Description of the different certificate formats

X.509 certificates are always encoded in the Distinguished Encoding Rules (DER) format. This is a binary, machine-readable format.

DER-encoded certificates can, however, also be converted into a text-based format using the BASE64 process so that they can be transmitted in an e-mail body, for example. BASE64 encloses the DER-encoded format, i.e. the certificate is and remains DER-encoded in any case.

In practice, files with different file extensions are used for certificates. The most common ones are briefly described below.

File extensionContent
.theBinary (DER encoded) certificate.
.pemCertificate in text format (BASE64 encoded DER).
.cer, .crtCan be present as DER or as BASE64 encoded DER.
.p7bPKCS#7 container, which can contain multiple certificates that can be both DER or BASE64-encoded DER. Thus, for example, an entire certificate chain can be transmitted within only one file (for example, in the GetCACert operation in SCEP protocol).

This leaves three options for packaging a certificate (DER, BASE64 or PKCS#7). Exactly these three options are also offered by the certificate export dialog.


A DER-encoded certificate is opened with a text editor
A BASE64 wrapped DER encoded certificate is opened with a text editor
The Windows representation of a PKCS#7 certificate chain

Related links:

External sources

One thought on “Beschreibung der verschiedenen Zertifikat-Formate”

Comments are closed.