Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.
@tleylan It looks like you can get three files corresponding to these with the Certify the Web feature "Deploy to Apache".
The names might be slightly different from those that (for example) Certbot uses, but they have the same content and purpose and can be used in the same way.
The "Deploy to Apache" version is so called because Apache is a popular (originally) Unix web server application that wants all of its certificate-related input files to be in PEM format. Apparently your Express configuration is also looking for the same files, in the same format.
Can you be clearer on where you got this example from, and what exactly you're trying to do? I think you may have received advice about what you asked for instead of what you needed. If your system ends up delegating to the normal node TLS server options, then the ca parameter would only be used to list trusted CAs if you were using client certificates, which probably isn't what you're doing.
I think all you want is for key to be your private key, and cert should be the fullchain.pem or equivalent that list the leaf and all intermediates, and you shouldn't need to pass ca at all.
Yes that turned out to be an example from another server, It may have been the Node HTTP server and didn't notice that at first... but I've removed the ca.pfx entry completely and I'm using the format given in an earlier post.