The mainstream web services are typically built on the following cryptographic libraries:

  • Java cryptographic libraries are generally used for Tomcat, WebLogic, and JBoss web services. By using Keytool, which is included in the Java Development Kit (JDK), you can generate certificates in the Java KeyStore (JKS) format.
  • OpenSSL cryptographic libraries are generally used for Apache and Nginx web services to generate certificates in the PEM, KEY, and CRT formats.
  • For IBM web services such as Websphere and IBM HTTP Server (IHS), the built-in iKeyman tool is generally used to generate certificates in the KDB format.
  • For Internet Information Services (IIS) in Microsoft Windows Server, the cryptographic libraries built into Windows are used to generate certificates in the PFX format.

How do I determine whether a certificate is in text or binary format?

You can determine the format of a certificate from its file extension as follows:

  • *.DER or *.CER: These two types are both in binary format. They contain only the certificate and not the private key.
  • *.CRT: This file can be in either text or binary format (commonly text). It serves the same purpose as *.DER and *.CER files.
  • *.PEM: This file is generally in text format and contains the certificate, the private key, or both. If a *.PEM file contains only the private key, the *.KEY extension is generally used instead.
  • *.PFX or *.P12: These two types are both in binary format and contain both the certificate and the private key. They are generally password-protected.

You can also open a certificate file in a text editor such as Notepad to determine its format. A text-format certificate looks like the following:

-----BEGIN CERTIFICATE-----
MIIE5zCCA8+gAwIBAgIQN+whYc2BgzAogau0dc3PtzANBgkqh......
-----END CERTIFICATE-----

  • If you see -----BEGIN CERTIFICATE-----, the file contains a certificate.
  • If you see -----BEGIN RSA PRIVATE KEY-----, the file contains a private key. A private key stored in PKCS#8 format is marked -----BEGIN PRIVATE KEY----- or -----BEGIN ENCRYPTED PRIVATE KEY----- instead.
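
As an added example (not code from the original page), the following Python script applies the checks above: it looks for the BEGIN/END markers to recognise a text-format file and report which block types it holds, and for binary files it reads the outer ASN.1 structure to tell a DER certificate from a PKCS#12 (PFX/P12) file. It goes slightly beyond the text by also recognising a DER-encoded private key from its leading version integer; the samples at the bottom are constructed minimal ASN.1 shapes, not real certificates or keys.

```python
import base64
import re

# One PEM block; group 1 is the label the text says to look for (CERTIFICATE, RSA PRIVATE KEY, ...).
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----(.*?)-----END \1-----", re.S)

def classify_der(data: bytes) -> str:
    """Tell the binary formats apart by the first element inside the outer ASN.1 SEQUENCE."""
    if len(data) < 4 or data[0] != 0x30:          # every format here starts with a SEQUENCE tag
        return "unknown"
    pos = 2 + ((data[1] & 0x7F) if data[1] & 0x80 else 0)  # skip long-form length (0x8N + N bytes)
    tag, first = (data[pos], data[pos + 2]) if pos + 2 < len(data) else (None, None)
    if tag == 0x30:                 # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE, ... }
        return "DER certificate"
    if tag == 0x02 and first == 3:  # PFX ::= SEQUENCE { version INTEGER (3), authSafe, ... }
        return "PKCS#12"
    if tag == 0x02 and first == 0:  # PKCS#1 RSAPrivateKey / PKCS#8 PrivateKeyInfo: version INTEGER 0
        return "DER private key"
    return "unknown"

def classify(data: bytes) -> dict:
    """Apply the text's rule: BEGIN/END markers mean text format; otherwise inspect the DER bytes."""
    blocks = []
    for m in PEM_BLOCK.finditer(data):
        # Drop header lines such as "Proc-Type: 4,ENCRYPTED" / "DEK-Info: ..." before decoding.
        lines = [line.strip() for line in m.group(2).splitlines()]
        body = b"".join(line for line in lines if line and b":" not in line)
        try:
            ok = base64.b64decode(body, validate=True)[:1] == b"\x30"  # body must be a DER SEQUENCE
        except ValueError:
            ok = False
        blocks.append((m.group(1).decode(), ok))
    if not blocks:
        return {"format": classify_der(data)}
    labels = [label for label, _ in blocks]
    return {"format": "PEM", "blocks": labels,
            "has_certificate": "CERTIFICATE" in labels,
            "has_private_key": any(label.endswith("PRIVATE KEY") for label in labels),
            "key_encrypted": "ENCRYPTED PRIVATE KEY" in labels or b"Proc-Type: 4,ENCRYPTED" in data,
            "well_formed": all(ok for _, ok in blocks)}

def to_pem(label: str, der: bytes) -> bytes:  # wraps DER in the text markers; used for the samples below
    return b"-----BEGIN %s-----\n%s-----END %s-----\n" % (label.encode(), base64.encodebytes(der), label.encode())

# Constructed samples (not real certificates or keys): minimal ASN.1 with the right outer shape.
CERT_DER = bytes.fromhex("30053003020101")  # SEQUENCE { SEQUENCE { INTEGER 1 } }
PFX_DER = bytes.fromhex("30050201030400")   # SEQUENCE { INTEGER 3, OCTET STRING "" }
SAMPLE_PEM = to_pem("CERTIFICATE", CERT_DER) + to_pem("RSA PRIVATE KEY", bytes.fromhex("3003020100"))
```

Run classify() on the bytes of any file you have been sent; a PEM result with has_private_key set and key_encrypted unset tells you the file holds an unprotected private key and should be handled accordingly.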

Certificate format conversion

The following flowchart demonstrates which certificate formats are interchangeable.

You can convert certificates between different formats using the following methods:
Note
Alibaba Cloud Certificates Service uses the PEM format for all digital certificates.
  • Convert from JKS to PFX
    You can use Keytool, which is included in the JDK, to convert a certificate from JKS to PFX. For example, you can convert server.jks to server.pfx by running the following command:
    keytool -importkeystore -srckeystore D:\server.jks -destkeystore D:\server.pfx
            -srcstoretype JKS -deststoretype PKCS12
  • Convert from PFX to JKS
    You can use the built-in JDK tool Keytool to convert a certificate from PFX to JKS. For example, you can convert server.pfx to server.jks by running the following command:
    keytool -importkeystore -srckeystore D:\server.pfx -destkeystore D:\server.jks
            -srcstoretype PKCS12 -deststoretype JKS
  • Convert from PEM/KEY/CRT to PFX
    You can use the OpenSSL tool to convert a .key private key file and a .crt certificate file to a PFX certificate file. For example, you can copy the .key file (server.key) and the .crt file (server.crt) to the OpenSSL installation directory, and convert the files to server.pfx by running the following command in the OpenSSL tool. OpenSSL prompts for an export password, which protects the resulting PFX file:
    openssl pkcs12 -export -out server.pfx -inkey server.key -in server.crt
  • Convert from PFX to PEM/KEY/CRT

    You can use the OpenSSL tool to convert a PFX certificate to a PEM certificate file, a .key private key file, and a .crt certificate file. For example, you can copy the PFX certificate file to the OpenSSL installation directory, and convert the file to a server.pem certificate file, a .key private key file (server.key), and a .crt certificate file (server.crt) by running the following commands in the OpenSSL tool:

    openssl pkcs12 -in server.pfx -nodes -out server.pem
    openssl rsa -in server.pem -out server.key
    openssl x509 -in server.pem -out server.crt
    The -nodes option writes the private key into server.pem unencrypted, so restrict access to server.pem and server.key as soon as they are created.
    Note
    This conversion method applies specifically to the situation where the private key and CSR files were generated by Keytool. It also allows you to extract the private key when you have received the PEM public key certificate. In actual environments, we recommend that you deploy your digital certificate by combining the private key that you have extracted with the public key certificate that you have received.