Skip to main content
Apply for Free SSL Certificates

When deploying SSL certificates, different servers require different formats of certificate files. Common certificate file formats include the following:

  • PEM
    • Suitable for Apache, Nginx, Candy Server and other web servers
    • Common file extensions are .pem, .crt, .cer, .key
    • Can store certificates or private keys, or both
    • .key extension is generally only used for certificate private key files
  • PFX
    • Suitable for IIS and other web servers
    • Common file extensions are .pfx, .p12
    • Contains both certificate and private key, and generally has password protection
  • JKS
    • Suitable for Tomcat, Weblogic, JBoss, Jetty and other web servers
    • Common file extension is .jks

SSL certificates issued by Let's Encrypt generally include the following files:

  • cert.key (PEM format): Private key file
  • cert.cer (PEM format): Certificate file
  • fullchain.cer (PEM format): Contains certificate and intermediate certificate

Below we introduce how to use cert.key, cert.cer, fullchain.cer to generate cert.pfx, cert.jks, and how to convert between them

  • PEM ===> PFX

    • Tool: openssl
    • Command: Use cert.key and fullchain.cer files to generate cert.pfx
      openssl pkcs12 -export -out cert.pfx -inkey cert.key -in fullchain.cer

  • PFX ===> JKS

    • Tool: keytool
    • Command: Use cert.pfx to generate cert.jks
      keytool -importkeystore -srckeystore cert.pfx -destkeystore cert.jks -srcstoretype PKCS12 -deststoretype JKS

  • PEM ===> JKS

    • Need to use the two methods above, first convert PEM file to PFX file, then convert PFX file to JKS file

  • PFX ===> PEM

    • Tool: openssl
    • Command 1: Use cert.pfx file to generate temporary file temp.cer, temp.cer contains certificate and private key
      openssl pkcs12 -in cert.pfx -nodes -out temp.cer
    • Command 2: Use temporary file temp.cer to generate private key file cert.key
      openssl rsa -in temp.cer -out cert.key
    • Command 3: Use temporary file temp.cer to generate certificate file cert.cer
      openssl x509 -in temp.cer -out cert.cer
    • Command 4: Use cert.pfx to generate intermediate certificate file chain.cer, merge cert.cer, blank line, chain.cer to get fullchain.cer
      openssl pkcs12 -in cert.pfx -cacerts -nokeys -chain | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > chain.cer
      echo '\n' > emptyline.cer
      cat cert.cer emptyline.cer chain.cer> fullchain.cer

  • JKS ===> PFX

    • Tool: keytool
    • Command: Use cert.jks to generate cert.pfx
      keytool -importkeystore -srckeystore cert.jks -destkeystore cert.pfx -srcstoretype JKS -deststoretype PKCS12

In addition to the above methods, you can also use online tools for certificate format conversion. Click Certificate Format Conversion Tool for online format conversion.

1
CertOne
Automated SSL for every domain
Get Free SSL Certificate
TRUSTED AUTOMATED CERT MANAGEMENT
Issue, renew, and deploy SSL in one click.
Zero-touch certificate lifecycle across all your clouds, CDNs, and clusters.
LetsEncrypt · Sectigo
Auto deploy to Nginx · CDN · Kubernetes · Docker · Synology