Certificate file types
Certificates and keys are stored in several types of files.
Files that store certificates and keys can have the following formats:
.pem
- A privacy-enhanced mail file with a file extension of .pem. It begins and ends with the following lines:
  -----BEGIN CERTIFICATE-----
  -----END CERTIFICATE-----
  A privacy-enhanced mail format supports multiple digital certificates, including a certificate chain. If your organization uses certificate chaining, use this format to create CA certificates.
.arm
- A file with an extension of .arm contains a base-64 encoded ASCII representation of a certificate. It includes its public key but not its private key. The IBM® Key Management utility generates and uses an .arm format. Specify this format to extract a self-signed certificate from the computer on which it was generated to the computer that uses it as the CA certificate.
.der
- A file with an extension of .der contains binary data. This format can be used only for a single certificate, unlike a file with a privacy-enhanced mail format, which can contain multiple certificates. Specify this format to extract a self-signed certificate from the computer on which it was generated to the computer that uses it as the CA certificate.
.pfx (PKCS12)
- A PKCS12 file has an extension of .pfx. It contains a certificate (CA-issued certificate or self-signed certificate) and a corresponding private key. Use this format to transfer the contents of a keystore to a separate computer. For example, you can create and install a certificate and private key with the key management utility. You can then export them to a PKCS12 file and import the file into another keystore. This format is also useful for converting from one type of SSL implementation to a different implementation. For example, you can create and export a PKCS12 file with the IBM Key Management utility and then import the file on another computer with the OpenSSL CertTool utility.
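
File extensions are only a naming convention, so it is worth confirming from the content which of these formats a file really is, and in particular whether it can carry a private key. The following Python sketch is an added example, not part of the product or its documentation. It assumes an .arm file uses the same BEGIN/END CERTIFICATE lines as a .pem file, and the names `der_kind`, `classify`, `to_pem` and the two `FAKE_*` byte strings are hypothetical, constructed only to exercise the logic.

```python
import base64
import re

# Matches each -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- block.
PEM_BLOCK = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def der_kind(der: bytes) -> str:
    """Classify DER bytes by the first element inside the outer SEQUENCE."""
    if len(der) < 2 or der[0] != 0x30:          # 0x30 = ASN.1 SEQUENCE
        return "unknown"
    # Skip the length field: short form is 1 byte, long form is 1 + n bytes.
    hdr = 2 if der[1] < 0x80 else 2 + (der[1] & 0x7F)
    inner = der[hdr:hdr + 3]
    if inner[:1] == b"\x30":                    # tbsCertificate SEQUENCE
        return "certificate"
    if inner == b"\x02\x01\x03":                # INTEGER 3 = PKCS12 PFX version
        return "pkcs12"
    return "unknown"


def classify(data: bytes) -> dict:
    """Report the container format, certificate count and private-key risk."""
    blocks = PEM_BLOCK.findall(data)
    if blocks:                                  # .pem / .arm: may hold a chain
        kinds = [der_kind(base64.b64decode(b)) for b in blocks]
        return {"format": "pem", "certificates": kinds.count("certificate"),
                "may_hold_private_key": b"PRIVATE KEY-----" in data}
    kind = der_kind(data)
    if kind == "certificate":                   # .der: exactly one certificate
        return {"format": "der", "certificates": 1, "may_hold_private_key": False}
    if kind == "pkcs12":                        # .pfx: certificate plus key
        return {"format": "pkcs12", "certificates": None, "may_hold_private_key": True}
    return {"format": "unknown", "certificates": 0, "may_hold_private_key": False}


def to_pem(der: bytes) -> bytes:
    """Wrap DER bytes in the BEGIN/END CERTIFICATE lines, 64 chars per line."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return b"\n".join([b"-----BEGIN CERTIFICATE-----", *lines,
                       b"-----END CERTIFICATE-----", b""])


# Constructed stand-ins: correct outer ASN.1 shape only, NOT valid certificates.
FAKE_CERT_DER = bytes.fromhex("3005" "3003" "020101")
FAKE_PFX_DER = bytes.fromhex("3005" "020103" "3000")
```

The check reads only the outer ASN.1 structure; it does not validate the certificate or decrypt the PKCS12 contents, so treat any file reported as `pkcs12` as key material and protect it accordingly.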