11.2.8. Storing certificates and keys

When importing/exporting keys and certificates, they can be stored in various file formats. MS supports the use of the PEM, DER, and PKCS12 file formats. The main differences between them are summarized below.

  • PEM: PEM (Privacy Enhanced Mail) is an ASCII text format that can store all parts of the certificate, that is, certificate, certificate signing request (CSR), Certificate Revocation List (CRL), private key (which can be optionally protected with a password). It is not necessary to store all parts in a single file.

    Tip

    If nothing restricts it, it is recommended to use the PEM format.

  • DER: The DER (Distinguished Encoding Rules) format stores any single part of a certificate in a binary file.

  • PKCS12: The PKCS12 (Public Key Cryptography Standards) is a binary file format developed to provide an easy and convenient way to backup or transport certificates. The file always contains a password-encrypted private key and the associated certificate.