
Keystore and Certificate formats

Below is a reference of formats for storing cryptographic keys and certificates that you might find in the wild, including keystore formats, with the commands for the typical operations on each of them.

PEM format

PEM files are plain text: the DER encoding of a key or certificate, base64-encoded and wrapped between "-----BEGIN <LABEL>-----" and "-----END <LABEL>-----" lines. That makes them easy to inspect and copy around, and one file can hold several blocks, for example a certificate chain, or a certificate together with its private key. A private key in PEM may be stored in the clear (label PRIVATE KEY for PKCS#8, or RSA PRIVATE KEY for the older OpenSSL layout) or encrypted under a passphrase (label ENCRYPTED PRIVATE KEY), so check the label before assuming a key file is protected.

pem
-----BEGIN PRIVATE KEY-----
MIIEuwIBADANBgkqhkiG9w0BAQEFAASCBKUwggShAgEAAoIBAQCOkJ1TTb5J4OUh
....
....
on+gu+yw4RnqNe3WFKFkdUKAKaCcXONfJOMhiPwKzOSijSbmEGMnxH+ML85IxALY
-----END PRIVATE KEY-----

A certificate looks the same, except that the markers read CERTIFICATE instead of PRIVATE KEY.

The certificate chain presented by an HTTPS server can be extracted with openssl: the echo closes stdin so s_client exits after the handshake, -showcerts prints every certificate the server sent (not just the leaf), and sed keeps only the PEM blocks:

sh
# -servername sends SNI, which shared hosts need in order to return the right certificate
echo | openssl s_client -showcerts -servername ferklog.gitlab.com -connect ferklog.gitlab.com:443 | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ferklog.crt.pem

DER (Distinguished Encoding Rules) format

DER is a binary format commonly used for certificates. It is one of the ASN.1 (Abstract Syntax Notation One) encoding rules: a restricted form of BER (Basic Encoding Rules) in which every value has exactly one valid encoding, which is why signatures and fingerprints are computed over DER bytes. DER-encoded certificates are compact and are what actually travels on the wire in TLS; PEM is the same DER wrapped in base64.

  • Converting from PEM to DER
sh
# For certificates
openssl x509 -outform DER -in certificate.pem -out certificate.der
# For private keys: openssl rsa only reads RSA keys and writes the old "RSA PRIVATE KEY" layout
openssl rsa -outform DER -in privatekey.pem -out privatekey.der
# openssl pkey handles any key type (RSA, EC, Ed25519) and writes PKCS#8; either way the
# DER output holds the key in the clear unless you add a cipher option, so protect the file
openssl pkey -outform DER -in privatekey.pem -out privatekey.der
  • Converting from DER to PEM
sh
# For certificates
openssl x509 -inform DER -in certificate.der -out certificate.pem
# For private keys (same choice between rsa and pkey as above)
openssl rsa -inform DER -in privatekey.der -out privatekey.pem
openssl pkey -inform DER -in privatekey.der -out privatekey.pem
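To make the relation between the PEM and DER sections above concrete, here is an added example (not code from the original page) that does both conversions and walks the DER tag-length-value structure with nothing but the Python standard library. The input is constructed: a PKCS#8 PrivateKeyInfo carrying the real rsaEncryption OID (1.2.840.113549.1.1.1) but 200 zero bytes in place of a key. The decoder rejects the BER-only encodings (indefinite or non-minimal lengths) that DER forbids, which is the property that makes DER canonical, and classify tells a private key from a certificate by the shape of the outer SEQUENCE alone.

```python
import base64
import re

# PEM: one or more base64 blocks between BEGIN/END markers (plain bodies only, no RFC 1421 headers).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def pem_to_der(text):
    """Return [(label, der_bytes), ...] for every block in text; a chain yields several."""
    return [(label, base64.b64decode(re.sub(r"\s+", "", body))) for label, body in PEM_BLOCK.findall(text)]

def der_to_pem(label, der):
    """Wrap DER as a PEM block with 64-character base64 lines, as openssl writes them."""
    b64 = base64.b64encode(der).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)

# DER encoding: every value is Tag, Length, Value, and each value has exactly one valid encoding.
def der_len(n):
    """One byte below 128; otherwise 0x80|count followed by the minimal big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def der_oid(dotted):
    """OID: the first two arcs merge as 40*a+b; each arc is base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))

TAG_NAMES = {0x02: "INTEGER", 0x03: "BIT STRING", 0x04: "OCTET STRING", 0x05: "NULL",
             0x06: "OBJECT IDENTIFIER", 0x0C: "UTF8String", 0x17: "UTCTime", 0x30: "SEQUENCE"}

def der_decode(data, pos=0):
    """Read one TLV at data[pos] (single-byte tags, all X.509/PKCS#8 need); rejects BER-only forms."""
    tag, first = data[pos], data[pos + 1]
    if first < 0x80:
        length, header = first, 2
    else:
        n = first & 0x7F
        length, header = int.from_bytes(data[pos + 2:pos + 2 + n], "big"), 2 + n
        if n == 0 or length < 0x80 or data[pos + 2] == 0:
            raise ValueError("indefinite or non-minimal length is BER, not DER")
    end = pos + header + length
    if end > len(data):
        raise ValueError("length runs past the end of the buffer")
    return tag, data[pos + header:end], end

def oid_to_str(body):
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not (b & 0x80):
            arcs.append(value)
            value = 0
    head = [2, arcs[0] - 80] if arcs[0] >= 80 else [arcs[0] // 40, arcs[0] % 40]
    return ".".join(str(a) for a in head + arcs[1:])

def der_tree(data):
    """Parse data into a nested list of (type name, value); constructed tags (bit 0x20) recurse."""
    items, pos = [], 0
    while pos < len(data):
        tag, content, pos = der_decode(data, pos)
        name = TAG_NAMES.get(tag, "[tag 0x%02x]" % tag)
        if tag & 0x20:
            items.append((name, der_tree(content)))
        elif tag == 0x02:
            items.append((name, int.from_bytes(content, "big", signed=True)))
        elif tag == 0x06:
            items.append((name, oid_to_str(content)))
        else:
            items.append((name, None if tag == 0x05 else content))
    return items

def classify(der):
    """PrivateKeyInfo starts INTEGER, SEQUENCE, OCTET STRING; a Certificate starts SEQUENCE, SEQUENCE, BIT STRING."""
    tree = der_tree(der)
    fields = tree[0][1] if len(tree) == 1 and tree[0][0] == "SEQUENCE" else []
    kinds = [name for name, _ in fields][:3]
    if kinds == ["INTEGER", "SEQUENCE", "OCTET STRING"]:
        return "PKCS#8 PrivateKeyInfo, algorithm " + fields[1][1][0][1]
    if kinds == ["SEQUENCE", "SEQUENCE", "BIT STRING"]:
        return "X.509 Certificate"
    return "unknown"

# Constructed sample: PrivateKeyInfo with the real rsaEncryption OID but 200 zero bytes as "key".
SAMPLE_DER = tlv(0x30, tlv(0x02, b"\x00") + tlv(0x30, der_oid("1.2.840.113549.1.1.1") + tlv(0x05, b""))
                 + tlv(0x04, bytes(200)))
SAMPLE_PEM = der_to_pem("PRIVATE KEY", SAMPLE_DER)
```

Feeding a real certificate.der, or the blocks pem_to_der pulls out of the file the s_client command writes, to der_tree gives the same structure openssl asn1parse shows, which is a quick way to confirm what a file actually contains (and whether its key is unencrypted) before handing it to a converter.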

Keystore formats

A keystore is a single file holding several keys and certificates together with metadata, such as an alias per entry. It usually adds a password for the whole store on top of any per-key password, but what that store password protects depends on the format: in PKCS#12 it encrypts the entries and keys a MAC over them, while in JKS it only feeds an integrity digest, so the certificates inside are readable without it. Do not assume that a keystore password makes the contents confidential.

PKCS#12 (.p12) keystore format

PKCS#12 is the standard, portable container: certificates and private keys are stored encrypted under a password and the file carries a MAC keyed by that same password. It is the format to prefer whenever a keystore has to move between OpenSSL, Java, Windows and other tooling.

  • To Transform a PEM file into a PKCS12 file:
sh
# -name sets the alias other tools (e.g. keytool) show for the entry;
# you are prompted for an export password unless you pass -passout
openssl pkcs12 -export -out keystore.p12 -inkey myprivkey.pem -in mycert.pem -name "FriendlyNameOfMyCertificate"
  • To Transform a PKCS12 file into a PEM file:
sh
# Writes the certificates and the private key to one PEM file; the key is re-encrypted under
# a new passphrase unless you add -nodes (-noenc in OpenSSL 3). Use -nokeys for certificates only.
openssl pkcs12 -in keystore.p12 -out mypemfile.pem
  • Analyze the contents of a PKCS12 file:
sh
# -passin pass:... leaves the password in shell history and the process list;
# prefer -passin env:VARIABLE or -passin file:path when scripting
openssl pkcs12 -nokeys -info -in keystore.p12 -passin pass:PfxKeystorePassword

PFX (.pfx) keystore format

PFX is the same container as PKCS#12: the .pfx extension is simply the name Microsoft tooling uses for a PKCS#12 file, and every openssl pkcs12 command above works unchanged on a .pfx input. The differences you will actually meet are in the algorithms inside the container, not in the file format: older Windows exports protect the entries with RC2-40 and 3DES, which OpenSSL 3 only reads when you add -legacy (with the legacy provider available), whereas a current openssl pkcs12 -export uses AES-256-CBC with PBKDF2.

The two names exist for historical reasons: PFX (Personal Information Exchange) was Microsoft's original format, and RSA Laboratories standardized its successor as PKCS #12 (today RFC 7292), from which the .p12 extension comes.

JKS, Java Keystore

Java popularized its own container format, JKS, tied to the java.security.KeyStore API (KeyStore.getInstance("JKS")), so Java systems often ship keys and certificates in .jks files. The format is Java-specific: private keys are encrypted with a proprietary SHA-1 based scheme and the store password only feeds a SHA-1 integrity digest appended to the file, so the certificates inside can be read without it and the password itself can be guessed offline.

JDKs ship a tool for working with keystores, the keytool utility. Since Java 9 the default keystore type is PKCS12, and recent keytool versions warn when they touch a JKS file: "The JKS keystore uses a proprietary format. It is recommended to migrate to PKCS12 which is an industry standard format". Because of that default, pass -storetype jks or -deststoretype jks explicitly whenever you actually want a JKS file written.

  • Convert all contents of a keystore from PKCS12/PFX to JKS
sh
# keytool -import only imports certificates; -importkeystore copies every entry, private keys included.
# -deststoretype jks is required: with the Java 9+ default you would get a PKCS12 file named .jks
keytool -importkeystore -srckeystore keystore.p12 -srcstoretype pkcs12 -srcstorepass passwordOfTheP12Keystore -destkeystore theJKSKeystore.jks -deststoretype jks -deststorepass passwordOfTheJKSKeystore
  • Convert all contents of a keystore from JKS to PKCS12
sh
# Java's PKCS12 keystores use one password for the store and its keys, so set -deststorepass;
# keytool warns that different store and key passwords are not supported for PKCS12 and ignores -destkeypass
keytool -importkeystore -srckeystore theJKSKeystore.jks -srcstorepass passwordOfTheJKSKeystore -srcstoretype jks -destkeystore thePKCS12Keystore.p12 -deststoretype pkcs12 -deststorepass passwordOfTheP12Keystore
  • Add a PEM certificate to be trusted in a JKS keystore
sh
keytool -importcert -file mycert.pem -keystore theJKSKeystore.jks -alias "MyCertAlias" -storepass passwordOfTheJKSKeystore

# -import is the older alias of -importcert; -trustcacerts lets keytool build the chain against
# the JDK's cacerts store before asking whether to trust the certificate
keytool -import -trustcacerts -alias root -file ca_geotrust_global.pem -keystore yourkeystore.jks
  • Add a PEM private key to a JKS keystore
sh
# keytool does not offer a way to directly import a private key.
# Instead, bundle the key and its certificate chain into a PKCS12 first and convert that to JKS.
openssl pkcs12 -export -inkey private.key -in all.pem -name test -out test.p12
# -deststoretype jks matters: without it a modern JDK writes a PKCS12 file called test.jks
keytool -importkeystore -srckeystore test.p12 -srcstoretype pkcs12 -destkeystore test.jks -deststoretype jks
  • Analyze the contents of a JKS keystore (also works with PKCS12/PFX)
sh
keytool -v -list -keystore keystore.jks -storepass passwordOfTheJKSKeystore
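As an added example (not code from the original page or from the JDK), the following Python reads and writes the JKS container layout with the standard library only, to show what the keystore password mentioned at the top of the keystore section actually protects in this format. The layout (magic 0xFEEDFEED, version 2, a count of entries, then for each entry a tag, alias, timestamp and the certificate or encrypted-key blobs, followed by a 20-byte SHA-1 of password || "Mighty Aphrodite" || file body) is the one Java's JavaKeyStore implementation writes, so jks_parse should also read a keytool-produced .jks. The sample entries are constructed: the "certificate" and the "encrypted key" are placeholder DER blobs, and private-key entries are returned as the stored EncryptedPrivateKeyInfo bytes without being decrypted.

```python
import hashlib
import hmac
import struct

JKS_MAGIC, JKS_VERSION = 0xFEEDFEED, 2
JKS_SALT = b"Mighty Aphrodite"   # constant Java's JavaKeyStore mixes into the integrity digest

def jks_digest(password, body):
    """Trailing 20-byte integrity value: SHA-1(password as UTF-16BE || "Mighty Aphrodite" || body)."""
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()

def _utf(s):
    """DataOutputStream.writeUTF: 2-byte length then (modified) UTF-8; ASCII aliases are enough here."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def _blob(b):
    return struct.pack(">I", len(b)) + b

def jks_build(entries, password):
    """Serialize entries (dicts in the shape jks_parse returns) as a version-2 JKS file."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, len(entries))
    for e in entries:
        if e["type"] == "PrivateKeyEntry":
            body += struct.pack(">I", 1) + _utf(e["alias"]) + struct.pack(">Q", e["timestamp"])
            body += _blob(e["encrypted_key"]) + struct.pack(">I", len(e["chain"]))
            for cert in e["chain"]:
                body += _utf("X.509") + _blob(cert)
        else:
            body += struct.pack(">I", 2) + _utf(e["alias"]) + struct.pack(">Q", e["timestamp"])
            body += _utf("X.509") + _blob(e["cert"])
    return body + jks_digest(password, body)

class _Reader:
    """Cursor over the file; every read is bounds-checked so a truncated store fails cleanly."""
    def __init__(self, data):
        self.data, self.pos = data, 0
    def take(self, n):
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated keystore")
        self.pos += n
        return chunk
    def u16(self): return struct.unpack(">H", self.take(2))[0]
    def u32(self): return struct.unpack(">I", self.take(4))[0]
    def u64(self): return struct.unpack(">Q", self.take(8))[0]
    def utf(self): return self.take(self.u16()).decode("utf-8")
    def blob(self): return self.take(self.u32())

def jks_parse(data, password=None):
    """Return (entries, integrity_ok). Entries are readable without any password; the
    password only keys the digest. Private keys come back as the stored EncryptedPrivateKeyInfo."""
    r = _Reader(data)
    magic, version, count = r.u32(), r.u32(), r.u32()
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore")
    entries = []
    for _ in range(count):
        tag, alias, ts = r.u32(), r.utf(), r.u64()
        if tag == 1:
            enc_key, chain = r.blob(), []
            for _ in range(r.u32()):
                if version == 2:
                    r.utf()                     # certificate type, always "X.509"
                chain.append(r.blob())
            entries.append({"alias": alias, "type": "PrivateKeyEntry", "timestamp": ts,
                            "encrypted_key": enc_key, "chain": chain})
        elif tag == 2:
            if version == 2:
                r.utf()
            entries.append({"alias": alias, "type": "TrustedCertEntry", "timestamp": ts, "cert": r.blob()})
        else:
            raise ValueError("unknown entry tag %d" % tag)
    body, digest = data[:r.pos], r.take(20)
    ok = password is not None and hmac.compare_digest(digest, jks_digest(password, body))
    return entries, ok

def guess_password(data, wordlist):
    """Offline guess of the store password: one unsalted SHA-1 per candidate, no rate limit."""
    body, digest = data[:-20], data[-20:]
    for candidate in wordlist:
        if hmac.compare_digest(digest, jks_digest(candidate, body)):
            return candidate
    return None

# Constructed sample. The "certificate" and "encrypted key" are placeholder DER blobs
# (SEQUENCE { INTEGER 0 }) standing in for a real X.509 cert and EncryptedPrivateKeyInfo.
PLACEHOLDER = b"\x30\x03\x02\x01\x00"
SAMPLE_ENTRIES = [
    {"alias": "root-ca", "type": "TrustedCertEntry", "timestamp": 1700000000000, "cert": PLACEHOLDER},
    {"alias": "server", "type": "PrivateKeyEntry", "timestamp": 1700000000000,
     "encrypted_key": PLACEHOLDER, "chain": [PLACEHOLDER, PLACEHOLDER]},
]
SAMPLE_JKS = jks_build(SAMPLE_ENTRIES, "changeit")
```

Two things to take from it: jks_parse returns every certificate, and the encrypted key blob, with no password at all, because the store password only keys the trailing digest; and guess_password shows that checking a candidate costs a single SHA-1 with a fixed string instead of a salt, so the store password is no barrier to offline guessing once someone has the file. File permissions, not the store password, are what protect a .jks, and PKCS12, where the entries themselves are encrypted, is the better container.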
