Appendix A: MIME Types

File Types

When operating a PKI we deal with only a handful of file types:

1. PKCS#8 private keys

2. PKCS#10 CSRs

3. X.509 certificates

4. X.509 CRLs

5. PKCS#7 bundles of one or more certificates

6. PKCS#12 bundles of private key + one or more certificates

MIME Types

The list of MIME types and file extensions however is twice as long:

application/pkcs8                   .p8  .key
application/pkcs10                  .p10 .csr
application/pkix-cert               .cer
application/pkix-crl                .crl
application/pkcs7-mime              .p7c

application/x-x509-ca-cert          .crt
application/x-x509-user-cert        .crt
application/x-pkcs7-crl             .crl

application/x-pem-file              .pem
application/x-pkcs12                .p12 .pfx

application/x-pkcs7-certificates    .p7b .spc
application/x-pkcs7-certreqresp     .p7r

Where do they come from?

1. pkcs8 and the .p8 extension are defined in RFC 5958#section-7.1. The .key extension is Apache mod_ssl practice. [1]

2. pkcs10 and the .p10 extension are defined in RFC 5967#section-3.1. The .csr extension is Apache mod_ssl practice.

3. pkix-cert and the .cer extension are defined in RFC 2585#section-4.1. The X.509 certificate format is defined in RFC 5280#section-4.

4. pkix-crl and the .crl extension are defined in RFC 2585#section-4.2. The X.509 CRL format is defined in RFC 5280#section-5.

5. pkcs7-mime and the .p7c extension are defined in RFC 5273#page-3. The PKCS#7 bundle format is defined in RFC 2315#section-9.1.

6. x-x509-ca-cert and the .crt extension were introduced by Netscape. File contents are the same as with pkix-cert: a DER encoded X.509 certificate. [2]

7. x-x509-user-cert was also introduced by Netscape. It is used to install certificates into (some) browsers.

8. x-pkcs7-crl is another Netscape invention. Note that the .crl extension conflicts with pkix-crl. File contents are the same in either case: a DER encoded X.509 CRL. [3]

9. x-pem-file and the .pem extension stem from a predecessor of S/MIME: Privacy Enhanced Mail.

10. x-pkcs12 and the .p12 extension are used for PKCS#12 files. The .pfx extension is a relic from a predecessor of PKCS#12. It is still used in Microsoft environments (the extension not the format.)

11. x-pkcs7-certificates as well as the .p7b and .spc extensions were introduced by Microsoft. File contents are the same as with pkcs7-mime: a DER encoded certs-only PKCS#7 bundle.

12. x-pkcs7-certreqresp and the .p7r extension were also introduced by Microsoft. Likely yet another alias for pkcs7-mime.

Footnotes

[1]

The presence of a MIME type does not imply the respective files should be published on the Internet. In particular, you will never want to expose files containing private keys (.p8, .p12).

[2]

Since OpenSSL defaults to PEM encoding, almost all open-source software uses PEM formatted .crt files locally. See Apache mod_ssl, stunnel, etc.

[3]

This is a plain CRL and not PKCS#7 wrapped. The MIME type says ‘pkcs7’ for historical reasons only.