Download a private client certificate or a private server certificate - Certificate Management Service

After a private certificate is issued from a private intermediate certificate authority (CA), download it and deliver it to the target user for installation.

Prerequisites

Before you begin, ensure that you have:

A private certificate issued from a private intermediate CA. For more information, see Apply for a private certificate

Download a certificate

Log in to the Certificate Management Service console.
In the left navigation pane, choose Certificate Management > Private Certificate Management. Select the region where the PCA service is located.
On the Private CAs tab, find the private intermediate CA that issued the certificate, then click Certificates in the Actions column.
On the Certificates page, find the certificate you want to download, then click Download in the Actions column.
In the Download Certificate dialog box, select a Certificate Format and click Confirm and Download.
To include the complete certificate chain in the downloaded package, turn on Include Trust Chain.

Certificate formats

Each format produces a different set of files. Choose the format that matches your server or application.

Format	Private key in package	Typical use	Files in package
PEM	Yes	Apache, NGINX	`.pem` (public key), `.key` (private key)
PFX (PKCS#12)	Yes	IIS, Exchange (Windows)	`.pfx` (public key + private key), `.txt` (private key password)
JKS	Yes	Tomcat, Jetty (Java)	`.jks` (public key + private key), `.txt` (private key password)
PKCS#8	Yes	Apache	`.pem` (public key), `.key` (private key)
CRT	Yes (as separate `.key` file)	Identity verification for servers and clients	`.crt` (public key, named `xxx_public.crt`), `.crt` (certificate chain, named `xxx_chain.crt` — only if Include Trust Chain is selected), `.key` (private key)

Format details:

PEM is a Base64-encoded format.
PFX is a binary format, also known as PKCS#12. It bundles the public key and private key into a single file.
JKS is a keystore format for Java.
PKCS#8 is a standard file format for storing private keys.
CRT is a binary format. The certificate file contains the issuer information, validity period, and subject, but does not embed the private key directly — the private key is included as a separate .key file.