Generate CRT & KEY ssl files from Let's Encrypt from scratch
I'm the author of Greenlock, a certbot-compatible Let's Encrypt v2 client, so I've had to learn the ins and outs of all these things as well.
Hopefully this helps:
KEY
privkey.pem
is the "key" file
Sometimes it is improperly named as cert.key
or example.com.key
.
CRT
fullchain.pem
is your "crt" file.
Sometimes it is improperly named as example.com.crt
.
CRT/KEY Bundle
bundle.pem
would be made like so: cat fullchain.pem privkey.pem > bundle.pem
HAProxy is the only server that I know of that uses bundle.pem
.
cert.pem
cert.pem
contains ONLY your certificate, which can only be used by itself if the browser already has the certificate which signed it, which may work in testing (which makes it seem like it may be the right file), but will actually fail for many of your users in production with a security error of untrusted certificate.
However, you don't generally use the cert.pem by itself. It's almost always coupled with chain.pem as fullchain.pem.
chain.pem
chain.pem
is the intermediary signed authority, signed by the root authority - which is what all browsers are guaranteed to have in their pre-built cache.
Checking certs
You can inspect the cert only like so:
openssl x509 -in cert.pem -text -noout
There's a list of useful commands here:
https://www.sslshopper.com/article-most-common-openssl-commands.html
Sylvain
Updated on July 09, 2022Comments
-
Sylvain almost 2 years
I'd like to generate a CRT/KEY couple SSL files with Let's Encrypt (with manual challenge).
I'm trying something like this :
certbot certonly --manual -d mydomain.com
But I only get these files in my
/etc/letsencrypt/live/mydomain.com folder
:- cert.pem
- chain.pem
- fullchain.pem
- privkey.pem
Did I missed something?
-
jave.web almost 5 yearsThis mozilla.github.io/server-side-tls/ssl-config-generator directive example helped me setup my stuff, also in ISPConfig SSL config you may add chain.pem into "SSL Bundle" field
-
Glenn Mohammad almost 4 years@CoolAJ86 Thank you for this incredible answer. But why did you say
*.key
and*.crt
files are improperly named? 🤔 -
coolaj86 almost 4 years@GlennMohammad to be honest, I'm just taking a stand and being over zealous to counter-balance a world-gone-wild with things named without rhyme or reason. However, my technical reasoning would be that PEM is a well-defined RFC format, whereas .key and .crt are ambiguous (could be DER or PEM). I would accept .pem.crt and .pem.key or .cert.pem and .key.pem though (or likewise the der variations).
-
Glenn Mohammad almost 4 years@CoolAJ86 Hahahah, okay then. Your rather zebellious and technical reasoning are actually both making sense to me! 🧞 So thanks again.
-
Fernando León almost 3 yearsI need convert this .pem files to .crt files. How I do this?
-
coolaj86 almost 3 years@FernandoLeón It depends. Much of the time the .crt is already in PEM format. You could just rename it to .pem. If your .crt is not in PEM format then it may be in DER format, in which case you need to google how to convert from DER to PEM.
-
Oleg Gritsak about 2 yearsfullchain.pem + privkey.pem had also suited Keycloak X . Huge thanks for ideas!