Appendix A: MIME Types

File Types

When operating a PKI we deal with only a handful of file types:

  1. PKCS#8 private keys

  2. PKCS#10 CSRs

  3. X.509 certificates

  4. X.509 CRLs

  5. PKCS#7 bundles of two or more certificates

  6. PKCS#12 bundles of private key + certificate(s)

MIME Types

The list of MIME types and file extensions however is easily twice as long:

application/pkcs8                   .p8  .key
application/pkcs10                  .p10 .csr
application/pkix-cert               .cer
application/pkix-crl                .crl
application/pkcs7-mime              .p7c

application/x-x509-ca-cert          .crt .der
application/x-x509-user-cert        .crt
application/x-pkcs7-crl             .crl

application/x-pem-file              .pem
application/x-pkcs12                .p12 .pfx

application/x-pkcs7-certificates    .p7b .spc
application/x-pkcs7-certreqresp     .p7r

Where do they come from?

  1. pkcs8 and the .p8 extension are defined in RFC 5958#section-7.1. The .key extension is Apache mod_ssl practice. 1

  2. pkcs10 and the .p10 extension are defined in RFC 5967#section-3.1. The .csr extension is Apache mod_ssl practice.

  3. pkix-cert and the .cer extension are defined in RFC 2585#section-4.1.

  4. pkix-crl and the .crl extension are defined in RFC 2585#section-4.2 as well.

  5. pkcs7-mime and the .p7c extension are defined in RFC 5273#page-3.

  6. x-x509-ca-cert and the .crt extension were introduced by Netscape. File contents are the same as with pkix-cert: a DER encoded X.509 certificate. [RFC 5280#section-4] 2

  7. x-x509-user-cert was also introduced by Netscape. It is used to install certificates into (some) browsers.

  8. x-pkcs7-crl was introduced by Netscape as well. Note that the .crl extension conflicts with pkix-crl. File contents are the same in either case: a DER encoded X.509 CRL. [RFC 5280#section-5] 3

  9. x-pem-file and the .pem extension stem from a predecessor of S/MIME: Privacy Enhanced Mail.

  10. x-pkcs12 and the .p12 extension are used for PKCS#12 files. The .pfx extension is a relic from a predecessor of PKCS#12. It is still used in Microsoft environments (the extension not the format.)

  11. x-pkcs7-certificates as well as the .p7b and .spc extensions were introduced by Microsoft. File contents are the same as with pkcs7-mime: a DER encoded certs-only PKCS#7 bundle. [RFC 2315#section-9.1]

  12. x-pkcs7-certreqresp and the .p7r extension were also introduced by Microsoft. Likely yet another alias for pkcs7-mime.



The presence of a MIME type does not imply the respective files should be published on the Internet. In particular, you will never want to expose files containing private keys (.p8, .p12).


Since OpenSSL defaults to PEM encoding, almost all open-source software uses PEM formatted .crt files locally. See Apache mod_ssl, stunnel, etc.


This is a plain CRL and not PKCS#7 wrapped. The MIME type says ‘pkcs7’ for historical reasons only.