Generating `cert.pem, chain.pem, and fullchain.pem` from order certificate

I am kind of a noob so please forgive any mistake in explaining my question/confusion.

Thus far I have been able to use both acme-client and droplet_kit to perform dns-01 challenge with the staging server.

Currently I am stuck with what to do with the PEM-formatted certificate that is returned.

Given that letsencrypt returns cert.pem, chain.pem, fullchain.pem, and privkey.pem I think that I am supposed to perform some actions on the returnedPEM-formatted certificate in order to get the expected values - expect privkey.pem which I think is the private_key used to sign the certificate request. Are my assumptions correct?

I ask because:

  1. although acme-client has a very simple API, from my reading of the codebase, it appears that it does not make any assumptions about certificate/key storage
  2. I am having a hard time finding a straightforward explanation of how cert.pem, chain.pem, fullchain.pem, and privkey.pem are generated.

I would appreciate any explanation on how PEM-formatted certificate that is returned is related/used to generate cert.pem, chain.pem, fullchain.pem, and privkey.pem

Thank you.


What is returned by the ACME protocol is basically the fullchain.pem file. It’s the signed certificate plus one or more certificates that make up the issuing CA chain. So you then just split that out into cert.pem (the first cert in the file) and chain.pem (the rest of the file). It’s a plain text file and you should be able to see the cert delineations fairly easily.

You’re correct that privkey.pem is the private key you already used to sign the cert request.


Based on the README of that gem,



Is order.certificate with the first certificate in the chain stripped.

Is the first certificate in order.certificate

Is order.certificate

Thanks for the explanation; really appreciate it!

Is there anyway I could know this by reading acme-client or ietf-acme docs? Is this something that is just standard?

Section 7.4.2 of the current ACME draft-16 talks about the details surrounding the certificate download. But what a client decides to do with that file is ultimately a usability choice by the client author.

Even the names cert.pem, chain.pem, and fullchain.pem aren't any kind of industry standard, but just a choice of this kind that we made when we first wrote Certbot, because we hoped they would help explain to users what the content of the files was. (And we may have made a mistake there, because fullchain.pem is what almost all software should use, but many users instead pick cert.pem and end up serving an incomplete chain.)

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.