Certificate formats

The most commonly two formats are PEM and PKCS12 today. But there are other binary and text based formats used in the corporate world. The most recommended format is the text based PEM.


PEM format is the most common best to handle format. It’s a text format, which is basically a base64 encoded format with a header and footer. It’s very easy to transport and can be even pasted.

Most modern software supports PEM. The format is the standard format used in Domino CertMgr. All certificates are stored natively in PEM. Only the internal key is stored encrypted in Domino internal format. The exportable key is also stored in encrypted PEM format to allow standard based export flows without using any specific API.

A PEM file can contain private/public keys, leaf certificates, intermediate certificates and root certificates.

Example PEM file

A PEM file always has exactly the shown begin and end markers and is usually printed with new lines. It is very important to keep those begin and end markers unmodified!



PKCS12 is often referenced as .pfx in the Microsoft world. The official standard extension is .p12 It is a binary format, which can contain multiple certificates and keys with lables (friendly name). The format is a bit harder to deal with, but can be imported and exported into and from certstore.nsf

Other formats


DER is a binary encoded format, which is basically PEM but binary encoded.


PKCS7 is a text based format for holding certificate chains encoded into a single Base64 stream. The format is less commonly used, but good to know about.

Encryption standard used by Domino CertMgr

The PEM and PKCS12 format both support encryption.
The standard encryption algorithm is AES-256-CBC with PBKDF2 for key derivation today.
Standard used is the modern standard also used by OpenSSL 3.0.x.

Note: Older versions of OpenSSL can read the the newer standard, but will generate less secure encrypted files by default.

For Notes Client based export operations there is a legacy option in Notes 12.0.1 and higher to create a PKCS12 or PEM file. The client will then use a lower encryption standard (often needed for Java and other applications).

But you can also easily convert those file using OpenSSL command as shown below and avoid the notes.ini which would create all your files in the legacy format. The lower security should be only used if really needed. And the better option should be to convert to a legacy format only when needed.


OpenSSL 3.0 command line also supports a -legacy switch to fall back to older encryption standards. In case an import isn’t working in OpenSSL 3.x or if you need to export with encryption, you might need the -legacy switch.

See the OpenSSL PKCS12 documentation for details.

Convert between formats

OpenSSL is the standard command-line tool to convert between formats.

Only Java KeyStores require the Java keytool. All other formats are handled by a OpenSSL command line.

Note: Java supports the PKCS12 format meanwhile and you should consider switching to PKCS12 instead where possible.


Converts PKCS#12 file (.pfx .p12) into Certs and Keys

openssl pkcs12 -in cert.pfx -out cert.pem -nodes

DER binary to PEM

Converts binary DER cert file into PEM format

openssl x509 -inform der -in server.cer -outform pem -out server.pem

PKCS7 DER binary encoded cert chain into PEM

Converts binary DER encoded cert chain into PEM format

openssl pkcs7 -print_certs -inform der -in certificate_chain.p7b -outform pem -out chain.pem

PKCS7 PEM encoded cert chain into standard PEM

Converts PEM encoded cert chain into PEM format

openssl pkcs7 -print_certs -inform pem -in certificate_chain.pem -outform pem -out chain.pem


Converts PEM Format into PKCS12

openssl pkcs12 -export -out server.p12 -in cert.pem -inkey key.pem -passin pass:mypassword -passout pass:mypassword

Same conversion just for certificates without keys

openssl pkcs12 -export -nokeys -in cert.pem -out server.p12