As of today, Certbot creates the following four files per certificate:
cert.pem
chain.pem
fullchain.pem
privkey.pem
For certain applications (e.g. Postfix), a single file which contains everything, i.e. private key, own certificate, chain, in that order, would be beneficial. For example, Postfix picks up a new certificate (or private key for that matter) without reloading the daemon. However, it is necessary that the information is updated in an atomic manner. If the private key and the certificates are stored in individual files, it might happen that Postfix reads a private key and certificate which do not match (of course depending on circumstances and timing).
See Postfix Configuration Parameters – smtpd_tls_chain_files:
Storing the private key in the same file as the corresponding certificate is more reliable. With the key and certificate in separate files, there is a chance that during key rollover a Postfix process might load a private key and certificate from separate files that don't match.
It would be nice if certbot could also create a fifth file which provides everything.
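
Until such a file exists, the same result can be produced from a deploy hook. The following is an added example, not part of the original post and not Certbot's own code: it concatenates the key and `fullchain.pem` in the order described above and swaps the result in with a single rename, so a reader never sees a half-written or mismatched file. `RENEWED_LINEAGE` is the variable Certbot sets for deploy hooks; the function name, the `COMBINED_PEM` variable and its default path are assumptions.

```shell
#!/bin/sh
# Added example: build one key+cert+chain PEM and replace the old one atomically.
# build_combined_pem and COMBINED_PEM are hypothetical names chosen for this sketch.

build_combined_pem() {
    lineage=$1   # directory holding privkey.pem and fullchain.pem
    out=$2       # destination, e.g. the file named in smtpd_tls_chain_files

    [ -r "$lineage/privkey.pem" ] && [ -r "$lineage/fullchain.pem" ] || {
        echo "missing privkey.pem or fullchain.pem in $lineage" >&2
        return 1
    }

    outdir=$(dirname "$out")
    # Temp file lives in the destination directory so that mv is a rename(2)
    # on the same filesystem; umask keeps the key unreadable to other users.
    tmp=$(umask 077; mktemp "$outdir/.combined.XXXXXX") || return 1

    # Order: private key, own certificate, chain (fullchain.pem = cert + chain).
    if cat "$lineage/privkey.pem" "$lineage/fullchain.pem" > "$tmp" \
        && chmod 600 "$tmp" \
        && mv -f "$tmp" "$out"; then
        return 0
    fi

    # Any failure leaves the previous combined file untouched.
    rm -f "$tmp"
    return 1
}

# When invoked by Certbot as a deploy hook, RENEWED_LINEAGE is set.
if [ -n "${RENEWED_LINEAGE:-}" ]; then
    # Assumed default output path; point smtpd_tls_chain_files at the same file.
    build_combined_pem "$RENEWED_LINEAGE" "${COMBINED_PEM:-/etc/postfix/tls-chain.pem}"
fi
```

The output directory should be writable only by root, since the file contains the private key.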