59

I'd like to generate a CRT/KEY pair of SSL files with Let's Encrypt (with manual challenge).

I'm trying something like this:

certbot certonly --manual -d mydomain.com

But I only get these files in my /etc/letsencrypt/live/mydomain.com folder:

  • cert.pem
  • chain.pem
  • fullchain.pem
  • privkey.pem

Did I miss something?

Sylvain
  • That is because those are the files needed to serve up SSL content, etc. If you look under `/etc/letsencrypt/csr` you'll see your actual CSRs. What you may be trying to do - add your name, city, address, etc. to the cert - I don't think LE supports, simply because they have tried to automate their process and it is a free service... – ivanivan May 17 '18 at 11:09
  • @ivanivan Let's Encrypt certificates are DV, not OV and even less EV. So there is no personal data in them, just technical endpoints (hostnames). – Patrick Mevzek May 17 '18 at 14:32
  • @PatrickMevzek - thanks. I just know that when I do a normal CSR to get an SSL cert from a CA (I've only used StartSSL, the original free option) there were the questions to answer about city, company (Snake Oil Inc iirc was default), etc. – ivanivan May 17 '18 at 15:53
  • @ivanivan yes you have these questions when you generate an OV. A DV just needs the name(s) and a validation of them (through DNS or HTTP) – Patrick Mevzek May 17 '18 at 15:55

1 Answer

117

I'm the author of Greenlock, a certbot-compatible Let's Encrypt v2 client, so I've had to learn the ins and outs of all these things as well.

Hopefully this helps:

KEY

privkey.pem is the "key" file

Sometimes it is improperly named as cert.key or example.com.key.

CRT

fullchain.pem is your "crt" file.

Sometimes it is improperly named as example.com.crt.

CRT/KEY Bundle

bundle.pem would be made like so: cat fullchain.pem privkey.pem > bundle.pem

HAProxy is the only server that I know of that uses bundle.pem.

cert.pem

cert.pem contains ONLY your certificate, which can only be used by itself if the browser already has the certificate which signed it, which may work in testing (which makes it seem like it may be the right file), but will actually fail for many of your users in production with a security error of untrusted certificate.

However, you don't generally use the cert.pem by itself. It's almost always coupled with chain.pem as fullchain.pem.

chain.pem

chain.pem is the intermediary signed authority, signed by the root authority - which is what all browsers are guaranteed to have in their pre-built cache.

Checking certs

You can inspect the cert only like so:

openssl x509 -in cert.pem -text -noout

There's a list of useful commands here:

https://www.sslshopper.com/article-most-common-openssl-commands.html

coolaj86
  • This https://mozilla.github.io/server-side-tls/ssl-config-generator/ directive example helped me set up my stuff, also in ISPConfig SSL config you may add chain.pem into "SSL Bundle" field – jave.web May 22 '19 at 14:26
  • @CoolAJ86 Thank you for this incredible answer. But why did you say `*.key` and `*.crt` files are _improperly_ named? – Glenn Mohammad Jun 28 '20 at 15:23
  • @GlennMohammad to be honest, I'm just taking a stand and being overzealous to counter-balance a world-gone-wild with things named without rhyme or reason. However, my technical reasoning would be that PEM is a well-defined RFC format, whereas .key and .crt are ambiguous (could be DER or PEM). I would accept .pem.crt and .pem.key or .cert.pem and .key.pem though (or likewise the der variations). – coolaj86 Jun 29 '20 at 16:48
  • @CoolAJ86 Hahahah, okay then. Your rather zebellious and technical reasoning are actually both making sense to me! So thanks again. – Glenn Mohammad Jun 30 '20 at 21:29
  • I need to convert these .pem files to .crt files. How do I do this? – Fernando León May 21 '21 at 19:58
  • @FernandoLeón It depends. Much of the time the .crt is already in PEM format. You could just rename it to .pem. If your .crt is not in PEM format then it may be in DER format, in which case you need to google how to convert from DER to PEM. – coolaj86 May 24 '21 at 17:08
  • fullchain.pem + privkey.pem also suited Keycloak X. Huge thanks for the ideas! – Oleg Gritsak Apr 18 '22 at 17:11
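The checks below are an added example written for this page; they are not code from the answer above, from certbot, or from Greenlock. The script assumes only the openssl command-line tool. Because real Let's Encrypt files cannot be issued offline, it first builds a throw-away root -> intermediate -> leaf chain (the names "Demo Root" and "Demo Intermediate" and the scratch directory are constructed) so that the same four file names the question lists can be exercised: it confirms that privkey.pem belongs to cert.pem, that fullchain.pem validates against the root while cert.pem on its own does not (the production failure the answer warns about), that HAProxy's bundle.pem is assembled as the answer describes, and, for the DER-versus-PEM point raised in the comments, it converts a .crt in either encoding to PEM.

```shell
#!/bin/sh
# Added example, not part of the answer, of certbot or of Greenlock.
# Builds a constructed root -> intermediate -> leaf chain with openssl so the
# files named in /etc/letsencrypt/live/<domain>/ can be exercised offline,
# then runs the checks worth doing before deploying them.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory (constructed)
DOMAIN="mydomain.com"          # the placeholder name used in the question

# make_demo_chain DIR DOMAIN: write root.pem, chain.pem, cert.pem,
# fullchain.pem and privkey.pem into DIR (constructed PKI, 2-day validity).
make_demo_chain() {
    dir="$1"; domain="$2"
    mkdir -p "$dir"
    # Root CA: the part browsers ship in their trust store (stands in for ISRG's root).
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Demo Root" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    # Intermediate CA signed by the root: this is what chain.pem holds.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/int.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Intermediate" \
        -keyout "$dir/int.key" -out "$dir/int.csr" 2>/dev/null
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
        -CAcreateserial -days 2 -extfile "$dir/int.ext" -out "$dir/chain.pem" 2>/dev/null
    # Leaf certificate for the domain, signed by the intermediate: cert.pem and privkey.pem.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:%s\n' "$domain" \
        > "$dir/leaf.ext"
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$domain" \
        -keyout "$dir/privkey.pem" -out "$dir/leaf.csr" 2>/dev/null
    openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/chain.pem" -CAkey "$dir/int.key" \
        -CAcreateserial -days 2 -extfile "$dir/leaf.ext" -out "$dir/cert.pem" 2>/dev/null
    # fullchain.pem is exactly cert.pem followed by chain.pem.
    cat "$dir/cert.pem" "$dir/chain.pem" > "$dir/fullchain.pem"
}

# key_matches_cert KEY CERT: succeed only if the private key's public half equals
# the public key inside the certificate (catches a privkey.pem from another issuance).
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# verify_leaf ROOT CERT [UNTRUSTED]: validate the way a browser does, trusting only
# the root and taking intermediates from the optional UNTRUSTED file (chain.pem).
verify_leaf() {
    if [ -n "${3:-}" ]; then
        openssl verify -CAfile "$1" -untrusted "$3" "$2" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
    fi
}

# make_bundle DIR: build HAProxy's bundle.pem and print how many PEM blocks it holds.
make_bundle() {
    cat "$1/fullchain.pem" "$1/privkey.pem" > "$1/bundle.pem"
    grep -c 'BEGIN' "$1/bundle.pem"
}

# to_pem IN OUT: accept a .crt in either PEM or DER encoding and write it as PEM.
# Detection is textual on purpose: newer openssl auto-detects the input format,
# which would otherwise let a DER file pass through unchanged.
to_pem() {
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        cp "$1" "$2"
    else
        openssl x509 -inform DER -in "$1" -out "$2"
    fi
}

# fingerprint CERT: SHA-256 fingerprint, for comparing two encodings of one certificate.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

make_demo_chain "$WORK" "$DOMAIN"
key_matches_cert "$WORK/privkey.pem" "$WORK/cert.pem" && echo "privkey.pem matches cert.pem"
verify_leaf "$WORK/root.pem" "$WORK/cert.pem" "$WORK/chain.pem" && echo "cert.pem + chain.pem validates"
verify_leaf "$WORK/root.pem" "$WORK/cert.pem" || echo "cert.pem alone does NOT validate (intermediate missing)"
echo "bundle.pem holds $(make_bundle "$WORK") PEM blocks (2 certificates + 1 key)"
```

Against a real deployment, point the functions at /etc/letsencrypt/live/<domain>/ and at your system's CA bundle instead of root.pem; the key_matches_cert and verify_leaf checks are the ones that catch the two mistakes the answer describes, serving cert.pem without chain.pem and pairing a certificate with the wrong private key.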