Digital Certificate (CRT) Format

Overview

CRT (Certificate) files contain digital certificates in various formats, most commonly X.509 certificates used for SSL/TLS, code signing, and other cryptographic applications. These certificates establish trust relationships, verify identities, and enable secure communications across networks and applications.

Technical Details

File Extensions: .crt, .cer, .cert, .pem, .der
MIME Type: application/x-x509-ca-cert
Format Types: DER (binary), PEM (Base64), PKCS#7, PKCS#12
Standard: X.509 v3
Encoding: ASN.1 DER/BER
Key Algorithms: RSA, ECDSA, DSA

Certificates contain:

• Public key and algorithm information
• Subject and issuer distinguished names
• Validity period (not before/not after)
• Extensions (key usage, subject alternative names)
• Digital signature

Key Features

• Identity Verification: Proves ownership of public keys
• Chain of Trust: Hierarchical trust relationships
• Cryptographic Binding: Links identity to public key
• Revocation Support: Certificate revocation lists (CRL)
• Multiple Formats: DER, PEM, PKCS#7, PKCS#12
• Extensions: Flexible attribute system

Certificate Types

SSL/TLS Certificates

Types:
├── Domain Validated (DV)
├── Organization Validated (OV)
├── Extended Validation (EV)
├── Wildcard certificates
├── Multi-domain (SAN) certificates
└── Self-signed certificates

Code Signing Certificates

Applications:
├── Software executables
├── Driver signing
├── Macro signing
├── Mobile app signing
└── Browser extensions

Client Authentication

Uses:
├── VPN authentication
├── Email signing (S/MIME)
├── Network access control
├── Smart card authentication
└── Two-factor authentication

File Formats

PEM Format (Base64)

-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAKoK/heBjcOuMA0GCSqGSIb3DQEBBQUAMEUxCzAJBgNV
BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX
aWRnaXRzIFB0eSBMdGQwHhcNMTkwMTA1MTIzNjU5WhcNMjkwMTAyMTIzNjU5WjBF
MQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50
ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
CgKCAQEAuL3GHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74B
ZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGH
Oh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k
2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjR
caD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4
HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh7
4BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2Lz
GHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD
5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNT
jRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZ
L4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHO
h74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2
LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRc
aD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4H
NTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74
BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzG
HOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5
k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTj
RcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL
4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh
74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2L
zGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRca
D5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HN
TjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74B
ZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGH
Oh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k
2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjR
caD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4
HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh7
4BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2LzGHOh74BZL4HNTjRcaD5k2Lz
-----END CERTIFICATE-----

DER Format (Binary)

# View binary DER certificate
openssl x509 -in certificate.der -inform DER -text -noout

# Convert DER to PEM
openssl x509 -in certificate.der -inform DER -out certificate.pem -outform PEM

Common Use Cases

1. Web Security: SSL/TLS website certificates
2. Email Security: S/MIME email encryption/signing
3. Code Signing: Software authenticity verification
4. VPN Authentication: Client and server certificates
5. Device Authentication: IoT and embedded systems
6. Document Signing: PDF and office document signing

Command Line Tools

OpenSSL

# View certificate details
openssl x509 -in certificate.crt -text -noout

# Verify certificate chain
openssl verify -CAfile ca.crt certificate.crt

# Check certificate expiration
openssl x509 -in certificate.crt -noout -dates

# Extract public key
openssl x509 -in certificate.crt -pubkey -noout

# Check certificate against private key
openssl x509 -in certificate.crt -modulus -noout
openssl rsa -in private.key -modulus -noout

# Convert formats
openssl x509 -in cert.pem -outform DER -out cert.der
openssl x509 -in cert.der -inform DER -outform PEM -out cert.pem

# Create certificate chain
cat certificate.crt intermediate.crt root.crt > fullchain.crt

Certificate Request (CSR) Generation

# Generate private key and CSR
openssl req -new -newkey rsa:2048 -nodes -keyout domain.key -out domain.csr

# Generate CSR from existing key
openssl req -new -key existing.key -out domain.csr

# View CSR details
openssl req -in domain.csr -text -noout

# Self-signed certificate
openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

Certificate Validation

# Verify certificate against CA
openssl verify -CAfile ca-bundle.crt certificate.crt

# Check certificate chain
openssl s_client -connect example.com:443 -showcerts

# Verify certificate dates
openssl x509 -in certificate.crt -noout -checkend 86400  # Check if expires in 24h

# Check certificate purpose
openssl x509 -in certificate.crt -noout -purpose

Programming APIs

OpenSSL C API

#include <openssl/x509.h>
#include <openssl/pem.h>
#include <openssl/ssl.h>

// Load certificate from file
X509* load_certificate(const char* filename) {
    FILE* fp = fopen(filename, "r");
    if (!fp) return NULL;
    
    X509* cert = PEM_read_X509(fp, NULL, NULL, NULL);
    fclose(fp);
    return cert;
}

// Verify certificate
int verify_certificate(X509* cert, X509_STORE* store) {
    X509_STORE_CTX* ctx = X509_STORE_CTX_new();
    X509_STORE_CTX_init(ctx, store, cert, NULL);
    
    int result = X509_verify_cert(ctx);
    X509_STORE_CTX_free(ctx);
    return result;
}

// Extract certificate information
void print_certificate_info(X509* cert) {
    char* subject = X509_NAME_oneline(X509_get_subject_name(cert), NULL, 0);
    char* issuer = X509_NAME_oneline(X509_get_issuer_name(cert), NULL, 0);
    
    printf("Subject: %s\n", subject);
    printf("Issuer: %s\n", issuer);
    
    free(subject);
    free(issuer);
}

Python cryptography

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.x509.oid import NameOID
import datetime

# Load certificate
def load_certificate(filename):
    with open(filename, 'rb') as f:
        cert_data = f.read()
        
    if filename.endswith('.pem') or filename.endswith('.crt'):
        return x509.load_pem_x509_certificate(cert_data)
    else:
        return x509.load_der_x509_certificate(cert_data)

# Extract certificate information
def get_certificate_info(cert):
    subject = cert.subject
    issuer = cert.issuer
    
    info = {
        'subject': {attr.oid._name: attr.value for attr in subject},
        'issuer': {attr.oid._name: attr.value for attr in issuer},
        'serial_number': cert.serial_number,
        'not_valid_before': cert.not_valid_before,
        'not_valid_after': cert.not_valid_after,
        'signature_algorithm': cert.signature_algorithm_oid._name
    }
    
    return info

# Verify certificate chain
def verify_certificate_chain(cert, intermediate_certs, root_cert):
    try:
        store = x509.verification.StoreBuilder().add_certs([root_cert])
        for intermediate in intermediate_certs:
            store = store.add_certs([intermediate])
        
        builder = x509.verification.PolicyBuilder().store(store.build())
        verifier = builder.build()
        
        chain = verifier.build_chain(cert, intermediate_certs)
        return True, chain
    except Exception as e:
        return False, str(e)

# Check certificate expiration
def check_expiration(cert, days_ahead=30):
    now = datetime.datetime.utcnow()
    expiry = cert.not_valid_after
    days_until_expiry = (expiry - now).days
    
    return {
        'expired': now > expiry,
        'expires_soon': days_until_expiry <= days_ahead,
        'days_until_expiry': days_until_expiry,
        'expiry_date': expiry
    }

Java

import java.security.cert.*;
import java.io.*;
import java.util.*;

public class CertificateManager {
    
    // Load certificate from file
    public static X509Certificate loadCertificate(String filename) 
            throws Exception {
        FileInputStream fis = new FileInputStream(filename);
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert = (X509Certificate) cf.generateCertificate(fis);
        fis.close();
        return cert;
    }
    
    // Verify certificate chain
    public static boolean verifyCertificateChain(X509Certificate[] chain, 
            X509Certificate rootCert) throws Exception {
        
        // Create certificate path
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        CertPath certPath = cf.generateCertPath(Arrays.asList(chain));
        
        // Create trust anchor
        TrustAnchor anchor = new TrustAnchor(rootCert, null);
        Set<TrustAnchor> anchors = Collections.singleton(anchor);
        
        // Validate path
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // Disable CRL checking
        
        CertPathValidator validator = CertPathValidator.getInstance("PKIX");
        validator.validate(certPath, params);
        
        return true;
    }
    
    // Extract certificate information
    public static void printCertificateInfo(X509Certificate cert) {
        System.out.println("Subject: " + cert.getSubjectDN());
        System.out.println("Issuer: " + cert.getIssuerDN());
        System.out.println("Serial: " + cert.getSerialNumber());
        System.out.println("Valid from: " + cert.getNotBefore());
        System.out.println("Valid to: " + cert.getNotAfter());
        System.out.println("Signature algorithm: " + cert.getSigAlgName());
    }
}

Certificate Management

Certificate Stores

# Windows Certificate Store
certmgr.msc  # Certificate Manager
certlm.msc   # Local Machine certificates

# Linux/Unix stores
/etc/ssl/certs/           # System certificates
/usr/local/share/ca-certificates/  # Local certificates
~/.ssl/                   # User certificates

# Update certificate store (Ubuntu/Debian)
sudo update-ca-certificates

Certificate Installation

# Install certificate to system store (Linux)
sudo cp certificate.crt /usr/local/share/ca-certificates/
sudo update-ca-certificates

# Windows (PowerShell)
Import-Certificate -FilePath certificate.crt -CertStoreLocation Cert:\LocalMachine\Root

# macOS
sudo security add-trusted-cert -d -r trustRoot -k /System/Library/Keychains/SystemRootCertificates.keychain certificate.crt

Security Best Practices

Certificate Validation

def validate_certificate_security(cert):
    checks = {}
    
    # Check key size
    public_key = cert.public_key()
    if hasattr(public_key, 'key_size'):
        checks['key_size_ok'] = public_key.key_size >= 2048
    
    # Check signature algorithm
    sig_alg = cert.signature_algorithm_oid._name
    checks['secure_signature'] = sig_alg not in ['md5WithRSAEncryption', 'sha1WithRSAEncryption']
    
    # Check validity period
    validity_period = cert.not_valid_after - cert.not_valid_before
    checks['reasonable_validity'] = validity_period.days <= 825  # Max 27 months
    
    # Check critical extensions
    checks['has_key_usage'] = any(
        isinstance(ext.value, x509.KeyUsage) 
        for ext in cert.extensions if ext.critical
    )
    
    return checks

Certificate Pinning

# HTTP certificate pinning example
import ssl
import socket
import hashlib

def pin_certificate(hostname, port, expected_fingerprint):
    context = ssl.create_default_context()
    
    with socket.create_connection((hostname, port)) as sock:
        with context.wrap_socket(sock, server_hostname=hostname) as ssock:
            cert_der = ssock.getpeercert(binary_form=True)
            fingerprint = hashlib.sha256(cert_der).hexdigest()
            
            if fingerprint != expected_fingerprint:
                raise Exception(f"Certificate pinning failed: {fingerprint}")
            
            return True

Troubleshooting

Common Issues

# Certificate verification failures
openssl verify -verbose -CAfile ca.crt certificate.crt

# Date/time issues
openssl x509 -in certificate.crt -noout -dates
date  # Check system time

# Chain order issues
openssl s_client -connect example.com:443 -showcerts | openssl x509 -text

# Hostname mismatch
openssl s_client -connect example.com:443 -verify_hostname example.com

Debugging SSL/TLS

# Detailed SSL connection info
openssl s_client -connect example.com:443 -debug -state -verify 5

# Check cipher suites
openssl s_client -connect example.com:443 -cipher 'HIGH:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!SRP:!CAMELLIA'

# Test specific TLS version
openssl s_client -connect example.com:443 -tls1_2

Digital certificates in CRT format remain fundamental to modern cryptographic infrastructure, providing the trust foundation for secure communications, authentication, and data integrity across diverse computing environments.