Certificates and Private Keys

Digital certificate files may or may not include a private key, depending on their format and intended use. Here's a breakdown:

These formats typically contain only the public certificate (and sometimes a certificate chain):

Format	Extension	Description
X.509 PEM	`.cer`, `.crt`, `.pem`	Base64-encoded certificate between `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----`.
X.509 DER	`.cer`, `.der`	Binary-encoded certificate without private key.
PKCS#7 (CMS)	`.p7b`, `.p7c`	May contain a certificate or chain, but no private key.

Format	Extension	Description
PKCS#12 / PFX	`.pfx`, `.p12`	Binary format that bundles the certificate, private key, and optionally a chain. Usually password-protected.
PEM with private key	`.pem`, `.key`	May include both certificate and private key as Base64 text.

-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

Certificates can be stored in the Windows Certificate Store (using MMC or Certmgr).
Private keys are often stored in a CSP or KSP and are non-exportable unless explicitly allowed.
Examples:
- MY (Personal) store for user-level certs.
- Certificates may be backed by TPM, smart card, or HSM.

Private keys never leave the device.
Operations like signing or decryption are performed inside the secure element.
Access typically uses a PKCS#11 interface or proprietary API.
Example: A certificate stored on a YubiKey or REALSEC HSM is publicly accessible, but private key use requires PIN and cannot be exported.

File Contains Private Key?	Format Examples
No	`.cer`, `.crt`, `.der`, `.p7b`
Yes	`.pfx`, `.p12`, `.pem` (with key), `.key`

Platform	Key Storage Location
Windows	Certificate Store, CSP/KSP
macOS	Keychain
Smart Card	PKCS#11 or native interface
HSM	Enforced secure hardware storage