What are certificate formats and what is the difference between them?

There is a multitude of server and device types out there. Ones that allow an SSL to be installed and configured require the digital certificate file to be encoded and formatted in a certain way. All you need to know is that there are several file extension types and encoding formats. Plus, to successfully install an SSL on your server, you will need to know which type exactly your server or device requires. In some cases, the server can accept different certificate formats, and they can be interchangeable. In other cases, however, a particular file type and encoding are required. This article is more of a hands-on guide on how to handle the certificate files received in an SSLs.com order. For an in-depth approach to this topic, feel free to check the X.509 article on Wikipedia and the comprehensive definition of X.509 certificate and CRL in a Request for Comments (RFC) publication by Internet Engineering Task Force (IETF).

Once you’ve got your certificate files, seeing your file extension will allow you to know what’s in the file, and which file fits best your needs.

*.pem, *.crt, *.ca-bundle, *.cer, *.p7b, *.p7s files contain one or more X.509 digital certificate files that use base64 (ASCII) encoding. You get one of those in a zip file downloaded from your user account, or receive such file from the Certificate Authority.

You may also encounter *.pfx files. This is an archive file format for storing several cryptographic objects in a single file. In the scope of SSL certificates for SSL/TLS client and SSL/TLS webserver authentication (the ones we offer), a .pfx file must contain the end-entity certificate (issued to your domain), a matching private key, and may optionally include an intermediate certification authority (a.k.a. CA Bundle). All this is wrapped up in a single file which is then protected with a pfx password. We can’t possibly provide you with a ready .pfx file, since it has a private key as the second essential element. Private key must be kept secret and is something that you generate alongside with the certificate signing request (CSR) by using available server tools, asking your webhost to generate it for you, or using an online CSR + private key generation tool.

When ordering a certificate on SSLs.com, there are two ways you can get your certificate files.

Option #1: take the cert files from the order fulfillment email sent by the Certificate Authority. Such email is sent to the administrative email address once the validation requirements are met and the certificate is issued. The file type and encoding format of the certificate files depend on the webserver type chosen by the user in the course of SSL activation.


If "I'm installing on a Windows server or Java Tomcat server" was chosen,

you should receive a file with .cer, .p7s or .p7b file extension. Those should be equally accepted by a server designed to use such certificate files. The file extension may vary between different certificate issuer companies.


Those have PKCS #7 file type, and are mostly used in Windows or Java-based server environments (e.g. Internet Information Server (IIS), MS Exchange server, Java Tomcat, etc). PKCS #7 certificate file includes the end-entity certificate (the one issued to your domain name), plus one or more trusted intermediate certification authority files.


(file with -----BEGIN PKCS7---- line on top means that it’s a PKCS7 security certificate file)


If "Any other server (ex. Apache)" was selected during SSL activation, the Certificate Authority’s email should contain files with .crt and .ca-bundle file extensions.

Those are PEM encoded, x509 certificates.



(-----BEGIN CERTIFICATE---- header starts a PEM encoded certificate)


Option #2 to get your certificate files is to download the cert files zip archive right to your SSLs.com account.

For that, you will need to click on the ID of the certificate when it’s showing "Active" (meaning the cert is issued)...


...and on the next page, hit the "Download" button in the top right corner.


This way you will have a zip archive with all the necessary certificate files in it.


The range of cert file types available in the zip is most likely to be enough. However, if your server requires .DER (binary) encoded certificate file or something else, you can use our online SSL certificate converter or consult your hosting provider.

Once you have defined the type of cert files the server was designed to accept, and you managed to get them, you can proceed with installing these files on your server and making further configurations.

For instructions on SSL installation for different server types, feel free to browse our Knowledgebase section dedicated to “SSL Installation instructions”.

Powered by Zendesk