
Certificate Management Service: What are the common SSL certificate formats?

Last Updated: Mar 31, 2026

SSL certificates come in several file formats that determine how they are stored and which servers accept them. Before working with certificate files, understand one key fact: file extensions do not reliably indicate encoding. A .crt file can be either PEM-encoded or DER-encoded. Always inspect the file content to confirm the actual format.

This topic covers the common formats, how to choose one for your server, how to identify an unknown file, and how to convert between formats.

Certificate file formats

Extension | Encoding | Description
.pem | Text (PEM) | The most common extension. Can store a certificate, private key, certificate chain, or a combination. Check the BEGIN/END markers to identify the content type.
.key | Text (PEM) or binary (DER) | Typically stores a private key.
.crt, .cer | Text (PEM) or binary (DER) | Typically contains only the certificate (public key and identity information), not the private key. Can be a single server certificate or a certificate chain that includes intermediate certificates.
.pfx, .p12 | Binary (PKCS#12) | Bundles the server certificate, private key, and certificate chain in a single password-protected file. .pfx is the Windows convention; .p12 is the standard extension.
.jks | Binary (JKS) | The proprietary Java Keystore (JKS) format. Stores key entries (private key and certificate chain) and trust entries (CA certificates). Since Java 9, PKCS#12 is the recommended format.

Key concepts

SSL certificate files involve four related concepts: certificate components, encoding methods, container formats, and file extensions. Understanding the distinction between them makes it easier to work across different tools and servers.

Certificate components

  • SSL certificate: An identity credential containing the domain name, public key, issuer, and validity period.

  • Private key: Paired with the public key in the certificate. Used for identity authentication and encrypted communication. Keep the private key strictly confidential.

  • Certificate chain: The complete trust path from the server certificate to the root CA certificate, including one or more intermediate CA certificates.

Encoding methods

Encoding determines how binary data is serialized into a file.

  • Privacy-Enhanced Mail (PEM): A text format that uses Base64 encoding, enclosed by -----BEGIN...----- and -----END...----- markers. A single PEM file can contain a certificate, a private key, or both.

  • Distinguished Encoding Rules (DER): A binary format — the direct binary encoding of ASN.1 data. PEM is essentially DER data encoded in Base64 and wrapped in header/footer markers. DER files are more compact but cannot be read in a text editor.

Container formats

Container formats bundle multiple components into one file.

  • PFX/P12 (PKCS#12): A binary certificate store that packages the server certificate, private key, and intermediate certificate chain into a single password-protected file. Use this format when deploying to Windows IIS or Java application servers, or when migrating certificates between servers.

  • Java Keystore (JKS): A Java-specific certificate store. Migrate to PKCS#12 for broader compatibility — it has been the Java default since Java 9.

File extensions are a naming convention only. For example, a .crt file may be PEM-encoded or DER-encoded. Inspect the file content to confirm the actual format.

Choose a format for your server

Server | Format | Required files | Notes
Nginx, Apache | PEM | Certificate file (.pem or .crt) and private key file (.key) | Configure the certificate and private key files separately. The certificate file must be a complete chain that includes the server certificate and all intermediate certificates.
Tomcat, JBoss, WebLogic | PKCS#12 | Keystore file (.pfx or .p12) | The standard format for Java application servers. If still using JKS, migrate to PKCS#12.
IIS | PFX | Keystore file (.pfx) | Import the password-protected PFX file to deploy the certificate and private key together.
IBM WebSphere | KDB | Keystore file (.kdb) | A proprietary IBM format. Manage it using the iKeyman tool.

After purchasing and issuing a certificate in Certificate Management Service, download it in the format your server requires. For more information, see Download an SSL certificate.

Building a certificate chain for Nginx and Apache

If the certificate authority (CA) provides a separate intermediate certificate file, concatenate it with the server certificate before deployment. Do not include the root CA certificate — include only the server certificate and intermediate certificates.

# Run on Linux or macOS
cat server.crt chain.crt > fullchain.crt

Identify certificate file formats

Before deploying, confirm the file format to avoid failures.

Identify PEM files by content

Open the file in a text editor. A PEM file contains an ASCII block with BEGIN and END markers. The marker identifies what the file contains:

-----BEGIN CERTIFICATE-----
MIIE5zCCA8+gAwIBAgIQN+whYc2BgzAogau0dc3PtzANBgkqh......
-----END CERTIFICATE-----

Common markers:

Marker | Content
-----BEGIN CERTIFICATE----- | Certificate
-----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY----- | Private key
-----BEGIN ENCRYPTED PRIVATE KEY----- | Encrypted private key
-----BEGIN EC PRIVATE KEY----- | Elliptic Curve (EC) private key
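As an added example (not part of this page or of the Certificate Management Service tooling), the following Python script applies the two checks described above to the file bytes rather than to the extension: it looks for matching BEGIN/END markers and validates the Base64 body, and if no markers are present it tests for the ASN.1 SEQUENCE tag (0x30) with a length header that covers the rest of the file, which is how a DER certificate or key starts. It uses only the standard library; the sample bytes it embeds are a constructed ASN.1 structure, not a real certificate, and the function name identify is my own.

```python
"""Identify certificate file encoding and content by inspecting bytes,
not the file extension. Added example; standard library only."""
import base64
import re
import sys

# PEM markers listed on this page, mapped to the content they announce.
PEM_LABELS = {
    "CERTIFICATE": "Certificate",
    "PRIVATE KEY": "Private key",
    "RSA PRIVATE KEY": "Private key",
    "ENCRYPTED PRIVATE KEY": "Encrypted private key",
    "EC PRIVATE KEY": "Elliptic Curve (EC) private key",
}

# One PEM block: a BEGIN marker, a Base64 body, and an END marker with the same label.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL
)


def _der_length_matches(data: bytes) -> bool:
    """True if the ASN.1 length header covers exactly the rest of the data."""
    first = data[1]
    if first < 0x80:                       # short form: one length octet
        length, offset = first, 2
    else:                                  # long form: 0x8N, then N length octets
        n = first & 0x7F
        if n == 0 or len(data) < 2 + n:    # 0x80 (indefinite length) never occurs in DER
            return False
        length = int.from_bytes(data[2:2 + n], "big")
        offset = 2 + n
    return offset + length == len(data)


def identify(data: bytes) -> dict:
    """Classify raw file bytes as PEM, DER or unknown.

    A PEM file may hold several blocks (for example fullchain.crt), so the
    contents are reported in file order, which is the order Nginx and Apache
    expect: server certificate first, then the intermediate certificates."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        contents = []
        for label, body in blocks:
            name = PEM_LABELS.get(label.decode("ascii"), label.decode("ascii"))
            try:                           # reject a block whose body is not Base64
                base64.b64decode(b"".join(body.split()), validate=True)
            except ValueError:
                contents.append(f"{name} (corrupt Base64)")
                continue
            contents.append(name)
        return {"encoding": "PEM", "contents": contents}
    # A DER certificate or key begins with an ASN.1 SEQUENCE tag (0x30).
    if len(data) >= 2 and data[0] == 0x30 and _der_length_matches(data):
        return {"encoding": "DER", "contents": ["ASN.1 SEQUENCE"]}
    return {"encoding": "unknown", "contents": []}


# Constructed sample data (not a real certificate): a tiny DER SEQUENCE of two
# INTEGERs, and the same bytes wrapped as a PEM block. The identification
# result depends only on the content, never on a file name.
SAMPLE_DER = bytes.fromhex("30 06 02 01 05 02 01 07")
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(SAMPLE_DER)
              + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:          # usage: python identify_cert.py file.crt ...
            with open(path, "rb") as f:
                print(path, identify(f.read()))
    else:
        print("sample PEM ->", identify(SAMPLE_PEM))
        print("sample DER ->", identify(SAMPLE_DER))
```

The DER check deliberately requires the length header to account for every remaining byte: a file with trailing junk, or one truncated mid-download, is reported as unknown rather than as a certificate, which is the failure you want to catch before deployment.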

Identify formats using OpenSSL

For binary files or when you need detailed information, use OpenSSL to inspect the file.

PEM certificate

# Displays subject, issuer, validity period, and other details
openssl x509 -in certificate.crt -noout -text

If the command succeeds, the file is a PEM-encoded certificate.

PEM private key

# Displays key type and length
openssl pkey -in private.key -noout -text

PFX/P12 certificate store

# Lists all entries in the PKCS#12 file; prompts for the import password
openssl pkcs12 -in keystore.pfx -info -noout

DER certificate

# The -inform der flag tells OpenSSL to read binary DER input
openssl x509 -in certificate.der -inform der -noout -text

Convert certificate formats

Two options are available for format conversion.

Option 1: Certificate Management Service conversion tool (no command line required)

Certificate Management Service provides a built-in conversion tool that supports conversion between PEM and PFX, PEM and JKS, and PEM and PKCS8 formats. See Certificate tools.

Option 2: OpenSSL command-line tool

OpenSSL is available on all operating systems and supports all common conversion paths.

Convert PEM to PFX (for IIS and Tomcat)

This command combines a certificate file, a private key file, and an optional chain file into a single password-protected PFX file.

# Server certificate and private key only.
# -out: output PFX file; -inkey: private key file; -in: server certificate.
# The command prompts for an export password that protects the PFX file.
openssl pkcs12 -export \
  -out server.pfx \
  -inkey private.key \
  -in server.crt

# With a complete certificate chain.
# -certfile: intermediate certificate chain
openssl pkcs12 -export \
  -out server.pfx \
  -inkey private.key \
  -in server.crt \
  -certfile chain.crt

Split PFX to PEM (for Nginx and Apache)

These commands extract the certificate and private key from a PFX file into separate PEM files.

# Step 1: Extract the private key (password-protected)
openssl pkcs12 -in server.pfx -nocerts -out server.encrypted.key

# Step 2: Extract the server certificate only (leaf certificate, no CA chain)
openssl pkcs12 -in server.pfx -clcerts -nokeys -out server.crt

# Step 3: Extract the intermediate CA certificates
# Note: The root CA certificate is not required for deployment
openssl pkcs12 -in server.pfx -cacerts -nokeys -out chain.crt

# Step 4 (optional): Remove the password from the private key
# Required for servers that start non-interactively (Nginx, Apache)
openssl pkey -in server.encrypted.key -out private.key

# Step 5 (optional): Concatenate into a single chain file
# Skip this step if chain.crt does not exist (no intermediate certs in the PFX)
# Order matters: server certificate first, then intermediate certificates
cat server.crt chain.crt > fullchain.crt

Important

The resulting private.key file has no password protection. Restrict its permissions immediately: chmod 400 private.key (read-only for the file owner).

Nginx configuration after conversion:

ssl_certificate     /path/to/fullchain.crt;
ssl_certificate_key /path/to/private.key;

Apache configuration after conversion:

For Apache 2.4.8 and later:

SSLCertificateFile    /path/to/fullchain.crt
SSLCertificateKeyFile /path/to/private.key

For Apache earlier than 2.4.8, configure the intermediate chain separately:

SSLCertificateFile      /path/to/server.crt
SSLCertificateKeyFile   /path/to/private.key
SSLCertificateChainFile /path/to/chain.crt

Convert between DER and PEM

DER and PEM represent the same data in different encodings — binary ASN.1 versus Base64-encoded ASN.1 with markers. Convert between them when a server or tool requires a specific encoding.

# DER to PEM
openssl x509 -inform der -in certificate.cer -out certificate.pem

# PEM to DER
openssl x509 -inform pem -in certificate.pem -outform der -out certificate.der
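The following added Python example (not from this page and not OpenSSL code) shows the encoding relationship directly: the PEM form is the Base64 of the DER bytes, wrapped at 64 characters per line and fenced by BEGIN/END markers, so converting in either direction touches only the encoding layer and leaves the certificate data untouched. It uses only the standard library; the DER structure it embeds is constructed and is not a real certificate, and the function names pem_to_der and der_to_pem are my own.

```python
"""PEM <-> DER conversion in pure Python, covering the encoding step that
`openssl x509 -inform der` / `-outform der` perform. Added example;
standard library only, no certificate parsing."""
import base64
import re

LINE_LEN = 64  # OpenSSL wraps the Base64 body of a PEM file at 64 characters


def der_to_pem(der: bytes, label: str = "CERTIFICATE") -> bytes:
    """Wrap DER bytes in Base64 with BEGIN/END markers for the given label."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + LINE_LEN] for i in range(0, len(b64), LINE_LEN)]
    return ("-----BEGIN %s-----\n%s\n-----END %s-----\n"
            % (label, "\n".join(lines), label)).encode("ascii")


def pem_to_der(pem: bytes, label: str = "CERTIFICATE") -> bytes:
    """Decode the first block with the given label back to DER bytes.

    Raises ValueError if no block with that label exists or if the body is not
    valid Base64 (for example a file that was edited or truncated)."""
    tag = re.escape(label.encode("ascii"))
    m = re.search(rb"-----BEGIN " + tag + rb"-----\r?\n(.*?)\r?\n-----END " + tag
                  + rb"-----", pem, re.DOTALL)
    if m is None:
        raise ValueError(f"no {label} block found")
    body = b"".join(m.group(1).split())    # drop line breaks before decoding
    return base64.b64decode(body, validate=True)


# Constructed sample (not a real certificate): a DER SEQUENCE holding one
# 60-byte OCTET STRING, 64 bytes in total, long enough that its Base64 form
# spans more than one 64-character line.
_payload = bytes(range(60))
_inner = b"\x04" + bytes([len(_payload)]) + _payload
SAMPLE_DER = b"\x30" + bytes([len(_inner)]) + _inner

if __name__ == "__main__":
    pem = der_to_pem(SAMPLE_DER)
    print(pem.decode("ascii"))
    print("round trip intact:", pem_to_der(pem) == SAMPLE_DER)
```

Because pem_to_der selects a block by its label, it also illustrates why the markers matter: asking for a PRIVATE KEY block in a file that holds only a CERTIFICATE block fails cleanly instead of returning the wrong object.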

Convert JKS to PKCS#12 (recommended migration path)

Use Java's keytool utility to convert a legacy Java Keystore (JKS) to PKCS#12.

# -srckeystore: source JKS file; -destkeystore: output PKCS#12 file
keytool -importkeystore \
  -srckeystore keystore.jks \
  -srcstoretype JKS \
  -destkeystore keystore.p12 \
  -deststoretype PKCS12

This migrates all entries from keystore.jks to keystore.p12. To migrate only a specific entry, add -srcalias <alias> and -destalias <alias>. The command prompts for both the source (JKS) password and the destination (PKCS#12) password.