What are the differences between .pem, .cer and .der?

.pem, .cer and .der are all file extensions for files that may contain an X.509 v3 certificate.

The .der extension

DER is the method of encoding the data that makes up the certificate. DER itself could represent any kind of data, but usually it describes an encoded certificate or a CMS container.

The structure of a certificate is described using the ASN.1 data representation language. BER and DER are binary encoding methods for data described by ASN.1.

The .pem extension

PEM is a method of encoding binary data as a string (ASCII armor). It contains a header and a footer line (specifying the type of data that is encoded and showing begin/end if the data is chained together) and the data in the middle is the base 64 data. In the case that it encodes a certificate it would simply contain the base 64 encoding of the DER certificate. PEM stands for Privacy Enhanced Mail; mail cannot contain un-encoded binary values such as DER directly.

PEM may also encode / protect other kinds of data that is related to certificates such as public / private keys, certificate requests, etc. If the contents are a common X509v3 certificate then the PEM is encoded as:

-----BEGIN CERTIFICATE-----
... base 64 encoding of the DER encoded certificate
    with line endings and padding with equals signs ...
-----END CERTIFICATE-----

Note that a PEM file may also contain a complete certificate chain, where the chain starts with the leaf / end certificate of the service, followed by the certificate that signed it, usually up to but not including the trusted root certificate. So if you're missing certificates you may want to take a look behind the first one.

The .cer or .crt extension

.cer just stands for certificate. It is normally DER encoded data, but Windows may also accept PEM encoded data. You need to take a look at the content (e.g. using the file utility on posix systems) to see what is within the file to be 100% sure.
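
Added example, not code from the original answer: a small stdlib-only Python script that does what the text recommends, that is, decide PEM vs DER from the content rather than from the extension, split a PEM file into its blocks so a chain can be inspected behind the first certificate, and check that a DER blob's declared SEQUENCE length matches the file. The payloads are constructed toy ASN.1 SEQUENCEs labelled CERTIFICATE for illustration; they are not real X.509 certificates.

```python
"""Tell PEM from DER by content and split a PEM chain into DER blobs.

Added example for this page; it is not code from the original answer.
The sample payloads are constructed toy ASN.1 SEQUENCEs standing in for
certificates, so nothing here depends on a real X.509 file.
"""
import base64
import re
from typing import List, Tuple

# One PEM block: the label after BEGIN/END names the kind of DER payload.
_PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL
)


def der_total_length(data: bytes) -> int:
    """Total size (identifier + length octets + content) of the first DER value.

    Handles the short form (one length byte < 0x80) and the definite long form
    (0x80 | n, then n big-endian length bytes). The indefinite form 0x80 is BER
    only and is rejected, as DER requires.
    """
    if len(data) < 2:
        raise ValueError("too short for a DER header")
    first = data[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(data) < 2 + n:
        raise ValueError("invalid DER length octets")
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def sniff_format(data: bytes) -> str:
    """Classify by content, the way the file(1) utility would, not by extension.

    A blob only counts as DER when it begins with the SEQUENCE tag 0x30 and its
    declared length matches the blob exactly, which also catches truncated or
    padded files.
    """
    if b"-----BEGIN " in data:
        return "PEM"
    if data[:1] == b"\x30":
        try:
            if der_total_length(data) == len(data):
                return "DER"
        except ValueError:
            pass
    return "unknown"


def split_pem(text: str) -> List[Tuple[str, bytes]]:
    """Return (label, der_bytes) for each PEM block in file order.

    For a chain file this yields the leaf first and its issuers after it,
    which is where the "missing" intermediate certificates usually are.
    """
    blocks = []
    for m in _PEM_BLOCK.finditer(text):
        label, body = m.group(1), re.sub(r"\s+", "", m.group(2))
        blocks.append((label, base64.b64decode(body, validate=True)))
    return blocks


def to_pem(label: str, der: bytes) -> str:
    """Wrap DER in PEM armor with the customary 64-column base64 lines."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def toy_der_sequence(serial: int) -> bytes:
    """Constructed sample: SEQUENCE { INTEGER serial, UTF8String "toy" }.

    This is NOT a certificate; it just gives the parsers a valid DER payload.
    """
    content = b"\x02\x01" + bytes([serial]) + b"\x0c\x03toy"
    return b"\x30" + bytes([len(content)]) + content


# Constructed two-block "chain": leaf first, then the block that would sign it.
SAMPLE_CHAIN_PEM = to_pem("CERTIFICATE", toy_der_sequence(1)) + to_pem(
    "CERTIFICATE", toy_der_sequence(2)
)

if __name__ == "__main__":
    for label, der in split_pem(SAMPLE_CHAIN_PEM):
        print(label, der.hex(), sniff_format(der))
    print(sniff_format(SAMPLE_CHAIN_PEM.encode("ascii")))   # PEM
    print(sniff_format(toy_der_sequence(1)[:-1]))           # unknown (truncated)
```

Pointing split_pem at a real chain file and feeding each DER blob to sniff_format is a quick way to confirm that every block is complete and that the intermediates are actually present behind the leaf.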

Other OpenSSL formats

Take a look at this answer for a more extensive list of what is supported by OpenSSL.


To use the public key contained in the certificate (and signed by the signature in the certificate) you should use any library that parses X.509 certificates and performs RSA encryption. You could use a tool that detects/handles PEM encoding or you could first convert the certificate to DER by stripping off the PEM encoding.

The OpenSSL command line contains lots of options to convert between PEM and DER, print out high level certificate information or parse the ASN.1 to get a low level view of what is in there.

Details

Like most ASN.1 structures, a DER encoded certificate always starts off with a byte 30 which is the tag encoding of an ASN.1 SEQUENCE. If you're seeing a lot of repetition in the file then this is OK; it is just the structure that is strictly defined.

Likewise, the base 64 within a PEM encoded file always starts off with the letter M as an ASN.1 SEQUENCE starts off with a byte 30, so the first 6 bits are 001100, which translates to the number 12, which is the index of the letter M, the thirteenth letter of the alphabet.
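
The derivation above carried through in code, as an added example that is not part of the original answer: it splits the identifier octet 30 into the ASN.1 class, constructed flag and tag number, derives the first base64 character from the top six bits of the first byte, and goes one step beyond the text by listing every first byte that would also produce an M (30 through 33), which is why the second hex digit is what actually pins the value down to SEQUENCE. Only the standard library is used.

```python
"""Why the base64 body of any DER SEQUENCE starts with the letter M.

Added example for this page, not code from the original answer. It splits the
identifier octet 0x30 into its ASN.1 fields and derives the first base64
character from the top six bits of the first encoded byte.
"""
import base64

B64_ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
TAG_CLASSES = ("universal", "application", "context-specific", "private")


def decode_identifier(octet: int) -> dict:
    """Split a one-byte BER/DER identifier into class, constructed flag and tag number.

    0x30 = 0b0011_0000: class universal (bits 8-7 = 00), constructed (bit 6 = 1),
    tag number 16 (bits 5-1), which is SEQUENCE. 0x31 differs only in the tag
    number (17 = SET).
    """
    return {
        "class": TAG_CLASSES[octet >> 6],
        "constructed": bool(octet & 0x20),
        "number": octet & 0x1F,
    }


def first_base64_char(first_byte: int) -> str:
    """Base64 emits one character per 6 input bits, so the first output
    character is fixed by the top 6 bits of the first byte alone:
    0x30 >> 2 == 12, and index 12 of the alphabet is M."""
    return B64_ALPHABET[first_byte >> 2]


def pem_body_first_char(der: bytes) -> str:
    """Same derivation, cross-checked against the stdlib encoder."""
    return base64.b64encode(der)[:1].decode("ascii")


def bytes_sharing_first_char(char: str) -> list:
    """All first bytes whose PEM body would begin with *char*.

    For "M" that is 0x30..0x33, i.e. every byte whose top six bits are 001100.
    A PEM body starting with M therefore only says "constructed universal tag
    16 to 19"; decoding the full byte is what confirms SEQUENCE.
    """
    index = B64_ALPHABET.index(char)
    return [b for b in range(256) if b >> 2 == index]


if __name__ == "__main__":
    print(decode_identifier(0x30))                      # universal, constructed, 16
    print(first_base64_char(0x30))                      # M
    print(pem_body_first_char(b"\x30\x03\x02\x01\x01")) # M (constructed sample DER)
    print([hex(b) for b in bytes_sharing_first_char("M")])
```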