Cryptography Tutorials - Herong's Tutorial Notes
Dr. Herong Yang, Version 4.00

Certificate Formats - X.509, DER and PEM

Part:   1  2  3 

Certificate standard and file encodings seem to be confusing. I wrote down some notes about:

  • What is X.509 Certificate Standard?
  • PEM (Privacy Enhanced Mail) Encoding
  • DER (Distinguished Encoding Rules) Encoding
  • "keytool" Exporting Certificates in DER and PEM
  • "OpenSSL" Verifying "keytool" Certificates
  • "OpenSSL" Generating Certificates in DER and PEM
  • "keytool" Viewing "OpenSSL" Certificates
  • "keytool" Importing "OpenSSL" Certificates

X.509 Certificate Standard

X.509 is an international standard for what should be included in a digital certificate. Here is the definition from

A widely used standard for defining digital certificates. X.509 (Version 1) was first issued in 1988 as a part of the ITU X.500 Directory Services standard. When X.509 was revised in 1993, two more fields were added resulting in the Version 2 format. These two additional fields support directory access control. X.509 Version 3 defines the format for certificate extensions used to store additional information regarding the certificate holder and to define certificate usage. Collectively, the term X.509 refers to the latest published version, unless the version number is stated.

X.509 is published as ITU recommendation ITU-T X.509 (formerly CCITT X.509) and ISO/IEC/ITU 9594-8 which defines a standard certificate format for public key certificates and certification validation. With minor differences in dates and titles, these publications provide identical text in the defining of public-key and attribute certificates.

My understanding of X.509 is that a certificate is required to have the following information:

  • Version - X.509 standard version number.
  • Serial Number - A sequence number given to each certificate.
  • Signature Algorithm Identifier - Name of the algorithm used to sign this certificate by the issuer
  • Issuer Name - Name of the issuer.
  • Validity Period - Period during which this certificate is valid.
  • Subject Name - Name of the owner of the public key.
  • Subject Public Key Information - The public key and its related information.

The content structure of a Version 3 X.509 certificate should look like this:

        Version: 3 (0x2)
        Serial Number: 1185572113 (0x46aa6511)
        Signature Algorithm: dsaWithSHA1
        Issuer: C=CA, ST=Herong State, L=Herong City, ... 
            Not Before: Apr 1 21:35:13 2007 GMT
            Not After : Jun 30 21:35:13 2007 GMT
        Subject: C=CA, ST=Herong State, L=Herong City, ... 
        Subject Public Key Info:
            Public Key Algorithm: dsaEncryption
            DSA Public Key:
   Signature Algorithm: dsaWithSHA1

X.509 define how a certificate contents should be written. It does define how certificate contents should be encoded to store in files.

Two commonly used encoding schemas are used to store X.509 certificates in files, DER and PEM, as described in next sections.

PEM (Privacy Enhanced Mail) Encoding

The most commonly used encoding schema for X.509 certificate files is the PEM (Privacy Enhanced Mail) encoding.

Here is the definition of PEM on "Privacy Enhanced Mail (PEM), is an early IETF proposal for securing email using public key cryptography. Although PEM became an IETF proposed standard it was never widely deployed or used.

The full specification of PEM is in RFC 1421. But the idea of PEM encoding on X.509 certificates is very simple:

  • Encode the content with Base64 encoding.
  • Enclose the Base64 encoding output between two lines: "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"

Here is a structural sample of a PEM encoded X.509 certificate:


PEM encoded certificate files are supported by almost all applications. "OpenSSL" and "keytool" support PEM encoded certificate files with no problem. See other sections below for test notes.

(Continued on next part...)

Part:   1  2  3 

Dr. Herong Yang, updated in 2007
Cryptography Tutorials - Herong's Tutorial Notes - Certificate Formats - X.509, DER and PEM