Contents of privkey.pem, cert.pem, chain.pem, and fullchain.pem


cool...@gmail.com

Jul 13, 2015, 4:41:37 PM
to clien...@letsencrypt.org
Currently:

privkey.pem contains only the private key, this is expected
cert.pem contains ONLY the server certificate
chain.pem contains ONLY the ROOT certificate
fullchain.pem contains ONLY SERVER and ROOT.

When the certificates arrive and the service goes live in September, what will these files contain?

Will cert.pem still contain ONLY the server cert? Or will it also bundle the INTERMEDIATES?
Or will it be chain.pem that contains the INTERMEDIATES?


Considerations:
node.js and golang MUST have a server.pem that contains the SERVER + INTERMEDIATES. They won't complain if the root is there, it's just superfluous.
haproxy MUST NOT have the root in the chain or it throws an error

It's very easy to play with cat to get the right combination, but it would be best if the files sort out such that we can write docs for every type of webserver and simply say "for webserver x use foo for key and bar for chain" or "for webserver y use just baz".


Preferred:
cert.pem - cert
chain.pem - intermediates
server.pem - cert + intermediates
root.pem - root
fullchain.pem - cert + intermediates + root

Peter Eckersley

Jul 13, 2015, 6:40:00 PM
to cool...@gmail.com, clien...@letsencrypt.org, Seth David Schoen
Great question!

At the moment we don't have any intermediate chains deployed on our test systems.  When those exist (for launch) they will be present in chain.pem and fullchain.pem, and should take the place of the root that's currently in those files.  At that stage, if you want to get a copy of the Let's Encrypt root, that would be an out of band operation (or could be a separate command line flag).



--
You received this message because you are subscribed to the Google Groups "Let's Encrypt Client Development" group.
To unsubscribe from this group and stop receiving emails from it, send an email to client-dev+...@letsencrypt.org.
To post to this group, send email to clien...@letsencrypt.org.
To view this discussion on the web visit https://groups.google.com/a/letsencrypt.org/d/msgid/client-dev/7798833d-52fc-4fcd-8d8e-422b079ff9e5%40letsencrypt.org.



--
Peter
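The layout Peter describes (cert.pem holding only the leaf, chain.pem the intermediates, fullchain.pem the leaf plus intermediates, and the root obtained out of band) is also the one that satisfies the considerations in the first post: node.js and golang get leaf + intermediates, and haproxy never sees the root. The script below is an added example, not code from this thread or from the Let's Encrypt client. It parses just enough DER to read each certificate's issuer and subject, treats a self-signed certificate as the root, orders the rest leaf-upwards and writes the four bundles; `contains_root` is the check to run on a bundle before handing it to haproxy. The sample chain is constructed inline from unsigned certificate skeletons (`fake_cert`, a test helper, not real certificates) so it runs offline; on a live system pass `build_bundles` the text of your fullchain.pem plus whatever root you fetched separately.

```python
"""Sort a pile of PEM certificates into cert/chain/fullchain/root bundles (added example)."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def split_pem(text):
    """Return the DER bytes of every certificate block found in `text`."""
    return [base64.b64decode("".join(body.split())) for body in PEM_RE.findall(text)]


def to_pem(der):
    """Wrap DER bytes in a standard 64-column PEM certificate block."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN CERTIFICATE-----\n" + body + "\n-----END CERTIFICATE-----\n"


def _read_tlv(buf, off):
    """Decode one DER TLV at `off`; return (tag, content, offset after it)."""
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def issuer_and_subject(der):
    """Raw DER content of the issuer and subject Name fields of an X.509 cert."""
    _, cert, _ = _read_tlv(der, 0)         # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)         # tbsCertificate ::= SEQUENCE
    tag, _, off = _read_tlv(tbs, 0)        # [0] version (optional) or serialNumber
    if tag == 0xA0:
        _, _, off = _read_tlv(tbs, off)    # serialNumber
    _, _, off = _read_tlv(tbs, off)        # signature AlgorithmIdentifier
    _, issuer, off = _read_tlv(tbs, off)
    _, _, off = _read_tlv(tbs, off)        # validity
    _, subject, _ = _read_tlv(tbs, off)
    return issuer, subject


def classify(ders):
    """Return (leaf, intermediates ordered leaf-upwards, roots); a root is self-signed."""
    info = {d: issuer_and_subject(d) for d in ders}
    roots = [d for d, (iss, sub) in info.items() if iss == sub]
    issuers = {iss for iss, _ in info.values()}
    leaves = [d for d, (iss, sub) in info.items() if iss != sub and sub not in issuers]
    if len(leaves) != 1:
        raise ValueError("expected exactly one end-entity certificate, found %d" % len(leaves))
    by_subject = {sub: d for d, (_, sub) in info.items()}
    inters, cur = [], leaves[0]
    while True:                            # follow issuer links until we reach the root
        parent = by_subject.get(info[cur][0])
        if parent is None or parent in roots:
            break
        inters.append(parent)
        cur = parent
    return leaves[0], inters, roots


def build_bundles(text):
    """Assemble the files the thread discusses from whatever PEM text you have."""
    leaf, inters, roots = classify(split_pem(text))
    chain = "".join(to_pem(d) for d in inters)
    return {
        "cert.pem": to_pem(leaf),                       # leaf only
        "chain.pem": chain,                             # intermediates only
        "fullchain.pem": to_pem(leaf) + chain,          # leaf + intermediates, no root
        "root.pem": "".join(to_pem(d) for d in roots),  # kept separate, never in fullchain
    }


def contains_root(text):
    """True if a self-signed certificate is present in the bundle (haproxy rejects that)."""
    return any(iss == sub for iss, sub in map(issuer_and_subject, split_pem(text)))


# --- constructed sample input: unsigned certificate skeletons, for exercising the parser ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _name(cn):
    # Name ::= SEQUENCE OF SET OF { OID commonName (2.5.4.3), UTF8String }
    atv = _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))
    return _tlv(0x30, _tlv(0x31, atv))


def fake_cert(subject_cn, issuer_cn):
    """Structurally valid but unsigned X.509 DER (constructed); the signature field is zeros."""
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))  # sha256WithRSA OID
    validity = _tlv(0x30, _tlv(0x17, b"150713000000Z") + _tlv(0x17, b"250713000000Z"))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + _name(issuer_cn) + validity + _name(subject_cn) + _tlv(0x30, b""))
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00" * 33))


ROOT = fake_cert("Example Root CA", "Example Root CA")
INTER = fake_cert("Example Intermediate X1", "Example Root CA")
LEAF = fake_cert("www.example.com", "Example Intermediate X1")
SAMPLE = to_pem(ROOT) + to_pem(LEAF) + to_pem(INTER)   # deliberately out of order

if __name__ == "__main__":
    for name, content in build_bundles(SAMPLE).items():
        print(name, "->", len(split_pem(content)), "cert(s); root inside:", contains_root(content))
```

The self-signed test is the usual shortcut for "is this the root": it is what makes the haproxy error reproducible before deployment rather than at reload time. The order of the input does not matter, because the script rebuilds the chain from issuer links instead of trusting the order in the file.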

AJ ONeal (Home)

Jul 13, 2015, 7:49:27 PM
to Peter Eckersley, clien...@letsencrypt.org, Seth David Schoen
Thanks for the answer.

I've made an issue about the lacking documentation here:

And a request to include a root.pem here:

And I've updated my article:

And my testing certificates:

And my demo utility in node.js:

And still working on my demo utility in golang:

Alan Helmick

Mar 5, 2018, 3:09:35 PM
to Let's Encrypt Client Development, cool...@gmail.com

This directory contains your keys and certificates.

`privkey.pem` : the private key for your certificate.
`fullchain.pem`: the certificate file used in most server software.
`chain.pem` : used for OCSP stapling in Nginx >=1.3.7.
`cert.pem` : will break many server configurations, and should not be used without reading further documentation (see link below).

We recommend not moving these files. For more information, see the Certbot
User Guide at https://certbot.eff.org/docs/using.html#where-are-my-certificates.
bitnami@3Mandates:/etc/letsencrypt/live/www.findlife.today$
