Certificate file types

Certificates and keys are stored in several types of files.

Files that store certificates and keys can have the following formats:
.pem
A privacy-enhanced mail (PEM) file has a file extension of .pem. It begins and ends with the following lines:
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

The privacy-enhanced mail format supports multiple digital certificates, including a certificate chain. If your organization uses certificate chaining, use this format to create CA certificates.

.arm
A file with an extension of .arm contains a base-64 encoded ASCII representation of a certificate. The file includes the certificate's public key but not its private key. The IBM® Key Management utility generates and uses the .arm format. Specify this format to extract a self-signed certificate from the computer on which it was generated to the computer that uses it as the CA certificate.
.der
A file with an extension of .der contains binary data. This format can be used only for a single certificate, unlike a file with a privacy-enhanced mail format, which can contain multiple certificates. Specify this format to extract a self-signed certificate from the computer on which it was generated to the computer that uses it as the CA certificate.
.pfx (PKCS12)
A PKCS12 file has an extension of .pfx. It contains a certificate (CA-issued certificate or self-signed certificate) and a corresponding private key. Use this format to transfer the contents of a keystore to a separate computer. For example, you can create and install a certificate and private key with the key management utility. You can then export them to a PKCS12 file and import the file into another keystore. This format is also useful for converting from one type of SSL implementation to a different implementation. For example, you can create and export a PKCS12 file with the IBM Key Management utility and then import the file on another computer with the OpenSSL CertTool utility.
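
A file extension is only a naming convention, so the formats above can also be told apart by content. The following Python sketch is an added example, not IBM code: it counts the certificates in a PEM file, flags private-key blocks, and separates a DER certificate from a PKCS12 container with a heuristic on the first ASN.1 bytes. The function names and sample bytes are constructed for illustration.

```python
import base64
import re

# A PEM block: matching BEGIN/END lines around base64 text.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

def der_kind(data):
    """Heuristic on the outer ASN.1 SEQUENCE: certificate or PKCS12."""
    if len(data) < 4 or data[0] != 0x30:
        return None
    n = data[1]                                  # length: short or long form
    body = 2 if n < 0x80 else 2 + (n & 0x7F)
    if data[body:body + 1] == b"\x30":           # tbsCertificate SEQUENCE
        return "der"
    if data[body:body + 3] == b"\x02\x01\x03":   # PFX version INTEGER 3
        return "pkcs12"
    return None

def classify(data):
    """Return (format, certificate_count, holds_private_key) for file bytes."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:
        labels = [label.decode() for label, _ in blocks]
        certs = labels.count("CERTIFICATE")
        return ("pem", certs, any(l.endswith("PRIVATE KEY") for l in labels))
    kind = der_kind(data)
    if kind == "der":
        return ("der", 1, False)                 # single certificate only
    if kind == "pkcs12":
        # Contents are not inspected here; a .pfx is treated as key material.
        return ("pkcs12", None, True)
    return ("unknown", 0, False)

def pem(label, der):
    """Wrap DER bytes in BEGIN/END lines (used to build the samples)."""
    return (b"-----BEGIN " + label + b"-----\n" + base64.encodebytes(der)
            + b"-----END " + label + b"-----\n")

# Constructed samples: minimal ASN.1 shells, not real certificates or keys.
FAKE_CERT = b"\x30\x06\x30\x00\x30\x00\x03\x00"
FAKE_PFX = b"\x30\x05\x02\x01\x03\x30\x00"
CHAIN_PEM = pem(b"CERTIFICATE", FAKE_CERT) * 2
KEYED_PEM = pem(b"CERTIFICATE", FAKE_CERT) + pem(b"PRIVATE KEY", b"\x30\x00")

if __name__ == "__main__":
    for blob in (CHAIN_PEM, KEYED_PEM, FAKE_CERT, FAKE_PFX):
        print(classify(blob))
```

A result with holds_private_key set to True marks a file that needs the same access controls as the keystore it came from, whatever its extension says.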