Relation between .p7b and .spc digital certificate files

2

My company have just renewed their digital certificate from Thawte. The previous certificate I was using had an 'spc' extension. The new certificate I've been handed ends in a 'p7b'.

Although I can use this p7b file directly for signing, I was just wondering whether there's some way to convert this to an spc file which I can then sign with as I was doing previously.

Is it a recommended practice to use p7b directly for signing? Secondly, what exactly is the relation, if any, between the two types of files?

Frederick

Posted 2010-03-23T14:24:53.877

Reputation: 559

Answers

4

Those are just two different filename extensions for PKCS #7 files. You can simply rename it from .p7b to .spc.

Unfortunately, I don't believe the PKCS specifications ever specified the filename extensions, MIME types, or "magic numbers" (first 4 bytes) of their file types (and to be fair, their file types are mostly text based, so magic numbers don't really apply), so different implementors have used different filename extensions for the same PKCS-related file types.

[Edit: I previously had written a cheat-sheet off the top of my head here, but I realized later I'd made a mistake. Here's a better cheat sheet from the X.509 article on Wikipedia:]


http://en.wikipedia.org/wiki/X.509#Certificate_filename_extensions

Certificate filename extensions

Common filename extensions for X.509 certificates are:

  • .pem - (Privacy Enhanced Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
  • .cer, .crt, .der - usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
  • .p7b, .p7c - PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)
  • .p12 - PKCS#12, may contain certificate(s) (public) and private keys (password protected)
  • .pfx - PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g., with PFX files generated in IIS)

PKCS#7 is a standard for signing or encrypting (officially called "enveloping") data. Since the certificate is needed to verify signed data, it is possible to include them in the SignedData structure. A .P7C file is a degenerated SignedData structure, without any data to sign.

PKCS#12 evolved from the PFX (Personal inFormation eXchange) standard and is used to exchange public and private objects in a single file.


I also saw a link from a relevant Server Fault article to a useful Microsoft support knowledge base article that confirms that you can just rename a .p7b to .spc.

Spiff

Posted 2010-03-23T14:24:53.877

Reputation: 84 656

So does that mean from an end-user's perspective a p7b file is equivalent to an spc file? That is, is it just fine to use a p7b for signing just like one would use an spc? – Frederick – 2010-03-24T12:44:03.647

Well, you don't sign with a certificate, because a certificate only contains your public key. You sign with a private key. I don't think your .spc file ever contained a private key. I think the software you were using may have looked at the public key in the certificate in the .spc and then looked up your private key somewhere else, like in your Mac OS X keychain, or in your Windows certificate store. But yes, as far as I can tell, .p7b and .spc are the same thing, so you could even just rename your new file to .spc if you wanted, and you should be able to use it the same way you always have. – Spiff – 2010-03-24T15:00:09.157
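Added example, not part of the original question, answer or comments: a standard-library Python check that classifies a .p7b/.spc blob by its content (a PKCS#7 SignedData in DER or PEM) instead of its extension, and reports whether it is the certificates-only form with no signed data and no signer. The function names are hypothetical and the sample is constructed, with opaque placeholders standing in for real certificates.

```python
import base64
import re

OID_SIGNED_DATA = bytes.fromhex("2a864886f70d010702")  # 1.2.840.113549.1.7.2
OID_DATA = bytes.fromhex("2a864886f70d010701")         # 1.2.840.113549.1.7.1

def tlv(buf, pos=0):
    """Read one DER element at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def inspect_pkcs7(raw):
    """Classify a .p7b/.spc blob (DER or PEM) by content, not by filename."""
    pem = re.search(rb"-----BEGIN [^-]+-----(.*?)-----END [^-]+-----", raw, re.S)
    tag, body, _ = tlv(base64.b64decode(pem.group(1)) if pem else raw)
    outer = children(body) if tag == 0x30 else []
    if len(outer) < 2 or outer[0] != (0x06, OID_SIGNED_DATA) or outer[1][0] != 0xA0:
        raise ValueError("not a PKCS#7 SignedData structure")
    fields = children(tlv(outer[1][1])[1])  # version, digests, content, [0], [1], signers
    certs = [v for t, v in fields[3:-1] if t == 0xA0]  # [0] IMPLICIT certificates
    return {"has_content": len(children(fields[2][1])) > 1,
            "certificates": len(children(certs[0])) if certs else 0,
            "signers": len(children(fields[-1][1]))}

def der(tag, *parts):
    """Minimal DER encoder, used only to build the constructed sample."""
    body = b"".join(parts)
    n, k = len(body), (len(body).bit_length() + 7) // 8
    size = bytes([n]) if n < 0x80 else bytes([0x80 | k]) + n.to_bytes(k, "big")
    return bytes([tag]) + size + body

# Constructed sample: SignedData with two placeholder "certificates" (not real X.509).
FAKE_CERT = der(0x30, der(0x04, b"constructed placeholder, not a real certificate"))
SAMPLE_DER = der(0x30, der(0x06, OID_SIGNED_DATA), der(0xA0, der(0x30,
    der(0x02, b"\x01"), der(0x31), der(0x30, der(0x06, OID_DATA)),
    der(0xA0, FAKE_CERT, FAKE_CERT), der(0x31))))
SAMPLE_PEM = b"-----BEGIN PKCS7-----\n" + base64.encodebytes(SAMPLE_DER) + b"-----END PKCS7-----\n"
```

The result is the same whichever extension the bytes were saved under; a file that fails the check is not a PKCS#7 certificate bundle, whatever it is named.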