Relation between .p7b and .spc digital certificate files
My company have just renewed their digital certificate from Thawte. The previous certificate I was using had an 'spc' extension. The new certificate I've been handed ends in a 'p7b'.
Although I can use this p7b file directly for signing, I was just wondering whether there's some way to convert this to an spc file which I can then sign with as I was doing previously.
Is it a recommended practice to use p7b directly for signing? Secondly, what exactly is the relation, if any, between the two types of files?
Those are just two different filename extensions for PKCS #7 files. You can simply rename it from .p7b to .spc.
Unfortunately, I don't believe the PKCS specifications ever specified the filename extensions, MIME types, or "magic numbers" (first 4 bytes) of their file types (and to be fair, their file types are mostly text based, so magic numbers don't really apply), so different implementors have used different filename extensions for the same PKCS-related file types.
[Edit: I previously had written a cheat-sheet off the top of my head here, but I realized later I'd made a mistake. Here's a better cheat sheet from the X.509 article on Wikipedia:]
http://en.wikipedia.org/wiki/X.509#Certificate_filename_extensions
Certificate filename extensions
Common filename extensions for X.509 certificates are:
- .pem - (Privacy Enhanced Mail) Base64 encoded DER certificate, enclosed between "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----"
- .cer, .crt, .der - usually in binary DER form, but Base64-encoded certificates are common too (see .pem above)
- .p7b, .p7c - PKCS#7 SignedData structure without data, just certificate(s) or CRL(s)
- .p12 - PKCS#12, may contain certificate(s) (public) and private keys (password protected)
- .pfx - PFX, predecessor of PKCS#12 (usually contains data in PKCS#12 format, e.g, with PFX files generated in IIS)
PKCS#7 is a standard for signing or encrypting (officially called "enveloping") data. Since the certificate is needed to verify signed data, it is possible to include them in the SignedData structure. A .P7C file is a degenerated SignedData structure, without any data to sign.
PKCS#12 evolved from the PFX (Personal inFormation eXchange) standard and is used to exchange public and private objects in a single file.
I also saw a link from a relevant Server Fault article to a useful Microsoft support knowledge base article that confirms that you can just rename a .p7b to .spc.