When using the Vault PKI Secret Engine, a Vault admin or user may encounter multiple file extensions throughout the process. Here is a quick overview of the differences between the .pem, .key, .csr / .req, and .crt / .cer file extensions:
.pem stands for PEM, Privacy Enhanced Mail; it simply indicates a base64 encoding with header and footer lines. PEM files are used to store SSL certificates and their associated private keys. Multiple certificates are in the full SSL chain, and they work in this order:

- The end-user certificate, which is assigned to your domain name by a certificate authority (CA). This is the file you use in nginx and Apache to encrypt HTTPS.
- Up to four optional intermediate certificates, given to smaller certificate authorities by higher authorities.
- The root certificate, the highest certificate on the chain, which is self-signed by the primary CA.
.key is usually the private key. OpenSSL can wrap private keys for all algorithms (RSA, DSA, EC) in a generic and standard PKCS#8 structure, but it also supports a separate 'legacy' structure for each algorithm. Both are still widely used even though the documentation has marked PKCS#8 as superior for almost 20 years; both can be stored as DER (binary) or PEM encoded, and both PEM and PKCS#8 DER can protect the key with password-based encryption or be left unencrypted.
.csr or .req stands for Certificate Signing Request as defined in PKCS#10. It contains information such as the public key and common name required by a Certificate Authority to create and sign a certificate for the requester. The encoding could be PEM or DER (which is a binary encoding of an ASN.1 specified structure).
.crt or .cer stands for certificate, usually an X.509v3 certificate; again, the encoding could be PEM or DER. A certificate contains the public key, but it contains much more information (most importantly the signature by the Certificate Authority over the data and public key, of course).