There are two main methods for encoding certificate data.
- DER = Binary encoding for certificate data
- PEM = The base64 encoding of the DER encoded certificate, with a header and footer lines added.
DER: (Distinguished Encoding Rules) is a subset of BER encoding providing for exactly one way to encode an ASN.1 value. DER is intended for situations when a unique encoding is needed, such as in cryptography, and ensures that a data structure that needs to be digitally signed produces a unique serialized representation.
PEM: (Privacy-enhanced Electronic Mail) Simply a US-ASCII by base64 encoded DER certificate, certificate request, or PKCS#7, enclosed between typical PEM delimiters. ie “—–BEGIN CERTIFICATE—–” and “—–END CERTIFICATE—–“. PEM is an abbreviation for Privacy Enhanced Mail (RFC 1421 – RFC 1424), an early standard for securing electronic mail (IRTF, IETF). PEM never has been widely adopted as Internet Mail Standard, but has become a staple standard in x509 pki (also called pkix)
Certificate naming extensions
If you want to learn more about certificate extensions please see my other blog post here: der vs crt vs cer vs pem certificates