Difference between .pem and .crt and how to use them

The operating system my web server runs on is (include version):
ubuntu 20.04

I can login to a root shell on my machine (yes or no, or I don't know):
Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel):
HestiaCP

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot):
1.27

Hi,
I need to be able to create a .crt file from the .pem.

I noticed that in /etc/letsencrypt/archive/my-domain/
the fullchain1.pem has 3 certificate blocks

Like this ( I have taken some lines out for brevity )

-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIFFjCCAv6gAwIBAgIRAJErCErPDBinU/bWLiWnX1owDQYJKoZIhvcNAQELBQAw
TzELMAkGA1UEBhMCVVMxKTAnBgNVBAoTIEludGVybmV0IFNlY3VyaXR5IFJlc2Vh
cmNoIEdyb3VwMRUwEwYDVQQDEwxJU1JHIFJvb3QgWDEwHhcNMjAwOTA0MDAwMDAw
WhcNMjUwOTE1MTYwMDAwWjAyMQswCQYDVQQGEwJVUzEWMBQGA1UEChMNTGV0J3Mg
RW5jcnlwdDELMAkGA1UEAxMCUjMwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
AoIBAQC7AhUozPaglNMPEuyNVZLD+ILxmaZ6QoinXSaqtSu5xUyxr45r+XXIo9cP
R5QUVTVXjJ6oojkZ9YI8QqlObvU7wy7bjcCwXPNZOOftz2nwWgsbvsCUJCWH+jdx
sxPnHKzhm+/b5DtFUkWWqcFTzjTIUu61ru2P3mBw4qVUq7ZtDpelQDRrK9O8Zutm
nLRbwHOoq7hHwg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

openssl is supposed to convert it to a .crt file

When I run this:
openssl x509 -outform der -in fullchain1.pem -out new.crt

root@expressresponse:/etc/letsencrypt/archive/gldn.page# cat new.crt
[binary DER output: mostly unprintable bytes, with readable fragments such as "Let's Encrypt", "R3", "gldn.page", "http://r3.o.lencr.org", "http://r3.i.lencr.org/" and "http://cps.letsencrypt.org"]
root@expressresponse:/etc/letsencrypt/archive/gldn.page#

Is the output supposed to look like this?

If the .crt file is just one of those certificates, can I just cut it out with vim?

Also would be nice to know what those 3 certificates are for?
Is one the public key? Which one?

Thanks

A .crt file is often the same as a .pem file, it's just called .crt so you know what's in the file. Same with .key. There are other encodings like DER (which you are trying to convert the PEM encoded file to here), but you probably don't need that unless the service you are configuring explicitly requires it.

The PEM encoded files produced by certbot include:

  • cert.pem - just your pem encoded cert, also the public key
  • chain.pem - the other intermediate certs that make up the certificate chain (not including the root)
  • fullchain.pem - your cert, plus the intermediates, this is often the file you need
  • privkey.pem - your private key

You can convert or combine these files in different ways depending on how you want to use them, so the question is what type of service are you trying to use the cert for?

5 Likes

Thanks for the info.

I am trying to get the SSL certs I have for wildcards
i.e. gldn.page, *.gldn.page to work properly on HestiaCP

( HestiaCP doesn't handle wildcard SSL certs )

I changed the template it uses to point at the SSL certs I have already created.

SSLVerifyClient none
    ssl_certificate /etc/letsencrypt/live/%domain%/fullchain.pem; # ma>
    ssl_certificate_key /etc/letsencrypt/live/%domain%/privkey.pem; # >
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

Which looked fine,
but when the domain didn't resolve ssl, I was told I needed to run this:

v-add-web-domain-ssl dave gldn.page /etc/letsencrypt/live/gldn.page

But I get this:
Error: /etc/letsencrypt/live/gldn.page/gldn.page.crt not found

Then I was told "Hestia converts .pem into .crt files"
and was shown a bit of code:

# Splitting up downloaded pem
crt_end=$(grep -n 'END CERTIFICATE' $ssl_dir/$domain.pem |head -n1 |cut -f1 -d:)
head -n $crt_end $ssl_dir/$domain.pem > $ssl_dir/$domain.crt
pem_lines=$(wc -l $ssl_dir/$domain.pem |cut -f 1 -d ' ')
ca_end=$(grep -n 'BEGIN CERTIFICATE' $ssl_dir/$domain.pem |tail -n1 |cut -f 1 -d :)
# the value above is overwritten immediately: .ca becomes everything from the first "END CERTIFICATE" line to the end of the file
ca_end=$(( pem_lines - crt_end + 1 ))
tail -n $ca_end $ssl_dir/$domain.pem > $ssl_dir/$domain.ca
debug_log "CERT CRT" "$(cat "$ssl_dir/$domain.crt")"
debug_log "CERT CA-1" "$(cat "$ssl_dir/$domain.ca")"
# Temporary fix for double "END CERTIFICATE"
if [[ $(head -n 1 $ssl_dir/$domain.ca) = "-----END CERTIFICATE-----" ]]; then
    sed -i '1,2d' $ssl_dir/$domain.ca
fi
debug_log "CERT CA-2" "$(cat "$ssl_dir/$domain.ca")"

It looks like this code is splitting up the .pem file rather than the real convert that I did with openssl.

Can you tell which part of the .pem file I need to cut out and call a .crt file?

Hope this all makes sense !

Thanks.

That script seems to be vesta/v-add-web-domain-ssl at master · serghey-rodin/vesta · GitHub and for whatever reason it's expecting to find $domain.crt and $domain.key in the path you give it.

You could copy fullchain.pem to gldn.page.crt, and copy privkey.pem to gldn.page.key then run that script again, maybe that would work.

2 Likes
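An added worked example, not code from this thread, from certbot or from Hestia/Vesta, covering two points raised above: the certbot file list in the first answer, and the question of which part of fullchain.pem becomes the .crt. It splits by counting PEM blocks rather than lines, so it never needs the "double END CERTIFICATE" patch-up that the quoted Hestia snippet applies. The sample fullchain it writes is constructed with placeholder bodies (not real certificates), example.test is an assumed domain, and describe_certs plus the DER conversion only run when a real fullchain path is passed and openssl is installed.

```shell
#!/bin/sh
# Added example; not code from this thread, certbot, or Hestia/Vesta.
# Split a certbot fullchain.pem into <domain>.crt (first block, the leaf)
# and <domain>.ca (the remaining blocks, the intermediates) by counting
# PEM blocks rather than lines.
set -eu

# Count certificate blocks in a PEM file; prints 0 when there are none.
count_certs() {
  grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# Print the N-th (1-based) certificate block, BEGIN line through END line.
nth_cert() {
  awk -v want="$2" '
    /^-----BEGIN CERTIFICATE-----$/ { n++ }
    n == want { print }
    /^-----END CERTIFICATE-----$/ && n == want { exit }
  ' "$1"
}

# Print every block from the second onward: the intermediate chain.
chain_certs() {
  awk '
    /^-----BEGIN CERTIFICATE-----$/ { n++ }
    n >= 2 { print }
  ' "$1"
}

# Write <dir>/<domain>.crt and <dir>/<domain>.ca from a fullchain file.
split_fullchain() {
  fullchain=$1; dir=$2; domain=$3
  nth_cert "$fullchain" 1 > "$dir/$domain.crt"
  chain_certs "$fullchain" > "$dir/$domain.ca"
}

# Print subject and issuer of each block so you can see which one is the
# leaf and which are intermediates. Needs openssl and real certificates.
describe_certs() {
  n=$(count_certs "$1"); i=1
  while [ "$i" -le "$n" ]; do
    printf 'block %s: ' "$i"
    nth_cert "$1" "$i" | openssl x509 -noout -subject -issuer
    i=$((i + 1))
  done
}

# Constructed stand-in for a three-block fullchain.pem. The bodies are
# placeholders, not the base64 of real certificates.
make_sample_fullchain() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
LEAF-CERT-BODY-CONSTRUCTED
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE-1-BODY-CONSTRUCTED
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
INTERMEDIATE-2-BODY-CONSTRUCTED
-----END CERTIFICATE-----
EOF
}

# demo [real-fullchain.pem]: split the constructed sample; with a real file
# and openssl available, also describe the blocks and show that
# "openssl x509 -outform der" converts only the FIRST block, which is why
# the original command produced a binary (DER) copy of the leaf alone.
demo() {
  tmp=$(mktemp -d)
  make_sample_fullchain "$tmp/fullchain.pem"
  split_fullchain "$tmp/fullchain.pem" "$tmp" example.test
  printf 'sample: %s blocks -> .crt has %s, .ca has %s\n' \
    "$(count_certs "$tmp/fullchain.pem")" \
    "$(count_certs "$tmp/example.test.crt")" \
    "$(count_certs "$tmp/example.test.ca")"
  if [ -n "${1:-}" ] && command -v openssl >/dev/null 2>&1; then
    describe_certs "$1"
    openssl x509 -in "$1" -outform der -out "$tmp/leaf.der"
    printf 'DER of first block only: %s bytes\n' "$(wc -c < "$tmp/leaf.der" | tr -d ' ')"
  fi
  rm -rf "$tmp"
}

demo "$@"
```

Save it as split.sh and run `sh split.sh /etc/letsencrypt/live/<domain>/fullchain.pem` to split and describe a real chain; with no argument it only exercises the constructed sample. In a certbot fullchain.pem the first block is the leaf certificate (the one naming your domain and carrying its public key) and the blocks after it are the intermediates; the root is not included, which matches the "not including the root" description of chain.pem in the first answer. The splitting also explains the original `cat new.crt` output: `openssl x509` only reads the first certificate it finds, so `-outform der` wrote a binary DER copy of the leaf, and binary is exactly what a terminal shows as unprintable characters.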

Not sure if you already followed their guide but you may want to see if your process is the same as: SSL Certificates and Let's Encrypt — Hestia Control Panel documentation

1 Like

Thanks for the suggestion:

v-add-web-domain-ssl dave gldn.page /etc/letsencrypt/live/gldn.page

Error: Certificate Authority not found

What could this be?

It looks like you're combining nginx with Apache configurations? To me, it doesn't look "fine".

Interestingly this error message cannot be found in the Hestia source code :thinking:

3 Likes
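To make the point in the reply above concrete, here is the posted fragment beside an nginx-only version of the same settings. This is an added illustration, not from the thread or from Hestia's templates; the `%domain%` placeholder is kept as in the posted snippet, and the `listen` and `server_name` lines are assumed for the sake of a complete server block.

```nginx
# As posted: "SSLVerifyClient" is an Apache (mod_ssl) directive. nginx does not
# know it and will refuse to start with: unknown directive "SSLVerifyClient"
SSLVerifyClient none
    ssl_certificate /etc/letsencrypt/live/%domain%/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/%domain%/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

# nginx-only equivalent (listen/server_name assumed for illustration)
server {
    listen 443 ssl;
    server_name %domain% *.%domain%;

    # fullchain.pem = leaf + intermediates; privkey.pem = the private key
    ssl_certificate     /etc/letsencrypt/live/%domain%/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/%domain%/privkey.pem;

    # nginx's counterpart of Apache's "SSLVerifyClient none"; off is the default
    ssl_verify_client   off;

    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
}
```

Run `nginx -t` after editing a template-generated vhost; it reports the unknown directive and the file and line it came from before anything is reloaded.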

Looking at that script it's sometimes looking for a $domain.ca file. I'd guess that might be the CA root certificate it's looking for, but I have no idea really. See v-acknowledge-user-notification — Hestia Control Panel documentation

It looks to me like HestiaCP prefers you to use their various letsencrypt specific commands rather than try to configure stuff yourself: v-acknowledge-user-notification — Hestia Control Panel documentation

2 Likes

That code is from here: vesta/v-add-letsencrypt-domain at 0fcbadda783926fdae681e7ad5bc2cd279aa7c90 · serghey-rodin/vesta · GitHub

@webprofusion didn't directly state the following - though if you read between the lines on his answer - you might have understood it. I just want this to be clear:

Traditionally, the .crt file extension denotes a DER encoded certificate with an application/x-x509-server-cert mime header (and .cer denotes DER encoding with application/pkix-cert mime header). None of this is required by spec, and a .crt can - and often does - contain PEM encoded content.

Back to the problem...

The source in that specific letsencrypt command may help you figure out how they want certificates set up. The section after downloading the certificate is how they add it to the system and the section after that registers a renewal.

2 Likes