Appendix A: MIME Types

File Types

When operating a PKI we deal with only a handful of file types:

  1. PKCS#8 private keys
  2. PKCS#10 CSRs
  3. X.509 certificates
  4. X.509 CRLs
  5. PKCS#7 bundles of two or more certificates
  6. PKCS#12 bundles of private key + certificate(s)

MIME Types

The list of MIME types and file extensions however is easily twice as long:

application/pkcs8                   .p8  .key
application/pkcs10                  .p10 .csr
application/pkix-cert               .cer
application/pkix-crl                .crl
application/pkcs7-mime              .p7c

application/x-x509-ca-cert          .crt .der
application/x-x509-user-cert        .crt
application/x-pkcs7-crl             .crl

application/x-pem-file              .pem
application/x-pkcs12                .p12 .pfx

application/x-pkcs7-certificates    .p7b .spc
application/x-pkcs7-certreqresp     .p7r

Where do they come from?

  1. pkcs8 and the .p8 extension are defined in RFC 5958#section-7.1. The .key extension is Apache mod_ssl practice. [1]
  2. pkcs10 and the .p10 extension are defined in RFC 5967#section-3.1. The .csr extension is Apache mod_ssl practice.
  3. pkix-cert and the .cer extension are defined in RFC 2585#section-4.1.
  4. pkix-crl and the .crl extension are defined in RFC 2585#section-4.2 as well.
  5. pkcs7-mime and the .p7c extension are defined in RFC 5273#page-3.
  6. x-x509-ca-cert and the .crt extension were introduced by Netscape. File contents are the same as with pkix-cert: a DER encoded X.509 certificate. [RFC 5280#section-4] [2]
  7. x-x509-user-cert was also introduced by Netscape. It is used to install certificates into (some) browsers.
  8. x-pkcs7-crl was introduced by Netscape as well. Note that the .crl extension conflicts with pkix-crl. File contents are the same in either case: a DER encoded X.509 CRL. [RFC 5280#section-5] [3]
  9. x-pem-file and the .pem extension stem from a predecessor of S/MIME: Privacy Enhanced Mail.
  10. x-pkcs12 and the .p12 extension are used for PKCS#12 files. The .pfx extension is a relic from a predecessor of PKCS#12. It is still used in Microsoft environments (the extension not the format.)
  11. x-pkcs7-certificates as well as the .p7b and .spc extensions were introduced by Microsoft. File contents are the same as with pkcs7-mime: a DER encoded certs-only PKCS#7 bundle. [RFC 2315#section-9.1]
  12. x-pkcs7-certreqresp and the .p7r extension were also introduced by Microsoft. Likely yet another alias for pkcs7-mime.


[1]The presence of a MIME type does not imply the respective files should be published on the Internet. In particular, you will never want to expose files containing private keys (.p8, .p12).
[2]Since OpenSSL defaults to PEM encoding, almost all open-source software uses PEM formatted .crt files locally. See Apache mod_ssl, stunnel, etc.
[3]This is a plain CRL and not PKCS#7 wrapped. The MIME type says ‘pkcs7’ for historical reasons only.