Basics of SSL Certificate Extensions

One of the challenges of working in the IT industry is that you cannot always look at something and know exactly what it does or what it encompasses. This is certainly true of files, since the extension on a file can sometimes be the same whether an SSL certificate is present or not.

Depending on the type of server you are using and the format the certificate was issued in, the SSL certificate extension can differ. It may be necessary to use an SSL (Secure Sockets Layer) converter to change the format to match a particular server. At Comodo, we offer converter tools that are simple and easy to use regardless of the format.

The reason it is important to have different SSL certificate extension formats is because of the types of encoding or encryption as well as the types of information contained in the files. Different options in formats will either contain the private key along with other information or the private key can be in a separate file.

Either option is still secure and provides the level of protection needed for data; it is merely a factor of different server requirements.

The Starting Point

To start the process of obtaining any type of SSL certificate, including the free 90-day certificates offered by Comodo, the first step is always to generate a CSR. The CSR is the Certificate Signing Request. It is generated by the server where the SSL file will be installed.

The extension for the CSR will be .csr. This is an encrypted block of text that on an IIS system will begin with the string -----BEGIN NEW CERTIFICATE REQUEST----- and end with -----END NEW CERTIFICATE REQUEST-----.

This entire block of encrypted text has to be copied and pasted into the application form for the Certificate Authority or CA. We make this process very easy with a simple application for our Comodo SSL and Wildcard SSL as well as with our free certificate. Within minutes after providing this information, you will receive the necessary files for the installation.

Since the EV SSL requires more specific types of validation and verification there are additional documentation requirements. We still complete these very quickly, allowing you to offer a secure website often in just a few hours.

The Extensions

One of the most common SSL certificate extension designations seen with many servers, including Windows servers, is the Base64-encoded X.509. This will be designated with a .cer or .crt extension. This type of format will not store the private key or the certification path.

DER or Distinguished Encoding Rules format can include three different possible SSL certificate extension options. This includes .cer, .der or .crt. This is for the storage of a single certificate only.

Another option is the PKCS#7 format. This designation is the Cryptographic Message Syntax Standard and will include .p7b, .p7r or the extension of .spc. This is often the format used for chained SSL certificates and it also doesn't store the private key.

Personal Information Exchange Format or PKCS#12 will have the designation of .pfx or .p12. This type of format is unique in that it is the only option in an IIS server that can store the public key and the private key as well as the SSL data. This type of format requires a password to fully protect the private key.
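
Because the same extension (.cer, .crt) can hold Base64 text or binary DER, a deployment check can read the file's first bytes instead of trusting its name. The sketch below is an added example, not Comodo's converter or code from the original article; the function names (classify, _tlv) and the sample byte strings are constructed for illustration, and it inspects only the outermost ASN.1 tags as a heuristic rather than validating the file.

```python
import re

PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value_start, value_end) or None."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                        # short-form length
        start, length = pos + 2, first
    else:                                   # long form: next n bytes hold the length
        n = first & 0x7F
        if not 1 <= n <= 4 or pos + 2 + n > len(buf):
            return None
        start = pos + 2 + n
        length = int.from_bytes(buf[pos + 2:start], "big")
    end = start + length
    return (tag, start, end) if end <= len(buf) else None

def classify(data):
    """Return (encoding, contents, holds_private_key) from file bytes, ignoring the extension."""
    labels = [m.decode() for m in PEM_RE.findall(data)]
    if labels:                              # Base64 text between BEGIN/END markers
        return ("PEM", labels, any(l.endswith("PRIVATE KEY") for l in labels))
    outer = _tlv(data, 0)
    first = _tlv(data, outer[1]) if outer and outer[0] == 0x30 else None
    if first is None:                       # not an ASN.1 SEQUENCE with content
        return ("unknown", [], False)
    if first[0] == 0x06:                    # OBJECT IDENTIFIER first: PKCS#7 ContentInfo
        return ("DER", ["PKCS7"], False)
    if first[0] == 0x02:                    # INTEGER version: 3 is PKCS#12, else a bare key
        is_pfx = data[first[1]:first[2]] == b"\x03"
        return ("DER", ["PKCS12" if is_pfx else "PRIVATE KEY"], True)
    if first[0] == 0x30:
        second = _tlv(data, first[2])
        if second and second[0] == 0x04:    # OCTET STRING second: encrypted PKCS#8 key
            return ("DER", ["ENCRYPTED PRIVATE KEY"], True)
        return ("DER", ["CERTIFICATE, CSR or CRL"], False)
    return ("unknown", [], False)

# Constructed stubs (not real certificates or keys), keyed by a misleading file name.
SAMPLES = {
    "site.cer (PEM)": b"-----BEGIN CERTIFICATE-----\nMIIB\n-----END CERTIFICATE-----\n",
    "site.cer (DER)": bytes.fromhex("30023000"),
    "bundle.crt": bytes.fromhex("3003020103"),
    "chain.cer": bytes.fromhex("300b06092a864886f70d010702"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, "->", classify(blob))
```

A result with holds_private_key set for a file named .cer or .crt is worth flagging before that file is copied to a web root or attached to an e-mail.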


It is possible for a Certificate Authority to revoke a certificate. An extension of .crl will indicate it is a file that contains information about the revocation of a certificate. This is not the same as a certificate expiration; rather the CA notifies the endpoints that the certificate is no longer valid because of the lack of trustworthiness.

This revocation can occur for several different reasons. The most common issue that occurs is an improperly issued certificate. This can be corrected if the accurate information is supplied to the CA. Often this occurs with CAs that do not follow their own written validation and verification procedures.

Other issues that can occur include a breach of security that may have or has compromised the private key for the SSL certificate. It can also occur if a new certificate is issued for an already secured domain, if the website is no longer owned by the original applicant or if the company or organization is no longer in business.

If you have any questions about SSL certificate extension designations, talk to our staff at +1 888 266 6361 or contact us by email through our chat system. If you need information before, during or after purchasing Comodo security products we are here to help.
