What Are Mainstream Formats of Digital Certificates?
Mainstream web service software uses a basic password library provided by OpenSSL or Java.
- Tomcat, WebLogic, and JBoss use the password library provided by Java. Java Keystore (JKS) certificate files are generated with the Keytool tool in the Java Development Kit (JDK) tool package.
- Apache and Nginx use the password library provided by OpenSSL to generate PEM, KEY, or CRT certificate files.
- IBM web service products, such as WebSphere and IBM HTTP Server (IHS), use the built-in iKeyman tool to generate KDB certificate files.
- The Internet Information Services (IIS) service of Microsoft Windows Server uses the built-in certificate library to generate PFX certificate files.
Checking the Format of a Certificate File
- You can determine whether a certificate file is text or binary based on its name extension:
- A DER or CER file is binary and contains only the certificate information.
- A CRT file can be either binary or text. Most CRT files are text and have the same function as DER or CER files.
- A PEM file is text typically and contains a certificate or private key or both. If a PEM file contains only a private key, it is usually replaced by a KEY file.
- A PFX or P12 file is binary. Containing both a certificate and a private key, it is password protected typically.
- You can also use Notepad to open the certificate file. If strings of digits and letters are displayed in the file, the certificate file is in text format.
Examples:
—–BEGIN CERTIFICATE—– MIIE5zCCA8+gAwIBAgIQN+whYc2BgzAogau0dc3PtzANBgkqh...... —–END CERTIFICATE—–
- If --BEGIN CERTIFICATE-- is displayed, the file contains a certificate.
- If --BEGIN RSA PRIVATE KEY-- is displayed, the file contains a private key.
Certificate Format Conversion
Certificate formats as listed in Figure 1 can be converted mutually.
You can use the following methods to convert certificate formats:
- Converting from JKS into PFX
You can use the built-in Keytool of JDK to convert a JKS certificate file into PFX.
For example, you can run the following command to convert server.jks into server.pfx:
keytool -importkeystore -srckeystore D:\server.jks -destkeystore D:\server.pfx -srcstoretype JKS -deststoretype PKCS12
- Converting from PFX into JKS
You can use the built-in Keytool of JDK to convert a PFX certificate file into JKS.
For example, you can run the following command to convert server.pfx into server.jks:
keytool -importkeystore -srckeystore D:\server.pfx -destkeystore D:\server.jks -srcstoretype PKCS12 -deststoretype JKS
- Converting from PEM/KEY/CRT into PFX
You can use the OpenSSL tool to convert a KEY key file and CRT public key file into a PFX certificate file.
For example, copy the server.key key file and server.crt public key file to the OpenSSL tool installation directory and run the following command to convert the certificate into the server.pfx certificate file:
openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt
- Converting from PFX into PEM/KEY/CRT
You can use the OpenSSL tool to convert a PFX certificate file into a PEM certificate file, KEY key file, and CRT public key file.
For example, copy your PFX certificate file to the OpenSSL tool installation directory, and use the OpenSSL tool to run the following command to convert it into the server.pem certificate file, server.key key file, and server.crt public key file:
openssl pkcs12 -in server.pfx -nodes -out server.pem
openssl rsa -in server.pem -out server.key
openssl x509 -in server.pem -out server.crt
This conversion method is used only for scenarios where OpenSSL is used to generate private keys and CSRs for applying for certificate files. Using this method, you can separate the private keys when you have obtained PEM public keys. When deploying a digital certificate, use the private key separated with this method to match the public key certificate issued to you.
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.