# Differences in certificate formats

## Choosing based on web service software

**Tomcat**, **WebLogic**, **JBoss**, and similar services use the cryptographic library provided by Java. The Java Keytool tool is used to generate certificate files in the Java Keystore (JKS) format.

**Apache**, **Nginx**, and others use the OpenSSL cryptographic library, which generates certificate file formats such as PEM, KEY, and CRT.

In addition, IBM products such as **WebSphere** and **IBM HTTP Server (IHS)** use the iKeyman tool included with IBM products to generate KDB format certificate files.

**Internet Information Services (IIS)** in Microsoft Windows Server uses the built-in Windows certificate library to generate PFX format certificate files.

## Choosing based on the certificate extension

**DER, CER**: These certificate files are in binary format and contain only the certificate information; they don't include the private key. Normally they are used to store the public key only.

**CRT**: This can be in binary format or text format. It's suitable for use with Apache, Nginx, etc.

**PEM**: This is generally a text format that can contain the certificate, the private key, or both. If a \*.PEM file contains only a private key, it is generally given a \*.KEY extension instead. This format is suitable for Apache, Nginx, etc.

**PFX, P12**: These are binary formats that contain both the certificate and the private key, and they are usually password protected. They are suitable for Microsoft's IIS.

**JKS**: Suitable for use with Tomcat, WebLogic, JBoss, etc.
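
Because a CRT file can be binary or text and a PEM file can hold a certificate, a private key, or both, the extension alone does not say whether a file carries key material. The following is an added example, not part of the original page: a heuristic classifier that inspects the file contents instead. The file names and byte strings in `SAMPLES` are constructed for illustration, and the binary checks look only at the first few ASN.1 bytes.

```python
import re

PEM_LABEL = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----")

def first_inner_tlv(data):
    """Return the 3 bytes that follow the outer ASN.1 SEQUENCE header."""
    if len(data) < 2 or data[0] != 0x30:
        return b""
    # Short form: one length byte. Long form: low 7 bits count extra length bytes.
    offset = 2 + ((data[1] & 0x7F) if data[1] & 0x80 else 0)
    return data[offset:offset + 3]

def identify(data):
    """Classify certificate-file contents by structure, ignoring the extension."""
    labels = [m.decode() for m in PEM_LABEL.findall(data)]
    if labels:
        has_cert = "CERTIFICATE" in labels
        has_key = any(label.endswith("PRIVATE KEY") for label in labels)
        if has_cert and has_key:
            return "PEM: certificate + private key"
        if has_key:
            return "PEM: private key only"
        return "PEM: certificate only" if has_cert else "PEM: other"
    if data[:4] == b"\xfe\xed\xfe\xed":          # JKS magic number
        return "JKS keystore"
    inner = first_inner_tlv(data)
    if inner == b"\x02\x01\x03":                 # INTEGER 3 = PFX version
        return "PKCS#12 (PFX/P12): certificate + private key"
    if inner[:2] == b"\x02\x01":                 # INTEGER 0/1 = key structure version
        return "DER: unencrypted private key"
    if inner[:1] == b"\x30":                     # nested SEQUENCE, as in X.509
        return "DER: X.509-style structure"
    return "unknown"

def pem(label, body="Q09OU1RSVUNURUQ="):
    """Build a constructed PEM block; the body is placeholder base64."""
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n".encode()

SAMPLES = {  # constructed inputs, truncated to the bytes the checks read
    "site.crt": pem("CERTIFICATE"),
    "bundle.pem": pem("CERTIFICATE") + pem("PRIVATE KEY"),
    "site.key": pem("RSA PRIVATE KEY"),
    "binary.crt": bytes.fromhex("3082030a308201f2a003020102"),
    "site.pfx": bytes.fromhex("30820a0002010330820a"),
    "store.jks": bytes.fromhex("feedfeed00000002"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:12} -> {identify(blob)}")
```

Any result that reports a private key marks a file that needs restricted permissions and should not be distributed the way a certificate-only file can be.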