Certificate formats used with Secure Proxy

The following certificate formats are used with Secure Proxy.

PEM

The PEM format is the most common format in which Certificate Authorities issue certificates. PEM files usually have extensions such as .pem, .crt, .cer, and .key. They are Base64-encoded ASCII files and contain "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" statements. Server certificates, intermediate certificates, and private keys can all be put into the PEM format. The PKCS12 format is preferred for exchanging certificates together with their private keys.

DER

The DER format is simply a binary form of a certificate instead of the ASCII PEM format. It sometimes has a file extension of .der, but it often has a file extension of .cer, so the only way to tell the difference between a DER .cer file and a PEM .cer file is to open it in a text editor and look for the BEGIN/END statements. All types of certificates and private keys can be encoded in DER format. DER is typically used for transporting public keys; for private keys, PKCS12 should be preferred.

PKCS#8

This standard describes a syntax for private-key information, including a private key for some public-key algorithm and a set of attributes. The standard also describes a syntax for encrypted private keys. The intention of including a set of attributes is to provide a simple way for a user to establish trust in information such as a distinguished name or a top-level certification authority's public key. PKCS8 embeds the private key type information in EncryptedPrivateKeyInfo, thereby making it possible to support different private key types such as RSA, DSA, and ECDSA, unlike the traditional OpenSSL/SSLeay format, which supports only RSAPrivateKey. PKCS8 should be preferred over the traditional OpenSSL/SSLeay private key format.

Traditional OpenSSL/SSLeay PKCS#5

A "traditional" SSLeay-format encrypted private key carries the algorithm information in the PEM header, and thus cannot be represented in DER format. The traditional format uses a PBKDF for key derivation and then the PKCS #5 password-based encryption specification, with DES or another supported cipher, to protect the data. It supports the RSAPrivateKey type only. So, technically, the traditional OpenSSL/SSLeay format is nothing but PKCS#5 data in PEM format. PKCS8 should be preferred, since it offers better protection and supports diverse private key types such as RSA, DSA, and ECDSA. As a general rule, PKCS12 is the best way to transport and exchange private keys because of the stronger encryption it uses to protect the private key.

PKCS#10

This standard describes a syntax for certification requests. A certification request consists of a distinguished name, a public key, and optionally a set of attributes, collectively signed by the entity requesting certification. Certification requests are sent to a certification authority (CA), which transforms the request into an X.509 public-key certificate or a PKCS #6 extended certificate.

PKCS#12

In cryptography, PKCS #12 defines an archive file format for storing many cryptographic objects in a single file. It is commonly used to bundle a private key with its X.509 certificate or to bundle all the members of a chain of trust. A PKCS #12 file may be encrypted and signed. The internal storage containers, called "SafeBags", may also be encrypted and signed. A few SafeBags are predefined to store certificates, private keys, and CRLs. Another SafeBag is provided to store any other data at the individual implementer's choice. PKCS #12 is one of the family of standards called Public-Key Cryptography Standards (PKCS) published by RSA Laboratories. The filename extension for PKCS #12 files is ".p12" or ".pfx". PKCS#12 is the preferred format for transporting a private key together with its public certificate chain. The underlying password-based encryption method is PKCS #5 v2.1. As a general rule, PKCS12 is the best way to transport and exchange private keys because of the stronger encryption it uses to protect the private key. Since the PKCS#12 format carries binary data, there is no sample suitable for this document.
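The table's distinguishing rules (PEM armour versus a binary DER SEQUENCE, the PEM label naming PKCS#8 versus traditional RSAPrivateKey versus PKCS#10, and the cipher that the traditional format advertises in its PEM header) can be applied mechanically before a file is loaded into Secure Proxy. The script below is an added example, not part of this document or of the product; the sample inputs are constructed stand-ins with the right outer structure, not real keys or certificates, and the DER type hints are heuristics based only on the first element of the outer SEQUENCE.

```python
import base64
import re

# Constructed samples (not real keys or certificates): PEM certificate, traditional
# SSLeay encrypted RSA key, PKCS#8 encrypted key, and DER shaped like PKCS#12 / X.509.
PEM_CERT = b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n"
PEM_TRAD = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
            b"DEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nMIIB\n-----END RSA PRIVATE KEY-----\n")
PEM_PKCS8 = b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIB\n-----END ENCRYPTED PRIVATE KEY-----\n"
DER_PFX = b"\x30\x05\x02\x01\x03\x30\x00"  # SEQUENCE { INTEGER 3, SEQUENCE {} }
DER_CERT = b"\x30\x04\x30\x02\x05\x00"     # SEQUENCE { SEQUENCE { NULL } }

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)
LABELS = {"CERTIFICATE": "PEM X.509 certificate",
          "CERTIFICATE REQUEST": "PEM PKCS#10 certification request",
          "PRIVATE KEY": "PEM PKCS#8 PrivateKeyInfo (unencrypted)",
          "ENCRYPTED PRIVATE KEY": "PEM PKCS#8 EncryptedPrivateKeyInfo",
          "RSA PRIVATE KEY": "PEM traditional OpenSSL/SSLeay RSAPrivateKey"}

def _der_len(buf, i):
    """Decode the DER length at buf[i]; return (length, index of first content byte)."""
    if buf[i] < 0x80:
        return buf[i], i + 1
    n = buf[i] & 0x7F
    return int.from_bytes(buf[i + 1:i + 1 + n], "big"), i + 1 + n

def classify(data):
    """Describe a file's outer format: PEM by its BEGIN/END armour (the text-editor
    check from the table), otherwise one complete DER SEQUENCE whose first element hints at the type."""
    m = PEM_RE.search(data)
    if m:
        body = m.group(2).decode(errors="replace")
        b64 = "".join(l.strip() for l in body.splitlines() if l.strip() and ":" not in l)
        base64.b64decode(b64, validate=True)  # raises binascii.Error on corrupt armour
        desc = LABELS.get(m.group(1).decode(), "PEM " + m.group(1).decode().title())
        dek = re.search(r"^DEK-Info:\s*([^,\r\n]+)", body, re.M)  # cipher named in PEM header
        if dek:  # traditional SSLeay format: PKCS#5 encryption advertised outside the DER
            desc += ", PKCS#5 encrypted with " + dek.group(1)
        return desc
    if data[:1] == b"\x30" and len(data) > 1:
        length, i = _der_len(data, 1)
        if length == len(data) - i:  # outer SEQUENCE must span the whole file
            if data[i:i + 3] == b"\x02\x01\x03":
                return "DER SEQUENCE starting with INTEGER 3: likely PKCS#12 PFX"
            if data[i:i + 1] == b"\x30":
                return "DER SEQUENCE of SEQUENCE: X.509 certificate or PKCS#8 EncryptedPrivateKeyInfo"
            return "DER (binary ASN.1) of undetermined type"
    return "neither PEM armour nor a complete DER SEQUENCE"
```

A truncated or padded DER file fails the whole-file length check and is reported as neither format, which is the usual symptom of a .cer that was mangled in transfer.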