241

What is the difference between a cer, pvk, and pfx file? Also, which files do I keep and which am I expected to give to my counter-parties?

Jason
Jonathan Allen
  • Also [[1]](http://security.stackexchange.com/q/29425/2379), [[2]](http://stackoverflow.com/q/2292495/632951), [[3]](http://stackoverflow.com/q/22788384/632951) – Pacerier Nov 19 '16 at 22:10

4 Answers

164

Windows uses .cer extension for an X.509 certificate. These can be in "binary" (ASN.1 DER), or it can be encoded with Base-64 and have a header and footer applied (PEM); Windows will recognize either. To verify the integrity of a certificate, you have to check its signature using the issuer's public key... which is, in turn, another certificate.

Windows uses .pfx for a PKCS #12 file. This file can contain a variety of cryptographic information, including certificates, certificate chains, root authority certificates, and private keys. Its contents can be cryptographically protected (with passwords) to keep private keys private and preserve the integrity of root certificates.

Windows uses .pvk for a private key file. I'm not sure what standard (if any) Windows follows for these. Hopefully they are PKCS #8 encoded keys. Emmanuel Bourg reports that these are a proprietary format. Some documentation is available.

You should never disclose your private key. These are contained in .pfx and .pvk files.

Generally, you only exchange your certificate (.cer) and the certificates of any intermediate issuers (i.e., the certificates of all of your CAs, except the root CA) with other parties.

Peter
erickson
73

Here are my personal, super-condensed notes, as far as this subject pertains to me currently, for anyone who's interested:

  • Both PKCS12 and PEM can store entire cert chains: public keys, private keys, and root (CA) certs.
  • .pfx == .p12 == "PKCS12"
    • fully encrypted
  • .pem == .cer == .cert == "PEM" (or maybe not... could be binary... see comments...)
    • base-64 (string) encoded X509 cert (binary) with a header and footer
      • base-64 is basically just a string of "A-Za-z0-9+/" used to represent 0-63, 6 bits of binary at a time, in sequence, sometimes with 1 or 2 "=" characters at the very end when there are leftovers ("=" being "filler/junk/ignore/throw away" characters)
      • the header and footer is something like "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" or "-----BEGIN ENCRYPTED PRIVATE KEY-----" and "-----END ENCRYPTED PRIVATE KEY-----"
    • Windows recognizes .cer and .cert as cert files
  • .jks == "Java Key Store"
    • just a Java-specific file format which the API uses
      • .p12 and .pfx files can also be used with the JKS API
  • "Trust Stores" contain public, trusted, root (CA) certs, whereas "Identity/Key Stores" contain private, identity certs; file-wise, however, they are the same.
Andrew
  • So where is .pvk defined? – zwcloud Dec 20 '19 at 05:14
  • @zwcloud I gave what I knew at the time. The other answers give that. – Andrew Dec 20 '19 at 18:50
  • `.cer` files are often binary and not base64 coded at all, as noted in the accepted answer. – oligofren Oct 20 '20 at 20:56
  • @oligofren Seems legit, though those don't seem to be PEM's, and at least some of those which are binary are `.der`'s. https://www.ssl.com/guide/pem-der-crt-and-cer-x-509-encodings-and-conversions – Andrew Oct 21 '20 at 21:36
  • Please note: For Java 9+, the default Java Key Store format is now PKCS#12, which means OpenSSL plays nice with it. – kevinarpe Jan 06 '23 at 12:09
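As an added, stand-alone example (not code from either answer above), the following Python script turns the points made in the accepted answer and in the notes above into a check you can run on a file's bytes: it tells PEM from DER by the `-----BEGIN` envelope versus the leading ASN.1 SEQUENCE byte, validates that a PEM body is base64 alphabet plus `=` padding, recognises a `.pvk` by the magic number OpenSSL's `pvkfmt.c` uses for that format, and reports whether the file carries private-key material (keep it) or only certificates (the part you hand to a counter-party). It goes a little beyond the answers in classifying DER by the first element inside the outer SEQUENCE: a certificate starts with a nested SEQUENCE, a PKCS #12 file with `INTEGER 3` (its version), a PKCS #8 or PKCS #1 key with `INTEGER 0`; that is a heuristic, not a full parser. The function names (`classify`, `pem_encode`, `pem_decode`, `der_kind`) are this example's own, and the byte strings are constructed minimal ASN.1 structures, not real certificates or keys.

```python
import base64
import re

# Magic number at the start of a Microsoft .pvk file, as defined by OpenSSL's
# crypto/pem/pvkfmt.c (MS_PVKMAGIC 0xb0b5f11e, stored little-endian on disk).
PVK_MAGIC = (0xB0B5F11E).to_bytes(4, "little")

# Constructed samples: minimal valid DER structures standing in for real files.
# They are NOT real certificates or keys, only enough structure for the checks below.
CERT_DER = b"\x30\x05\x30\x03\x02\x01\x05"  # SEQUENCE { SEQUENCE { INTEGER 5 } }  (certificate-shaped)
PFX_DER = b"\x30\x03\x02\x01\x03"           # SEQUENCE { INTEGER 3 }               (PKCS #12 version 3)
KEY_DER = b"\x30\x03\x02\x01\x00"           # SEQUENCE { INTEGER 0 }               (PKCS #8 / PKCS #1 version 0)
PVK_SAMPLE = PVK_MAGIC + b"\x00" * 20       # PVK magic followed by zeroed header fields (constructed)


def pem_encode(label: str, der: bytes) -> str:
    """Wrap DER bytes in a PEM envelope: base64 body in 64-character lines between BEGIN/END lines."""
    body = base64.b64encode(der).decode("ascii")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END ([A-Z0-9 ]+)-----", re.S)
_B64_BODY = re.compile(r"[A-Za-z0-9+/]*={0,2}")


def pem_decode(text: str) -> list:
    """Return [(label, der_bytes), ...] for every PEM block, rejecting mismatched labels or bad base64."""
    blocks = []
    for match in _PEM_BLOCK.finditer(text):
        begin, body, end = match.group(1), match.group(2), match.group(3)
        if begin != end:
            raise ValueError(f"mismatched PEM labels: BEGIN {begin} / END {end}")
        b64 = "".join(body.split())  # line breaks inside the body are layout only
        # Body must be the base64 alphabet, optional '=' padding, and a multiple of 4 characters.
        if not _B64_BODY.fullmatch(b64) or len(b64) % 4:
            raise ValueError(f"invalid base64 body in {begin} block")
        blocks.append((begin, base64.b64decode(b64, validate=True)))
    return blocks


def _read_tlv(buf: bytes, off: int = 0):
    """Parse one DER tag-length-value at buf[off:]; returns (tag, value_start, value_end)."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER structure")
    tag, first = buf[off], buf[off + 1]
    if first < 0x80:                      # short-form length
        length, start = first, off + 2
    else:                                 # long-form length: 0x8N followed by N length bytes
        n = first & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length, start = int.from_bytes(buf[off + 2:off + 2 + n], "big"), off + 2 + n
    end = start + length
    if end > len(buf):
        raise ValueError("truncated DER structure")
    return tag, start, end


def der_kind(data: bytes) -> str:
    """Heuristic: classify a DER blob by the first element inside its outer SEQUENCE."""
    tag, start, end = _read_tlv(data)
    if tag != 0x30 or start == end:
        return "unrecognized DER structure"
    inner_tag, istart, iend = _read_tlv(data, start)
    if inner_tag == 0x30:                 # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "certificate-like"
    if inner_tag == 0x02:                 # a leading INTEGER is a version field
        version = int.from_bytes(data[istart:iend], "big")
        if version == 3:                  # PFX ::= SEQUENCE { version INTEGER {v3(3)}, ... }
            return "PKCS #12 (PFX) container"
        if version == 0:                  # PrivateKeyInfo and RSAPrivateKey both start with version 0
            return "private key (PKCS #8 or PKCS #1)"
    return "unrecognized DER structure"


def classify(data: bytes) -> dict:
    """Report encoding, content kinds, whether private material is present, and whether it may be shared."""
    info = {"encoding": "unknown", "kinds": [], "has_private_key": False}
    if data.startswith(PVK_MAGIC):
        info.update(encoding="PVK", kinds=["PVK private key"], has_private_key=True)
    elif b"-----BEGIN " in data:
        blocks = pem_decode(data.decode("ascii"))
        info["encoding"] = "PEM"
        info["kinds"] = [label for label, _ in blocks]
        info["has_private_key"] = any("PRIVATE KEY" in label for label in info["kinds"])
    elif data[:1] == b"\x30":
        kind = der_kind(data)
        info["encoding"] = "DER"
        info["kinds"] = [kind]
        # A PKCS #12 file is treated as holding a key: its contents are password-protected, so assume it does.
        info["has_private_key"] = kind.startswith(("PKCS #12", "private key"))
    # Only a file made purely of certificates is something you hand to a counter-party.
    info["safe_to_share"] = bool(info["kinds"]) and not info["has_private_key"] and all(
        k in ("CERTIFICATE", "certificate-like") for k in info["kinds"])
    return info


if __name__ == "__main__":
    bundle = (pem_encode("CERTIFICATE", CERT_DER) + pem_encode("PRIVATE KEY", KEY_DER)).encode()
    samples = [("cert.cer (DER)", CERT_DER), ("cert.cer (PEM)", pem_encode("CERTIFICATE", CERT_DER).encode()),
               ("bundle.pem", bundle), ("id.pfx", PFX_DER), ("key.pvk", PVK_SAMPLE)]
    for name, blob in samples:
        print(f"{name:16} -> {classify(blob)}")
```

Run it on a real file with `classify(open(path, "rb").read())`; the `safe_to_share` flag is the answer to the second half of the question, and the `kinds` list shows why, e.g. a `.pem` bundle that quietly carries a `PRIVATE KEY` block next to the certificate.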
70

On the Windows platform, these file types are used for certificate information. They are normally used for SSL certificates and Public Key Infrastructure (X.509).

  • CER files: A CER file is used to store an X.509 certificate. It is normally used for SSL certification to verify and identify web server security. The file contains information about the certificate owner and the public key. A CER file can be in binary (ASN.1 DER) or encoded with Base-64 with header and footer included (PEM); Windows will recognize either of these layouts.
  • PVK files: Stands for Private Key. Windows uses PVK files to store private keys for code signing in various Microsoft products. PVK is a proprietary format.
  • PFX files: Personal Exchange Format, a PKCS12 file. This contains a variety of cryptographic information, such as certificates, root authority certificates, certificate chains and private keys. It's cryptographically protected with passwords to keep private keys private and preserve the integrity of the root certificates. The PFX file is also used in various Microsoft products, such as IIS.

For more information visit: Certificate Files: .Cer x .Pvk x .Pfx

rahul_pratap
17

I actually came across something like this not too long ago... check it out over on msdn (see the first answer)

In summary:

.cer - certificate stored in the X.509 standard format. This certificate contains information about the certificate's owner... along with public and private keys.

.pvk - files are used to store private keys for code signing. You can also create a certificate based on .pvk private key file.

.pfx - stands for personal exchange format. It is used to exchange public and private objects in a single file. A pfx file can be created from .cer file. Can also be used to create a Software Publisher Certificate.

I summarized the info from the page based on the suggestion from the comments.

Ryan Ferretti
  • I would recommend quoting or summarizing the linked content in addition to the link itself. That way you both give proper credit and protect us from losing the information the next time MS redesigns their site. – Jonathan Allen Feb 18 '10 at 22:06
  • I've seen that link, but it doesn't fully answer the question. – Jonathan Allen Feb 18 '10 at 22:08
  • Also, some of the information in the link is wrong. For example, you can't extract a private key from a certificate. Obviously. – erickson Feb 18 '10 at 22:08
  • To the comment above, it is not about extraction. It just does not make sense to have private keys in .cer files. A .cer file is supposed to be shared with the outside world, so it carries only the public key. – Rajiv Feb 17 '17 at 16:07