Monday, March 03, 2008

Summary of X.509 certificate file types

What is the difference between .spc and .cer? .pvk and .pfx?

As part of my ongoing mission to try to understand X509 certificates I wanted to figure out how to copy a test SSL certificate from one PC to another. The problem is makecert.exe generated a .cer file and I needed a .pfx file to import the certificate on the other server.

Use the -pe option with makecert.exe to create and install a certificate with an exportable private key. This should allow you to export the .pfx file from Certificates console.

Otherwise, use cert2spc.exe and pvkimprt.exe to convert the .cer and .pvk created by makecert.exe to a .pfx file:
makecert -pe -n "CN=My Root CA, O=Test, OU=For Testing Only!" -ss my -sr LocalMachine -a sha1 -sky signature -r -sv test.pvk test.cer
cert2spc test.cer test.spc
pvkimprt -pfx test.spc test.pvk
Or use pvk2pfx instead of the above:
pvk2pfx -pvk test.pvk -spc test.cer -pfx test.pfx -po pfx_password_here -f
X.509 File Types:
  • .CER = "DER" encoded binary X.509 Certificate file, e.g. as created by makecert. Contains only the public key.
  • .CRT = base-64 encoded X.509 certificate. (Not the same as a Microsoft standard base-64 .cer file...?)
  • .SPC = Software Publisher's Certificate. PKCS #7 standard that contains X.509 certificates. The cert2spc.exe utility converts a .cer file to .spc. .spc files are used as input to signcode.exe.
  • .PVK = private key file, e.g. as created by makecert.
  • .PFX = Personal Exchange file, contains certs with both the public and private key. PKCS#12 standard, binary DER encoded.
Some Windows certificate tools:
  • makecert.exe
  • pvkimprt.exe
  • cert2spc.exe
  • selfssl.exe
  • pvk2pfx.exe
  • certmgr.exe
See also:
Post a Comment