| Filename extension | .p7b, .p7s, .p7m, .p7c, .p7r |
|---|---|
| Developed by | RSA Security |
| Latest release | 1.5 (1 March 1998) |
| Type of format | Archive file format |
| Container for | X.509 public key certificates, X.509 CRLs |
In cryptography, PKCS #7 ("PKCS #7: Cryptographic Message Syntax", "CMS") is a standard syntax for storing signed and/or encrypted data. PKCS #7 is one of the family of standards called Public-Key Cryptography Standards (PKCS) created by RSA Laboratories.
The latest version, 1.5, is available as RFC 2315. [1]
An update to PKCS #7 is described in RFC 2630, [2] which was replaced in turn by RFC 3369, [3] RFC 3852 [4] and then by RFC 5652. [5]
PKCS #7 files may be stored either as raw DER or as PEM. PEM format is the same as DER format but wrapped inside Base64 encoding and sandwiched between -----BEGIN PKCS7----- and -----END PKCS7-----. Windows uses the .p7b file name extension [6] for both these encodings.
A typical use of a PKCS #7 file would be to store certificates and/or certificate revocation lists (CRL).
Here's an example of how to first download a certificate, then wrap it inside a PKCS #7 archive, and then read it back from that archive:

```shell
$ echo '' | openssl s_client -connect example.org:443 -host example.org 2>/dev/null | openssl x509 > example.org.cer 2>/dev/null
$ openssl crl2pkcs7 -nocrl -certfile example.org.cer -out example.org.cer.pem.p7b
$ openssl pkcs7 -in example.org.cer.pem.p7b -noout -print_certs
subject=C = US, ST = California, L = Los Angeles, O = Internet Corporation for Assigned Names and Numbers, OU = Technology, CN = www.example.org
issuer=C = US, O = DigiCert Inc, CN = DigiCert SHA2 Secure Server CA
```
- .p7r – response to a CSR. Contains the newly-signed certificate and the CA's own cert.
- .p7s – Digital Signature. May contain the original signed file or message. Used in S/MIME for email signing. Defined in RFC 2311.
- .p7m – Message (SignedData, EnvelopedData), e.g. an encrypted ("enveloped") file, message or MIME email letter. Defined in RFC 2311.
- .p7c – degenerate SignedData "certs-only" structure, without any data to sign. Defined in RFC 2311.
- .p7b – SignedData structure without data, just a certificate bundle and/or CRLs (rarely) but not a private key. Uses DER form or BER or PEM that starts with -----BEGIN PKCS7-----. The format used by Windows for certificate interchange. Supported by Java but often has .keystore as an extension instead. Unlike .pem style certificates, this format has a defined way to include certification-path certificates.
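As an added illustration (not part of the original article and not OpenSSL's own code), the following Python builds the degenerate "certs-only" SignedData structure that `openssl crl2pkcs7 -nocrl` emits for a .p7b/.p7c file and walks it back to the certificates, the same way `openssl pkcs7 -print_certs` does; the reader is strict DER and rejects the BER indefinite lengths the list above mentions. The function names are assumptions, and the "certificates" are constructed placeholder SEQUENCEs rather than real X.509 certificates.

```python
# DER-encoded OBJECT IDENTIFIERs id-signedData and id-data from PKCS #7 (RFC 2315).
OID_SIGNED_DATA = bytes.fromhex("06092a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("06092a864886f70d010701")         # 1.2.840.113549.1.7.1

def tlv(tag, body):
    """DER tag-length-value with a definite length (short or long form)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def parse_tlv(buf, pos=0):
    """Return (tag, body, end) of the element at pos; DER only, so BER indefinite length is rejected."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n == 0x80:
        raise ValueError("indefinite (BER) length is not valid DER")
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("element length runs past end of buffer")
    return tag, buf[pos:pos + n], pos + n

def certs_only_pkcs7(certs_der):
    """Degenerate SignedData 'certs-only' bundle, the structure 'openssl crl2pkcs7 -nocrl' emits."""
    signed = (tlv(0x02, b"\x01") + tlv(0x31, b"")            # version 1, empty digestAlgorithms
              + tlv(0x30, OID_DATA)                            # inner ContentInfo: id-data, no content
              + tlv(0xA0, b"".join(certs_der)) + tlv(0x31, b""))  # [0] certificates, empty signerInfos
    return tlv(0x30, OID_SIGNED_DATA + tlv(0xA0, tlv(0x30, signed)))  # outer ContentInfo

def certs_from_pkcs7(der):
    """Walk ContentInfo -> SignedData and return each DER certificate in the certificates field."""
    tag, ci, _ = parse_tlv(der)
    p = parse_tlv(ci)[2]
    if tag != 0x30 or ci[:p] != OID_SIGNED_DATA:
        raise ValueError("not a PKCS #7 SignedData ContentInfo")
    _, sd, _ = parse_tlv(parse_tlv(ci, p)[1])     # [0] EXPLICIT wrapper -> SignedData SEQUENCE
    p = parse_tlv(sd, parse_tlv(sd, parse_tlv(sd)[2])[2])[2]  # skip version, digestAlgorithms, contentInfo
    t, certset, _ = parse_tlv(sd, p)
    if t != 0xA0:                                 # certificates is OPTIONAL; absent means an empty bundle
        return []
    certs, q = [], 0
    while q < len(certset):
        start, q = q, parse_tlv(certset, q)[2]
        certs.append(certset[start:q])
    return certs

# Constructed placeholder "certificates" (plain SEQUENCEs, not real X.509); the first is >127 bytes to exercise long-form lengths.
SAMPLE_CERTS = [tlv(0x30, b"placeholder leaf " + b"x" * 200), tlv(0x30, b"placeholder CA")]
```

`certs_from_pkcs7(certs_only_pkcs7(SAMPLE_CERTS))` returns the two placeholder blobs unchanged; feeding the DER of a real .p7b (after stripping the PEM armour) returns its certificate-path certificates in bundle order.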