Common web server software

Common web server software uses OpenSSL and Java cryptographic libraries.

  • Web server software such as Tomcat, WebLogic, and JBoss generally uses the Java cryptographic libraries to generate JKS certificate files. In this case, the keytool utility that comes with the Java Development Kit (JDK) is used.
  • Web server software such as Apache and NGINX generally uses the OpenSSL cryptographic libraries to generate PEM, KEY, and CRT certificate files.
  • Web server software of IBM, such as WebSphere and IBM HTTP Server (IHS), generally uses iKeyman that comes with IBM services to generate KDB certificate files.
  • Internet Information Services (IIS) of Microsoft Windows Server uses the built-in certificate library of Windows to generate PFX certificate files.

Certificate file formats

The following table describes common formats of certificate files. You can distinguish certificate files based on the file extensions.

| File extension | File type | Description |
|---|---|---|
| *.DER or *.CER | Binary | The certificate file contains only the certificate information and does not contain the private key. |
| *.CRT | Binary or text | The certificate file contains only the certificate information and does not contain the private key. |
| *.PEM | Text | In most cases, the certificate file contains the certificate information or the private key. The certificate file can also contain both the certificate information and the private key. If a *.PEM file contains only the private key, the file can be replaced by a *.KEY file. |
| *.PFX or *.P12 | Binary | The certificate file contains both the certificate information and the private key, and is protected by a password in most cases. |

Note: Certificate formats can be converted. For more information, see How do I convert the format of a certificate?

You can open a certificate file in a text editor such as Notepad. If regular digits and letters are displayed, the certificate file is a text file. The following example shows a text certificate file:

-----BEGIN CERTIFICATE-----
MIIE5zCCA8+gAwIBAgIQN+whYc2BgzAogau0dc3PtzANBgkqh......
-----END CERTIFICATE-----

  • If -----BEGIN CERTIFICATE----- exists, the file is a certificate authority (CA) certificate file.
  • If -----BEGIN RSA PRIVATE KEY----- exists, the file is a private key file.
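
An extension such as *.PEM or *.CRT does not say whether a private key is inside, so the following added example (not part of the original documentation) classifies a file by its content and reports whether it holds private key material. It extends the text check above to the binary formats in the table; the function names and sample bytes are constructed for illustration, and the binary checks are heuristics on the leading bytes only.

```python
import re

# PEM boundary line (RFC 7468): five hyphens, BEGIN, a label, five hyphens.
PEM_BEGIN = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

# Constructed samples: placeholder PEM bodies and leading DER bytes only.
_BODY = b"\nQ09OU1RSVUNURUQ=\n"
SAMPLES = {
    "combined.pem": b"-----BEGIN CERTIFICATE-----" + _BODY
                    + b"-----END CERTIFICATE-----\n"
                    + b"-----BEGIN RSA PRIVATE KEY-----" + _BODY
                    + b"-----END RSA PRIVATE KEY-----\n",
    "server.key": b"-----BEGIN RSA PRIVATE KEY-----" + _BODY
                  + b"-----END RSA PRIVATE KEY-----\n",
    "server.der": b"\x30\x82\x01\x0a\x30\x82\x00\xf2\x02",
    "server.pfx": b"\x30\x82\x09\x51\x02\x01\x03\x30\x82",
}


def der_body_offset(data):
    """Offset of the first byte inside the outer DER element, or None."""
    if len(data) < 2:
        return None
    if data[1] < 0x80:                 # short-form length: one byte
        return 2
    n = data[1] & 0x7F                 # long-form length: n more bytes
    return 2 + n if 0 < n <= len(data) - 2 else None


def classify(data):
    """Return (kind, holds_private_key) for the raw bytes of a file."""
    labels = [m.decode() for m in PEM_BEGIN.findall(data)]
    if labels:
        has_key = any(label.endswith("PRIVATE KEY") for label in labels)
        has_cert = "CERTIFICATE" in labels
        parts = (["certificate"] if has_cert else []) + (["private key"] if has_key else [])
        return "PEM " + (" + ".join(parts) or "other"), has_key
    # Binary formats in the table all start with an ASN.1 SEQUENCE (0x30).
    body = der_body_offset(data) if data[:1] == b"\x30" else None
    if body is not None and data[body:body + 3] == b"\x02\x01\x03":
        return "PFX/P12", True         # INTEGER 3 is the PKCS#12 version field
    if body is not None and data[body:body + 1] == b"\x30":
        return "DER certificate", False  # nested SEQUENCE: tbsCertificate
    return "unknown", False


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```

A file reported as holding a private key should be stored with restricted permissions and never shared in place of the certificate alone.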

If you want to install a certificate on a server, you can download a certificate of the required type in the Certificate Management Service console based on the server type. For more information, see Download a certificate to your computer.