Certificate filename extensions

Common filename extensions for X.509 certificates are

.pem - Privacy Enhanced Mail

Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"

Note that one file may contain several certs, but openssl only parses the first.

View certificate: openssl x509 -text -in cert.pem -noout

.cer, .crt, .der

Usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)

.p7b, .p7c - PKCS#7

SignedData structure without data, just certificate(s) or CRL(s). Used in Cryptographic Message Syntax.

.p12 - PKCS#12

May contain certificate(s) (public) and private keys (password protected)

FIREFOX EXPORTFORMAT

.pfx - PFX

Predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)

PKCS#7 is a standard for signing or encrypting (officially called "enveloping") data. Since the certificate is needed to verify signed data, it is possible to include them in the SignedData structure. A .P7C file is a degenerated SignedData structure, without any data to sign.

PKCS#12 evolved from the personal information exchange (PFX) standard and is used to exchange public and private objects in a single file.

Conversions

From PKCS#12 to PEM
openssl pkcs12 -in keycert.p12 -out keycert.pem -nodes