X.509 CA certificate

application/x-x509-ca-cert

Extensions
.der .crt .pem
Compressible
unknown
Status
IANA-registered

A fossil from the Netscape era that outlived its habitat: this is the type browsers once expected when downloading a certificate authority's certificate for installation, and servers still send it for .crt and .der files. X.509 itself dates to the ITU-T in 1988; the profile everyone actually implements for the Internet is RFC 5280. The type was never registered — the modern registered options are application/pkix-cert for a single DER certificate and application/pem-certificate-chain for PEM. No single magic exists because the same certificate travels in two skins: binary DER, which typically opens with the ASN.1 bytes 30 82, or PEM, which is Base64 between -----BEGIN CERTIFICATE----- fences.

.der and often .crt are binary DER; .pem (and sometimes .crt again) is the Base64 armor — the extension is no guarantee.

Defined by RFC 5280 · IANA registration. Registry facts from the IANA media-types registry via mime-db.