Difference between pem, crt, key files

Asked 31/7, 2020 at 16:2 Answered 8/1, 2023 at 0:27

Solved ssl openssl certificate pkcs#12 jks

134

I'm having problems understanding the difference between files produced by openssl and how to detect them.

For example I'm trying to generate Self-signed cert with private key and generate JKS file from p12 format. I'm googling like a madman but I still don't know how to generate it correctly to be able to use following commands.

openssl pkcs12 -export -in user.pem -inkey user.key -certfile user.pem -out testkeystore.p12
keytool -importkeystore -srckeystore testkeystore.p12 -srcstoretype pkcs12 -destkeystore wso2carbon.jks -deststoretype JKS

Source: https://www.ibm.com/support/pages/how-generate-jks-keystore-existing-private-key

I found a couple of different commands to generate Self-signed cert and private key but I don't know how to map resulting files to the commands above and whats worse I don't understand what those commands do. I mean I see what files they generate and understand that certificate and private key used to sign it ( or maybe the other way around :| ) but what is the difference between those commands and is cert.pem === certificate.crt - Those file extensions are driving me crazy.

openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -keyout privateKey.key -out certificate.crt
openssl req -newkey rsa:2048 -new -nodes -x509 -days 3650 -keyout key.pem -out cert.pem

This is yet another situation where I'm having similar issues with the openssl command. At this point I'm even ready to read some RFC ( I hope it won't come to this :) )

Vibrio answered 31/7, 2020 at 16:2 Comment(1)

Informational note: originally Java by default required JKS-format keystore, and thus there are many websites manuals and other documentation giving advice like the IBM link above, as well as many older As on this and other Stacks. Java versions since 8u60 in 2015 can use PKCS12 files as well as JKS, and the conversion step is no longer necessary. – Heddie 24/12, 2022 at 20:51

189

Those file names represent different parts of the key generation and verification process. Please note that the names are just convention, you could just as easily call the files pepperoni.pizza and the content will be the same, so do be conscious of how you use the filenames.

A brief primer on PKI - Keys come in two halves, a public key and a private key. The public key can be distributed publicly and widely, and you can use it to verify, but not replicate, information generated using the private key. The private key must be kept secret.

.key files are generally the private key, used by the server to encrypt and package data for verification by clients.

.pem files are generally the public key, used by the client to verify and decrypt data sent by servers. PEM files could also be encoded private keys, so check the content if you're not sure.

.p12 files have both halves of the key embedded, so that administrators can easily manage halves of keys.

.cert or .crt files are the signed certificates -- basically the "magic" that allows certain sites to be marked as trustworthy by a third party.

.csr is a certificate signing request, a challenge used by a trusted third party to verify the ownership of a keypair without having direct access to the private key (this is what allows end users, who have no direct knowledge of your website, confident that the certificate is valid). In the self-signed scenario you will use the certificate signing request with your own private key to verify your private key (thus self-signed). Depending on your specific application, this might not be needed. (needed for web servers or RPC servers, but not much else).

A JKS keystore is a native file format for Java to store and manage some or all of the components above, and keep a database of related capabilities that are allowed or rejected for each key.

The commands you list look fine to me, and I don't see a question beyond asking what the different files are for. If you need more information, please enrich your question.

Ezequieleziechiele answered 31/7, 2020 at 16:15 Comment(7)

Thanks for the thorough reply. After running openssl req -x509 ... command I got 2 files that contents begin with -----BEGIN one has PRIVATE KEY and other CERTIFICATE next. On stackoverflow.com/questions/991758/… I found that -----BEGIN means that I'm dealing with PEM format. Does this apply here to both of those files? – Vibrio 31/7, 2020 at 17:3

Yes, PEM format, but by convention, the one that says "PRIVATE KEY" is usually named .key. – Ezequieleziechiele 1/8, 2020 at 3:3

According to this answer, .crt keeps a signed certificate, whereas .csr is the certificate signing request. Also, .pem just indicates that the content (can be a key, certificate, ...) is Base64 encoded. – Dougall 29/4, 2021 at 9:50

.key files are generally the private key, used by the server to encrypt Isn't encryption normallly done by a public key and decryption done by a private key? You're saying the exact opposite here. – Ruching 24/2, 2022 at 4:23

@Ruching PKI is weird in this way. Server encrypts to the public key using the private key for verification. Client uses the public key to encrypt data to the server for privacy. – Ezequieleziechiele 6/3, 2022 at 17:36

The typo that a .crt or .cert contains a CSR, is detracting from this otherwise good answer a lot. That thing is called a "certificate", not a CSR. – Throttle 24/5, 2022 at 8:45

upvoted! stupid question, why doesnt certstrap generate pem files? github.com/square/certstrap – Cryptomeria 26/8, 2022 at 3:55

.key is the private key. This is accessible the key owner and no one else.

.csr is the certificate request. This is a request for a certificate authority to sign the key. (The key itself is not included.)

.crt is the certificate produced by the certificate authority that verifies the authenticity of the key. (The key itself is not included.) This is given to other parties, e.g. HTTPS client.

.pem is a text-based container using base-64 encoding. It could be any of the above files.

-----BEGIN EXAMPLE-----
...
-----END EXAMPLE-----

.p12 is a PKCS12 file, which is a container format usually used to combine the private key and certificate.

There isn't only one extension. For example you may see certificates with either the .crt or a .pem extension.

Ailsa answered 7/2, 2022 at 20:17 Comment(0)

Just to add more info: .der, another (binary) encoding (either public or private key, or csr)

Dyanna answered 8/1, 2023 at 0:27 Comment(0)

Recommended topics

Hot tags