
What is the difference between .cer & pfx file

People used to say -

cer - certificate stored in the X.509 standard format. This certificate contains information about the certificate's owner... along with public and private keys.

pfx - stands for personal exchange format. It is used to exchange public and private objects in a single file. A pfx file can be created from a .cer file. Can also be used to create a Software Publisher Certificate.

(got the reference from this link: What is the difference between a cer, pvk, and pfx file?)

But nobody is saying when we should use a CERT file and when we should use a PFX file. If possible please discuss the situations when we should go for a CERT file and when we should go for a PFX file. Thanks.

A .pfx includes both the public and private key for the associated certificate (NEVER share this outside your organization); it can be used for TLS/SSL on a web site, for digitally signing messages or authorization tokens, or for authenticating to a partner system. A .cer file only has the public key (this is what you typically exchange with integration partners); it can be used to verify tokens or client authentication requests, and it is what is received by an HTTP client from a server in the SSL handshake.

Two scenarios that work slightly differently:

SCENARIO 1:
Web Browser (Client) accessing Web Page (Server) over HTTPS using SSL.

The Server has the .PFX file containing both keys. The Client connects to a Website on the Server, and the Server sends a copy of its Public-Key (.CER file) to the Client as part of the SSL handshake. The Client then generates a "SESSION-Key" and encrypts it using the public-key received from the server. The Session-key is then sent back to the server and decrypted to confirm its authenticity. If successful, both the Client and Server now share the "Session-Key" to communicate using symmetric encryption (i.e. both client and server now encrypt AND decrypt all messages between each other using the same session-key). All of this is being done behind the scenes in the background of the web browser, between the time of you entering the URL in the address bar and seeing the web page appear.

SCENARIO 2:
Application (Client) connects to an FTP Site (Server)
or
Remote Desktop (Client to Server) using SSH
(both examples would apply)

In this scenario, both the Client and Server will have their own private and public key pairs
(in contrast to the other examples mentioned in this thread, that only explain when a server has both keys, and the client has the public key only)

Now, for explanation purposes - let's label the key pairs something like:
A1 and A2 = the Server's Private and Public Keys respectively
B1 and B2 = the Client's Private and Public Keys respectively

Using this model, previous posts in this thread were talking about when the Server has A1 and A2 (.PFX file), and shares only a copy of A2 (.CER) with clients.

Whereas FTP or SSH connections (there are other examples out there) consist of A1, A2, B1 and B2 keys in the entire Client-Server communication. For instance,
- Client connects to FTP Server.
- Server sends a copy of its public key (A2) to the Client.
- Client sends its own public key (B2) back to the Server, completing the handshake.
- This will now be using asymmetric encryption.

Server now has A1 (its own Private), A2 (its own Public), and a copy of B2 (Client's Public)
Client now has B1 (its own Private), B2 (its own Public), and a copy of A1 (Server's Public)

Client-to-Server Comms:
Client uses A2 (server's public key) to encrypt messages bound for the Server; Server decrypts them using A1 (Server private key)

Server-to-Client Comms:
Server uses B2 (client's public key) to encrypt messages bound for the Client; Client decrypts them using B1 (Client private key)

Regarding the .CER and .PFX file types, the Server will have its own .PFX that shouldn't be distributed outside your organisation; instead, you should distribute the .CER file out to Clients.

More info can be found here:
https://www.digicert.com/ssl-cryptography.htm

and here:
https://serverfault.com/questions/107433/why-does-a-ssh-public-key-sit-on-the-server-and-not-with-the-client

In my experience (it's not as vast as I want it to be) I use a pfx file when configuring the https binding on an IIS server (since this contains both the public and the private key, you are fine with just that file); a cer file is just the public portion of the key pair (most of the time) and you need to use it in conjunction with a .key file when configuring the SSL traffic on an nginx or apache server.

As far as I understand there are no more hard reasons to use one or the other.
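The file-format side of the answers above, as an added example that is not part of any post on this page: with the openssl CLI it creates a self-signed key pair standing in for the server's material, emits it as a DER .cer (certificate only) and as a password-protected .pfx (certificate plus private key), splits the .pfx back into the PEM cert + key files nginx/apache expect, and then checks which file lets its holder do what. The CN example.test, the scratch file names and the export password "demo-pass" are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the original page): .cer vs .pfx round trip with the openssl CLI.
# Assumptions: a throwaway self-signed cert for CN=example.test and the export
# password "demo-pass" stand in for real server material.
set -e

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PFX_PASS="demo-pass"

# 1. Make a key pair + self-signed cert, then emit it in the two formats discussed.
make_demo_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
        -keyout "$WORK/key.pem" -out "$WORK/cert.pem" 2>/dev/null
    # .cer: DER-encoded X.509 certificate, public key only (safe to hand out).
    openssl x509 -in "$WORK/cert.pem" -outform DER -out "$WORK/server.cer"
    # .pfx: PKCS#12 blob holding the cert AND the private key (keep it in-house).
    openssl pkcs12 -export -inkey "$WORK/key.pem" -in "$WORK/cert.pem" \
        -out "$WORK/server.pfx" -passout "pass:$PFX_PASS"
}

# 2. Split the .pfx into the PEM cert + key files nginx/apache expect.
pfx_to_pem() {
    openssl pkcs12 -in "$WORK/server.pfx" -passin "pass:$PFX_PASS" \
        -nokeys -out "$WORK/from_pfx_cert.pem" 2>/dev/null
    openssl pkcs12 -in "$WORK/server.pfx" -passin "pass:$PFX_PASS" \
        -nocerts -nodes -out "$WORK/from_pfx_key.pem" 2>/dev/null
}

# 3. "Does this key belong to this cert?": compare the public keys each one carries.
key_matches_cert() {
    cert_pub="$(openssl x509 -in "$1" -noout -pubkey)"
    key_pub="$(openssl pkey -in "$2" -pubout)"
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# 4. What each file lets its holder do.
sign_with_pfx_key() {
    # Only the .pfx holder has a private key to sign with.
    printf 'session token' > "$WORK/msg.bin"
    openssl dgst -sha256 -sign "$WORK/from_pfx_key.pem" \
        -out "$WORK/msg.sig" "$WORK/msg.bin"
}
verify_with_cer() {
    # The .cer holder can check that signature: the public key is all that is needed.
    openssl x509 -in "$WORK/server.cer" -inform DER -noout -pubkey > "$WORK/cer_pub.pem"
    if openssl dgst -sha256 -verify "$WORK/cer_pub.pem" \
          -signature "$WORK/msg.sig" "$WORK/msg.bin" >/dev/null 2>&1
    then echo verified; else echo failed; fi
}
cer_has_private_key() {
    # ...but cannot sign: trying to load a private key out of a .cer fails.
    if openssl pkey -in "$WORK/server.cer" -inform DER -noout >/dev/null 2>&1
    then echo yes; else echo no; fi
}

run_demo() {
    make_demo_material
    pfx_to_pem
    sign_with_pfx_key
    # An unrelated key, to show the mismatch case of the check.
    openssl genpkey -algorithm RSA -out "$WORK/other_key.pem" 2>/dev/null
    echo "pfx cert/key match:      $(key_matches_cert "$WORK/from_pfx_cert.pem" "$WORK/from_pfx_key.pem")"
    echo "cert vs unrelated key:   $(key_matches_cert "$WORK/cert.pem" "$WORK/other_key.pem")"
    echo "cer verifies signature:  $(verify_with_cer)"
    echo "cer holds a private key: $(cer_has_private_key)"
}
run_demo
```

from_pfx_cert.pem and from_pfx_key.pem are what go into nginx's ssl_certificate / ssl_certificate_key (or apache's SSLCertificateFile / SSLCertificateKeyFile); server.pfx is what IIS imports. For a real deployment add the intermediate chain with -certfile at export time, and note that the key written with -nodes is unencrypted on disk, so restrict its file permissions.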

As has been mentioned, the question is a bit of apples and oranges, as the cer file is just the public key but the pfx file contains both public and private keys.

So a more fair question would be when you would want to use a pfx file as opposed to a pem file. Given that pfx files have been criticized for being overly complex, a fair answer to your second question might be: you would only ever want to use a pfx file if you're running IIS and its configuration absolutely won't let you use anything else.

Source: https://en.wikipedia.org/wiki/PKCS_12 (Referenced footnote is an article from Peter Gutmann.)

SSL uses asynchronous encryption, which means that one key (the private key) is given to the server that "owns" the key pair, while the other key (the public key) is distributed freely.
It is called asynchronous because data encrypted with the private key can only be decrypted with the public key, while data encrypted with the public key can only be decrypted with the private key. So if you want to send something securely to the owner, you encrypt it with his private key and he will be the only one who can decrypt it. If the owner wants to prove that he sent something, he encrypts it with the private key and anyone who has the public key can decrypt it. (Once the certificates are installed, this is usually done behind the scenes by the browser or email tool.)
Since the owner wants to keep that private key private, it will be password protected and given ONLY to the owning server (often in a PFX or P12 file). But the public key will be distributed freely (often in a CER file).

Notice: the technical posts on this site follow the CC BY-SA 4.0 license; if you need to repost, please credit this site's URL or the original source. For any questions contact: yoyou2525@163.com.

粤ICP备18138465号  © 2020-2024 STACKOOM.COM