Generate CRT & KEY ssl files from Let's Encrypt from scratch

ssl ssl-certificate lets-encrypt
39,837

I'm the author of Greenlock, a certbot-compatible Let's Encrypt v2 client, so I've had to learn the ins and outs of all these things as well.

Hopefully this helps:

KEY

privkey.pem is the "key" file

Sometimes it is improperly named as cert.key or example.com.key.

CRT

fullchain.pem is your "crt" file.

Sometimes it is improperly named as example.com.crt.

CRT/KEY Bundle

bundle.pem would be made like so: cat fullchain.pem privkey.pem > bundle.pem

HAProxy is the only server that I know of that uses bundle.pem.

cert.pem

cert.pem contains ONLY your certificate, which can only be used by itself if the browser already has the certificate which signed it, which may work in testing (which makes it seem like it may be the right file), but will actually fail for many of your users in production with a security error of untrusted certificate.

However, you don't generally use the cert.pem by itself. It's almost always coupled with chain.pem as fullchain.pem.

chain.pem

chain.pem is the intermediary signed authority, signed by the root authority - which is what all browsers are guaranteed to have in their pre-built cache.

Checking certs

You can inspect the cert only like so:

openssl x509 -in cert.pem -text -noout

There's a list of useful commands here:

https://www.sslshopper.com/article-most-common-openssl-commands.html

Share:
39,837
Sylvain
Author by

Sylvain

Updated on July 09, 2022

Comments

  • Sylvain
    Sylvain almost 2 years

    I'd like to generate a CRT/KEY couple SSL files with Let's Encrypt (with manual challenge).

    I'm trying something like this :

    certbot certonly --manual -d mydomain.com

    But I only get these files in my /etc/letsencrypt/live/mydomain.com folder :

    • cert.pem
    • chain.pem
    • fullchain.pem
    • privkey.pem

    Did I missed something?

  • jave.web
    jave.web almost 5 years
    This mozilla.github.io/server-side-tls/ssl-config-generator directive example helped me setup my stuff, also in ISPConfig SSL config you may add chain.pem into "SSL Bundle" field
  • Glenn Mohammad
    Glenn Mohammad almost 4 years
    @CoolAJ86 Thank you for this incredible answer. But why did you say *.key and *.crt files are improperly named? 🤔
  • coolaj86
    coolaj86 almost 4 years
    @GlennMohammad to be honest, I'm just taking a stand and being over zealous to counter-balance a world-gone-wild with things named without rhyme or reason. However, my technical reasoning would be that PEM is a well-defined RFC format, whereas .key and .crt are ambiguous (could be DER or PEM). I would accept .pem.crt and .pem.key or .cert.pem and .key.pem though (or likewise the der variations).
  • Glenn Mohammad
    Glenn Mohammad almost 4 years
    @CoolAJ86 Hahahah, okay then. Your rather zebellious and technical reasoning are actually both making sense to me! 🧞 So thanks again.
  • Fernando León
    Fernando León almost 3 years
    I need convert this .pem files to .crt files. How I do this?
  • coolaj86
    coolaj86 almost 3 years
    @FernandoLeón It depends. Much of the time the .crt is already in PEM format. You could just rename it to .pem. If your .crt is not in PEM format then it may be in DER format, in which case you need to google how to convert from DER to PEM.
  • Oleg Gritsak
    Oleg Gritsak about 2 years
    fullchain.pem + privkey.pem had also suited Keycloak X . Huge thanks for ideas!

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Certbot - Could not find a suitable TLS CA certificate bundle [Archlinux]
apache2 won't start after ssl configuration
Error installing LetsEncrypt SSL: (http-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain
How to fix issues with LetsEncrypt certificate chains on Windows Server?
Verify return code: 21 (unable to verify the first certificate) Lets encrypt Apache to Nginx with crontab issue
Let's Encrypt -- "DNS ... query timed out looking up CAA for ..."
Let's Encrypt SSL Certificate File Not Found Error, but still working
Letsencrypt add domain to existing certificate
Change base domain name for Lets Encrypt SSL certificate
Flutter on Android 7 CERTIFICATE_VERIFY_FAILED with LetsEncrypt SSL cert after Sept 30, 2021