Generate CRT & KEY ssl files from Let's Encrypt from scratch

Sylvain picture Sylvain · May 17, 2018 · Viewed 25.5k times · Source

I'd like to generate a CRT/KEY couple SSL files with Let's Encrypt (with manual challenge).

I'm trying something like this :

certbot certonly --manual -d mydomain.com

But I only get these files in my /etc/letsencrypt/live/mydomain.com folder :

  • cert.pem
  • chain.pem
  • fullchain.pem
  • privkey.pem

Did I missed something?

Answer

coolaj86 picture coolaj86 · May 18, 2018

I'm the author of Greenlock, a certbot-compatible Let's Encrypt v2 client, so I've had to learn the ins and outs of all these things as well.

Hopefully this helps:

KEY

privkey.pem is the "key" file

Sometimes it is improperly named as cert.key or example.com.key.

CRT

fullchain.pem is your "crt" file.

Sometimes it is improperly named as example.com.crt.

CRT/KEY Bundle

bundle.pem would be made like so: cat fullchain.pem privkey.pem > bundle.pem

HAProxy is the only server that I know of that uses bundle.pem.

cert.pem

cert.pem contains ONLY your certificate, which can only be used by itself if the browser already has the certificate which signed it, which may work in testing (which makes it seem like it may be the right file), but will actually fail for many of your users in production with a security error of untrusted certificate.

However, you don't generally use the cert.pem by itself. It's almost always coupled with chain.pem as fullchain.pem.

chain.pem

chain.pem is the intermediary signed authority, signed by the root authority - which is what all browsers are guaranteed to have in their pre-built cache.

Checking certs

You can inspect the cert only like so:

openssl x509 -in cert.pem -text -noout

There's a list of useful commands here:

https://www.sslshopper.com/article-most-common-openssl-commands.html