Appendix A: MIME Types

File Types

When operating a PKI we deal with only a handful of file types:

  1. PKCS#8 private keys

  2. PKCS#10 CSRs

  3. X.509 certificates

  4. X.509 CRLs

  5. PKCS#7 bundles of one or more certificates

  6. PKCS#12 bundles of private key + one or more certificates

MIME Types

The list of MIME types and file extensions, however, is twice as long:

application/pkcs8                   .p8  .key
application/pkcs10                  .p10 .csr
application/pkix-cert               .cer
application/pkix-crl                .crl
application/pkcs7-mime              .p7c

application/x-x509-ca-cert          .crt
application/x-x509-user-cert        .crt
application/x-pkcs7-crl             .crl

application/x-pem-file              .pem
application/x-pkcs12                .p12 .pfx

application/x-pkcs7-certificates    .p7b .spc
application/x-pkcs7-certreqresp     .p7r

Where do they come from?

  1. pkcs8 and the .p8 extension are defined in RFC 5958#section-7.1. The .key extension is Apache mod_ssl practice. [1]

  2. pkcs10 and the .p10 extension are defined in RFC 5967#section-3.1. The .csr extension is Apache mod_ssl practice.

  3. pkix-cert and the .cer extension are defined in RFC 2585#section-4.1. The X.509 certificate format is defined in RFC 5280#section-4.

  4. pkix-crl and the .crl extension are defined in RFC 2585#section-4.2. The X.509 CRL format is defined in RFC 5280#section-5.

  5. pkcs7-mime and the .p7c extension are defined in RFC 5273#page-3. The PKCS#7 bundle format is defined in RFC 2315#section-9.1.

  6. x-x509-ca-cert and the .crt extension were introduced by Netscape. File contents are the same as with pkix-cert: a DER encoded X.509 certificate. [2]

  7. x-x509-user-cert was also introduced by Netscape. It is used to install certificates into (some) browsers.

  8. x-pkcs7-crl is another Netscape invention. Note that the .crl extension conflicts with pkix-crl. File contents are the same in either case: a DER encoded X.509 CRL. [3]

  9. x-pem-file and the .pem extension stem from a predecessor of S/MIME: Privacy Enhanced Mail.

  10. x-pkcs12 and the .p12 extension are used for PKCS#12 files. The .pfx extension is a relic from a predecessor of PKCS#12. It is still used in Microsoft environments (the extension, not the format).

  11. x-pkcs7-certificates as well as the .p7b and .spc extensions were introduced by Microsoft. File contents are the same as with pkcs7-mime: a DER encoded certs-only PKCS#7 bundle.

  12. x-pkcs7-certreqresp and the .p7r extension were also introduced by Microsoft. It is likely yet another alias for pkcs7-mime.
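
Because extensions such as .crl, .crt and .pem are ambiguous, a publishing script can pick the MIME type from the file contents instead. The following is an added example, not part of the original tutorial: it splits a PEM file into its objects and returns the DER payload of each with the matching type from the table above. The mapping from PEM labels (RFC 7468) to MIME types and all names in the code are assumptions of this example.

```python
import base64
import re

# Assumed mapping: PEM label (RFC 7468) -> MIME type of the DER payload.
LABEL_TO_MIME = {
    "CERTIFICATE": "application/pkix-cert",
    "X509 CRL": "application/pkix-crl",
    "CERTIFICATE REQUEST": "application/pkcs10",
    "PRIVATE KEY": "application/pkcs8",
    "PKCS7": "application/pkcs7-mime",
}
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)

# Constructed sample: SEQUENCE { INTEGER 0 }, not a real CRL or key,
# wrapped twice to mimic a .pem file holding two different objects.
SAMPLE_DER = bytes.fromhex("3003020100")
SAMPLE_PEM = b"".join(
    b"-----BEGIN %s-----\n%s\n-----END %s-----\n"
    % (label, base64.b64encode(SAMPLE_DER), label)
    for label in (b"X509 CRL", b"PRIVATE KEY")
)


def classify(data: bytes):
    """Return a list of (mime_type, der_bytes), one per object in data."""
    blocks = PEM_BLOCK.findall(data)
    if not blocks:
        # Not PEM. Every file type on this page is an ASN.1 SEQUENCE
        # (tag 0x30) in DER, so reject anything that starts differently.
        if data[:1] != b"\x30":
            raise ValueError("neither PEM nor a DER SEQUENCE")
        return [(None, data)]  # bare DER has no label; type comes from context
    out = []
    for label, body in blocks:
        label = label.decode("ascii")
        if label not in LABEL_TO_MIME:
            raise ValueError(f"no MIME type mapped for PEM label {label!r}")
        # validate=True rejects stray characters such as legacy PEM headers.
        der = base64.b64decode(b"".join(body.split()), validate=True)
        if der[:1] != b"\x30":
            raise ValueError(f"{label}: payload is not a DER SEQUENCE")
        out.append((LABEL_TO_MIME[label], der))
    return out


if __name__ == "__main__":
    for mime, der in classify(SAMPLE_PEM):
        print(mime, der.hex())
```

A result containing application/pkcs8 alongside other types signals that the file holds a private key and should not be placed on a public download location.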

Footnotes