How do I download the public key? (noob question)


This question is probably so mind-numbingly simple that no one has had to ask it… but… how exactly do I get the public key?

Most of the instructions I find online assume you’ve been sent the keys in an email. I’ve managed to follow half a dozen different step-by-step instructions to eventually, painstakingly, generate a private key, and can copy/paste it from the virtual console into the appropriate field (on Google App Engine), but it also needs a “PEM encoded X.509 public key certificate”.

Where the heck do I get this? Like, quite literally, what do I type into the virtual console? It says that it saved it at “/etc/letsencrypt/live/[REDACTED].com/fullchain.pem” but if I paste that (the real version) into the console it just says “access denied”.

I’ve searched here and Google but I may as well be searching for “how to drink water from a cup”, or something equally obvious which no one is talking about. :_(


The certificate (with the public key in it) is at “/etc/letsencrypt/live/[REDACTED].com/cert.pem”

The fullchain.pem you’re referring to also has the intermediate certificate embedded into it.


Yes that’s the file that I want to download, and I haven’t been able to find any instructions on how to do so. I only copy-and-pasted the private key from the virtual console output, which looks something like this:

blablablalbakjfksflksjgfklsgjlsgsgj (etc)


You probably want to run:

sudo cat /etc/letsencrypt/live/[REDACTED].com/fullchain.pem

This will print out two certificates: The first one is your certificate and the other is the “chain” or “intermediate.” The software you need to install it into will either accept both in a single field, or will expect them as two separate fields.
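For software that expects the two certificates in separate fields, the split described in the answer above can be scripted. This is an added example, not part of the original thread: the function names and the leaf.pem/chain.pem output names are hypothetical, and the sample bundle is constructed with placeholder bodies rather than real certificates.

```shell
#!/bin/sh
# Added example (not from the thread): split a PEM bundle into two fields.

# split_fullchain BUNDLE OUTDIR   (hypothetical helper name)
#   OUTDIR/leaf.pem  <- first certificate (the site's own certificate)
#   OUTDIR/chain.pem <- every later certificate (intermediates)
# Prints the number of certificates found.
# Returns 2 if the bundle contains a private key, 1 if it has no certificate.
split_fullchain() {
    bundle=$1
    outdir=$2
    # A private key must never end up in a public-certificate field.
    if grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$bundle"; then
        echo "refusing: $bundle contains a private key" >&2
        return 2
    fi
    mkdir -p "$outdir" || return 1
    : > "$outdir/leaf.pem"
    : > "$outdir/chain.pem"
    # Route each BEGIN..END block to leaf.pem (block 1) or chain.pem (the rest).
    count=$(awk -v leaf="$outdir/leaf.pem" -v chain="$outdir/chain.pem" '
        /^-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside { print > (n == 1 ? leaf : chain) }
        /^-----END CERTIFICATE-----/ { inside = 0 }
        END { print n + 0 }
    ' "$bundle") || return 1
    echo "$count"
    [ "$count" -ge 1 ]
}

# Constructed sample: the base64 bodies are placeholders, not real certificates.
write_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
TEVBRi1QTEFDRUhPTERFUg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
SU5URVJNRURJQVRFLVBMQUNFSE9MREVS
-----END CERTIFICATE-----
EOF
}

demo_dir=$(mktemp -d)
write_sample_bundle "$demo_dir/fullchain.pem"
split_fullchain "$demo_dir/fullchain.pem" "$demo_dir/out"   # prints 2
```

On the server, the input would be the output of the sudo cat command above saved to a file. The private-key check is there because a key pasted into a certificate field is shown to anyone who can view that configuration.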


Woohoo thanks! It works! I got a green lock and everything! :smile:


I have a similar question regarding this public key thing. See the docs for auth0/node-jsonwebtoken, specifically sign() and verify().

sign() requests a private key and uses .key in the example. I have seen .pem supplied before. In the context of Let’s Encrypt, I assume this would be /etc/letsencrypt/live/

verify() requests a public key. I have no idea what the heck this is within Let’s Encrypt.


That’s a different thing than certificates. It’s just a plain PKI process, kinda like GPG. You can easily make your public and private keys using OpenSSL for that purpose.