user.pem -inkey user.key -certfile user.pem -out testkeystore.p12
keytool -importkeystore -srckeystore testkeystore.p12 -srcstoretype pkcs12 -destkeystore wso2carbon.jks -deststoretype JKS

Source: https://www.ibm.com/support/pages/how-generate-jks-keystore-existing-private-key

I found a couple of different commands to generate Self-signed cert and private key but I don't know how to map resulting files to the commands above and whats worse I don't understand what those commands do. I mean I see what files they generate and understand that certificate and private key used to sign it ( or maybe the other way around :| ) but what is the difference between those commands and is cert.pem === certificate.crt - Those file extensions are driving me crazy.

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

This is yet another situation where I'm having similar issues with the openssl command. At this point I'm even ready to read some RFC ( I hope it won't come to this :) )

Thanks in advance for help

Answer 1

Those file names represent different parts of the key generation and verification process. Please note that the names are just convention, you could just as easily call the files pepperoni.pizza and the content will be the same, so do be conscious of how you use the filenames.

A brief primer on PKI - Keys come in two halves, a public key and a private key. The public key can be distributed publicly and widely, and you can use it to verify, but not replicate, information generated using the private key. The private key must be kept secret.

.key files are generally the private key, used by the server to encrypt and package data for verification by clients.

.pem files are generally the public key, used by the client to verify and decrypt data sent by servers.

.p12 files have both halves of the key embedded, so that administrators can easily manage halves of keys.

.cert or .crt files are certificate signing requests, used by a trusted third party to verify the ownership of a keypair without having direct access to the private key (this is what allows end users, who have no direct knowledge of your website, confident that the certificate is valid). In the self-signed scenario you will use the certificate signing request with your own private key to verify your private key (thus self-signed). Depending on your spefic application, this might not be needed. (needed for web servers or RPC servers, but not much else).

A JKS keystore is a native file format for Java to store and manage some or all of the components above, and keep a database of related capabilities that are allowed or rejected for each key.

The commands you list look fine to me, and I don't see a question beyond asking what the different files are for. If you need more information, please enrich your question.