Certificate Management Service: What are the common SSL certificate formats?

Last Updated: Oct 20, 2025

This topic covers common certificate file formats and related concepts. It explains how to identify formats, select the right one for popular web servers, and convert between them using ready-to-use commands.

Common certificate file formats

Different servers require different certificate formats. For details, see Certificate format selection for major web servers. After purchasing and issuing a certificate in the Certificate Management Service console, download the certificate file in the format your server requires. For more information, see Download an SSL certificate.

  • File extension: .pem
    Content format: Text format (PEM)
    Description: A common extension. Can store a certificate, private key, certificate chain, or a combination of them. Check the BEGIN/END markers in the file to determine its specific content.

  • File extension: .key
    Content format: Text format (PEM) or binary format (DER)
    Description: Typically stores a private key file.

  • File extension: .crt, .cer
    Content format: Text format (PEM) or binary format (DER)
    Description: Typically contains only the certificate (public key and identity information) and not the private key. It can be a single server certificate or a certificate chain file that includes intermediate certificates.

  • File extension: .pfx, .p12
    Content format: Binary format (PKCS#12)
    Description: Can contain a server certificate, private key, and certificate chain in a single file. This format is usually password-protected. .pfx is more common in Windows, while .p12 is the standard extension.

  • File extension: .jks
    Content format: Binary format (JKS)
    Description: A proprietary Java Keystore format, used to store key entries (private key and certificate chain) and trust entries (CA certificates). Since Java 9, PKCS#12 has become the default recommended format.

Certificate format selection for major web servers

  • Server type: Nginx, Apache
    Recommended format: PEM
    Required files: Certificate file (.pem/.crt) and private key file (.key)
    Description: Requires separate configuration for the certificate and private key files. The certificate file should be a complete certificate chain that includes the server certificate and all intermediate certificates.

  • Server type: Tomcat, JBoss, WebLogic
    Recommended format: PFX/P12 (PKCS#12)
    Required files: Keystore file (.pfx/.p12)
    Description: The standard PKCS#12 format is recommended for Java application servers. If you still use the legacy JKS format, migrate to PKCS#12.

  • Server type: IIS
    Recommended format: PFX
    Required files: Keystore file (.pfx)
    Description: The standard format for Windows IIS servers. Deploy the certificate and private key by importing a password-protected PFX file.

  • Server type: IBM WebSphere
    Recommended format: KDB
    Required files: Keystore file (.kdb)
    Description: A proprietary format managed using the official IBM iKeyman tool.

For Nginx and Apache, if the certificate authority (CA) provides a separate intermediate certificate file, combine the server certificate with the intermediate certificate to create a complete chain file before deployment. You usually do not need to include the root CA certificate. Concatenate only the server certificate and intermediate certificates.

# Run in a Linux or macOS terminal.
cat server.crt chain.crt > fullchain.crt

Concepts related to SSL certificate files

SSL certificate files involve the following four core concepts:

  • Certificate components: The core elements that constitute secure SSL communication.

    • SSL certificate: An identity credential that contains information such as the domain name, public key, issuer, and validity period.

    • Private key: Forms a key pair with the public key in the certificate. It is used for identity authentication and encrypted communication. The private key must be kept strictly confidential.

    • Certificate chain: The complete trust path from the server certificate to the root CA certificate. It contains one or more intermediate CA certificates.

  • Encoding method: The method for serializing content into a data stream.

    • Privacy-Enhanced Mail (PEM): A text format that uses Base64 encoding and is enclosed by -----BEGIN...----- and -----END...----- markers. A PEM file can contain a certificate, a private key, or a combination of both.

    • Distinguished Encoding Rules (DER): A binary format, the binary ASN.1 encoding of the certificate structure. PEM is a text encapsulation of the same data: the DER bytes encoded in Base64 between BEGIN/END markers. DER files are smaller than PEM files but cannot be easily read in a text editor.

  • Container format: A standard for bundling one or more certificate components.

    • PFX / P12 (PKCS#12): A binary format certificate store. It bundles the server certificate, private key, and intermediate certificate chain into one password-protected encrypted file. This is the preferred format when migrating certificates between servers (especially Windows IIS) or providing certificates to Java application servers because it streamlines deployment.

    • JKS (Java Keystore): A Java-specific certificate store format. Although it is still used by some legacy Java applications, the industry now recommends using the more universal PKCS#12 format.

  • File name extensions: The suffix of a file, such as .pem, .crt, .key, and .pfx.

    Note

    File name extensions are only a naming convention and do not reliably indicate the file's encoding. For example, a .crt file can be either PEM-encoded or DER-encoded. Inspect the file's content to determine its actual format.

How to identify certificate file formats

Before deployment, use these methods to identify the certificate file format and prevent deployment failures.

Identify by text content (PEM format)

Open the file in a text editor. If you see an ASCII block in the following format, the file is PEM-encoded. Otherwise, use an OpenSSL tool to identify the format.

-----BEGIN CERTIFICATE-----
MIIE5zCCA8+gAwIBAgIQN+whYc2BgzAogau0dc3PtzANBgkqh......
-----END CERTIFICATE-----

Common markers include the following:

  • -----BEGIN CERTIFICATE-----: A certificate file.

  • -----BEGIN PRIVATE KEY----- or -----BEGIN RSA PRIVATE KEY-----: A private key file.

  • -----BEGIN ENCRYPTED PRIVATE KEY-----: An encrypted private key file.

  • -----BEGIN EC PRIVATE KEY-----: An Elliptic Curve (EC) private key file.

Identify using the OpenSSL tool

For binary files that cannot be read in a text editor, or when you need to obtain detailed information, use the OpenSSL command-line tool to identify the format.

  • Identify a PEM-formatted certificate file.
    If the file content starts with -----BEGIN CERTIFICATE-----, it is a PEM-encoded certificate.

    # View the details of a PEM certificate
    openssl x509 -in certificate.crt -noout -text
  • Identify a PEM-formatted private key file.
    If the file content starts with -----BEGIN PRIVATE KEY-----, -----BEGIN RSA PRIVATE KEY-----, -----BEGIN ENCRYPTED PRIVATE KEY-----, or -----BEGIN EC PRIVATE KEY-----, it is a PEM-encoded private key.

    # View the details of a PEM private key
    openssl pkey -in private.key -noout -text
  • Identify a PFX/P12 certificate store.
    This is a binary format that contains both a certificate and a private key.

    # View the content of a PFX file. You will be prompted to enter a password.
    openssl pkcs12 -in keystore.pfx -info -noout
  • Identify a DER-formatted certificate.
    DER is the binary encoding format for certificates. The file cannot be read in a text editor. It is commonly used for Java applications, mobile platforms, and Windows certificate stores.

    # View the details of a DER certificate
    openssl x509 -in certificate.der -inform der -noout -text
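The identification rules above, collected into one POSIX shell function as an added example (not code from the original page): it applies the PEM marker checks first, then falls back to the ASN.1 leading-byte check and, when openssl is present, a DER parse. identify_cert_file and make_samples are hypothetical helper names, and the sample files make_samples writes use the placeholder body "AAAA", so they are constructed inputs rather than real credentials.

```shell
#!/bin/sh
# identify_cert_file FILE: prints one classification word on stdout.
#   pem-certificate, pem-chain (2+ CERTIFICATE blocks), pem-private-key, pem-ec-private-key,
#   pem-encrypted-private-key, pem-mixed (certificate and key together), pem-other,
#   der-certificate (openssl parsed it), binary-asn1 (DER key or PKCS#12, not verified here), unknown
identify_cert_file() {
    f=$1
    [ -f "$f" ] || { echo unknown; return 1; }
    # Text check first: collect the BEGIN marker of every PEM block (-a: treat any file as text).
    markers=$(grep -a -e '^-----BEGIN ' "$f" 2>/dev/null | tr -d '\r' | sed 's/^-----BEGIN //; s/-----$//' || true)
    if [ -n "$markers" ]; then
        certs=$(printf '%s\n' "$markers" | grep -c '^CERTIFICATE$' || true)
        keys=$(printf '%s\n' "$markers" | grep -c 'PRIVATE KEY$' || true)
        if [ "$keys" -gt 0 ] && [ "$certs" -gt 0 ]; then echo pem-mixed; return 0; fi
        if [ "$keys" -gt 0 ]; then
            case $markers in
                *"ENCRYPTED PRIVATE KEY"*) echo pem-encrypted-private-key ;;
                *"EC PRIVATE KEY"*)        echo pem-ec-private-key ;;
                *)                         echo pem-private-key ;;   # PRIVATE KEY or RSA PRIVATE KEY
            esac
            return 0
        fi
        if [ "$certs" -gt 1 ]; then echo pem-chain
        elif [ "$certs" -eq 1 ]; then echo pem-certificate
        else echo pem-other; fi   # e.g. PUBLIC KEY or CERTIFICATE REQUEST
        return 0
    fi
    # No markers, so the file is binary. DER and PKCS#12 both start with an ASN.1 SEQUENCE
    # tag (0x30), so the first byte cannot separate them; ask openssl to parse it as DER X.509.
    first=$(od -An -tx1 -N1 "$f" | tr -d ' \n')
    [ "$first" = "30" ] || { echo unknown; return 1; }
    if command -v openssl >/dev/null 2>&1 && openssl x509 -inform der -in "$f" -noout 2>/dev/null; then
        echo der-certificate
    else
        echo binary-asn1   # next step by hand: openssl pkcs12 -in "$f" -info -noout
    fi
}

# make_samples DIR: constructed sample files for exercising the function. The Base64
# bodies are the placeholder "AAAA", so none of these is a real certificate or key.
make_samples() {
    d=$1; mkdir -p "$d" || return 1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' AAAA '-----END CERTIFICATE-----' > "$d/leaf.crt"
    cat "$d/leaf.crt" "$d/leaf.crt" > "$d/fullchain.crt"
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' AAAA '-----END EC PRIVATE KEY-----' > "$d/ec.key"
    printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' AAAA '-----END ENCRYPTED PRIVATE KEY-----' > "$d/enc.key"
    cat "$d/leaf.crt" "$d/ec.key" > "$d/combined.pem"
    printf '\060\202\001\002' > "$d/binary.der"   # ASN.1 SEQUENCE header only, no valid body
}
```

Run make_samples on a scratch directory and call identify_cert_file on each file; a file classified pem-mixed is one to split before deployment, since a web server key file should never also carry the certificate.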

Convert certificate formats

You can convert certificate formats in two ways:

  • Use the conversion tool in Certificate Management Service: This service provides convenient certificate tools that support quick conversion between formats such as PEM, PFX, and JKS without requiring command-line operations.

  • Use the OpenSSL command-line tool: OpenSSL is the most versatile certificate processing tool. It is available on all operating systems and provides highly customizable conversion options.

Use the conversion tool in Certificate Management Service

Alibaba Cloud Certificate Management Service provides an SSL certificate format conversion tool. It supports conversion between PEM and PFX, PEM and JKS, and PEM and PKCS8 formats. For more information, see Certificate tools.

Use the OpenSSL command-line tool

  • Convert PEM to PFX (for IIS, Tomcat)

    This command combines a certificate file (.crt), a private key file (.key), and an optional certificate chain file into a single password-protected PFX file.

    # Run this command if you have only a server certificate and a private key.
    openssl pkcs12 -export -out server.pfx -inkey private.key -in server.crt
    
    # Run this command if you have a complete certificate chain.
    openssl pkcs12 -export -out server.pfx -inkey private.key -in server.crt -certfile chain.crt
  • Split PFX into PEM (for Nginx, Apache)

    This command extracts the certificate (including the certificate chain) and the private key from a PFX file to generate separate PEM files.

    # 1. Extract the password-protected private key.
    openssl pkcs12 -in server.pfx -nocerts -out server.encrypted.key
    
    # 2. Extract the server leaf certificate (without the CA chain).
    openssl pkcs12 -in server.pfx -clcerts -nokeys -out server.crt
    
    # 3. Extract the intermediate CA certificates (Note: The root CA certificate is usually not required).
    openssl pkcs12 -in server.pfx -cacerts -nokeys -out chain.crt
    
    # 4. (Optional) Remove the password protection from the private key for non-interactive startup of Nginx or Apache.
    openssl pkey -in server.encrypted.key -out private.key
    
    # 5. (Optional) Concatenate the files into a complete certificate chain file for Nginx or Apache
    # Order: server certificate first, then intermediate certificates (if there are multiple, append them in order)
    # Note: If chain.crt does not exist (no intermediate certificates in the PFX file), skip this step.
    cat server.crt chain.crt > fullchain.crt
    Note

    The final private.key file is a private key without password protection and can be used directly in the server configuration. Ensure that its file permissions are strictly controlled (for example, chmod 400 private.key to allow read-only access for the file owner).

    If a certificate chain exists and you have concatenated the files into a complete certificate chain file, use the following settings for deployment:

    • Nginx: Set ssl_certificate to the path of the fullchain.crt file and ssl_certificate_key to the path of the private.key file.

    • Apache: Set SSLCertificateFile to the path of the fullchain.crt file (for Apache 2.4.8 and later) and SSLCertificateKeyFile to the path of the private.key file. For Apache versions earlier than 2.4.8, you must configure the intermediate certificate chain separately in the SSLCertificateChainFile directive.

  • Convert between DER and PEM

    DER is the binary ASN.1 encoding of the certificate; PEM is the same DER bytes encoded in Base64 and wrapped in BEGIN/END markers. The two carry identical content and differ only in encoding, so conversion in either direction is lossless.

    # Convert DER to PEM
    openssl x509 -inform der -in certificate.cer -out certificate.pem
    
    # Convert PEM to DER
    openssl x509 -inform pem -in certificate.pem -outform der -out certificate.der
  • Convert JKS to PFX/P12 (recommended migration path)

    If you use a legacy JKS Keystore, convert it to the more universal PFX/P12 format using Java's keytool utility.

    keytool -importkeystore -srckeystore keystore.jks -srcstoretype JKS -destkeystore keystore.p12 -deststoretype PKCS12
    Note

    This command migrates all entries from keystore.jks to the new keystore.p12 file. If you want to migrate only specific entries, you can append the -srcalias "your_alias" and -destalias "your_alias" parameters. During the process, you will be prompted to enter the password for the destination keystore (PFX/P12) and the source keystore (JKS).
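Steps 1 to 5 of the PFX split above as one non-interactive shell function, followed by the check a practitioner wants before pointing Nginx or Apache at the output: that the extracted private key really belongs to the leaf certificate. This is an added example, not the page's or Alibaba Cloud's code; pfx_to_pem, key_matches_cert and cert_count are assumed helper names, and the openssl CLI must be on PATH.

```shell
#!/bin/sh
# pfx_to_pem PFX PASSWORD OUTDIR: steps 1-5 above, non-interactive.
# Hypothetical helper names; needs the openssl CLI on PATH.
pfx_to_pem() {
    pfx=$1; pass=$2; out=$3
    mkdir -p "$out" || return 1
    # 1. Private key, kept encrypted under the PFX passphrase until step 4.
    openssl pkcs12 -in "$pfx" -nocerts -passin "pass:$pass" -passout "pass:$pass" \
        -out "$out/server.encrypted.key" || return 1
    # 2. Leaf certificate only.
    openssl pkcs12 -in "$pfx" -clcerts -nokeys -passin "pass:$pass" -out "$out/server.crt" || return 1
    # 3. Intermediate CA certificates; the file holds no PEM block if the PFX carries none.
    openssl pkcs12 -in "$pfx" -cacerts -nokeys -passin "pass:$pass" -out "$out/chain.crt" || return 1
    # 4. Passphrase-free key for non-interactive start-up, owner-only from the moment it exists.
    (umask 077 && openssl pkey -in "$out/server.encrypted.key" -passin "pass:$pass" \
        -out "$out/private.key") || return 1
    chmod 400 "$out/private.key"
    # 5. fullchain.crt: leaf first, then intermediates in file order; the sed range keeps only
    #    the PEM blocks and drops the "Bag Attributes" lines that openssl pkcs12 writes.
    sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' \
        "$out/server.crt" "$out/chain.crt" > "$out/fullchain.crt"
}

# key_matches_cert KEY CERT: succeeds only if the key's public half equals the
# certificate's public key, the check that catches a wrong key before a failed restart.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_count FILE: number of PEM certificates in a bundle (1 = leaf only, 2+ = chain present).
cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}
```

If cert_count on fullchain.crt returns 1 while the CA supplied intermediates, the PFX did not carry them and chain.crt needs to be obtained from the CA separately.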