Differences in certificate formats
Choosing based on web service software
Tomcat, WebLogic, JBoss, and similar services use the cryptographic library provided by Java. Java's keytool utility is used to generate certificate files in the Java Keystore (JKS) format.
Apache, Nginx, and similar servers use the OpenSSL cryptographic library, which generates certificate files in formats such as PEM, KEY, and CRT.
In addition, IBM products such as WebSphere and IBM HTTP Server (IHS) use the iKeyman tool included with them to generate certificate files in KDB format.
Internet Information Services (IIS) in Microsoft Windows Server uses the built-in Windows certificate library to generate PFX format certificate files.
Choosing based on the certificate extension
DER, CER: These certificate files are in binary format and contain only the certificate information; they do not include the private key. Normally they are used to store the public key only.
CRT: This can be in binary format or text format. It is suitable for use with Apache, Nginx, etc.
PEM: This is generally a text format that can contain the certificate, the private key, or both. If a *.PEM file contains only a private key, it is generally given a *.KEY extension instead. This format is suitable for Apache, Nginx, etc.
PFX, P12: These are binary formats that contain both the certificate and the private key, and they are usually password protected. They are suitable for Microsoft's IIS.
JKS: Suitable for use with Tomcat, WebLogic, JBoss, etc.
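Because an extension such as CRT can hide either a binary or a text file, the content is a more reliable guide than the name. The following is an added example, not part of the original page: it classifies raw file bytes as PEM, DER, PKCS#12 (PFX/P12) or JKS and reports whether a private key appears to be present. The function names and sample bytes are constructed for illustration, the DER checks are shape heuristics rather than a full ASN.1 parse, and KDB files are not recognized.

```python
import re

PEM_LABEL = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")
JKS_MAGIC = b"\xfe\xed\xfe\xed"  # first four bytes of a Java Keystore


def _inner(data):
    """Return the first 3 bytes inside an outer ASN.1 SEQUENCE, or b''."""
    if len(data) < 2 or data[0] != 0x30:
        return b""
    n = data[1]
    # Short (<0x80) and indefinite (0x80) lengths take one byte;
    # long form takes 1 + (n & 0x7F) bytes.
    start = 2 if n <= 0x80 else 2 + (n & 0x7F)
    return data[start:start + 3]


def classify(data):
    """Return (container, holds_private_key) for raw file bytes.

    holds_private_key is None when it cannot be told without a full parse.
    """
    labels = [m.decode() for m in PEM_LABEL.findall(data)]
    if labels:
        return "PEM", any(lab.endswith("PRIVATE KEY") for lab in labels)
    if data.startswith(JKS_MAGIC):
        return "JKS", None  # key entries vs. trusted certs needs entry parsing
    inner = _inner(data)
    if inner == b"\x02\x01\x03":
        # PFX version INTEGER 3; treated as key-bearing, as the page describes
        return "PKCS12", True
    if inner[:2] == b"\x02\x01":
        return "DER", True   # version INTEGER first: shape of an unencrypted key
    if inner[:1] == b"\x30":
        return "DER", False  # nested SEQUENCE first: shape of an X.509 certificate
    return "unknown", None


# Constructed sample inputs (truncated headers, not real certificates or keys).
SAMPLES = {
    "site.crt": b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n",
    "bundle.pem": b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n"
                  b"-----BEGIN PRIVATE KEY-----\nAAAA\n-----END PRIVATE KEY-----\n",
    "site.cer": b"\x30\x82\x03\x10\x30\x82\x01\xf8\xa0\x03",
    "site.pfx": b"\x30\x82\x09\x8a\x02\x01\x03\x30\x82\x09",
    "store.jks": b"\xfe\xed\xfe\xed\x00\x00\x00\x02",
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, classify(blob))
```

A result of ("PEM", True) or ("DER", True) on a file meant for distribution means a private key is stored alongside or instead of the certificate, which is worth checking before the file is shared or committed.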