I need a CA_root.crt

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. crt.sh | example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: video.leylan.com

My web server is (include version): Express 4.17.1

The operating system my web server runs on is (include version): Windows 2019

I can login to a root shell on my machine (yes or no, or I don't know): Yes

I'm using a control panel to manage my site (no, or provide the name and version of the control panel): No

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you're using Certbot): not recognized, I use Certify the Web

Startup of Express is looking for 4 files.

var https_options = {
key: fs.readFileSync("/path/to/private.key"),
cert: fs.readFileSync("/path/to/your_domain_name.crt"),
ca: [

I'm so close to having this work and I believe I have 3 of them setup properly but I don't have the CA_root.crt. Is this something I can export, download and or generate?


You should be able to find what you are looking for here Chain of Trust - Let's Encrypt


You want this:

      key: fs.readFileSync('/etc/letsencrypt/path/to/key.pem'),
      cert: fs.readFileSync('/etc/letsencrypt/path/to/cert.pem'),
      ca: fs.readFileSync('/etc/letsencrypt/path/to/chain.pem'),

Thanks but this is all over my head. I'm stuck implementing security but can't take 6 months out to study it.


Thanks. This is a Windows server so there is no /etc folder but I get the point. Do you think these need to be (or should be .pem files?

My first try with .crt didn't seem to work.


@tleylan It looks like you can get three files corresponding to these with the Certify the Web feature "Deploy to Apache".

The names might be slightly different from those that (for example) Certbot uses, but they have the same content and purpose and can be used in the same way.

The "Deploy to Apache" version is so called because Apache is a popular (originally) Unix web server application that wants all of its certificate-related input files to be in PEM format. Apparently your Express configuration is also looking for the same files, in the same format.


Oh thanks this is the sort of "automated so you can't screw up" solution I was looking for. I have the .pem files now on to testing them.


Sorry, I missed in the first post that you’re using certify the web on windows! My mistake. Please let me know if you need any more help.


No problemo. I consider all information helpful but the "winner" in this event was schoen. The files were generated and everything works! Hurray.

Thanks all.


For anyone looking for the same information, I also responded with some general info here: Node app (running in Windows) - Question - Certify The Web - Support Community


Can you be clearer on where you got this example from, and what exactly you're trying to do? I think you may have received advice about what you asked for instead of what you needed. If your system ends up delegating to the normal node TLS server options, then the ca parameter would only be used to list trusted CAs if you were using client certificates, which probably isn't what you're doing.

I think all you want is for key to be your private key, and cert should be the fullchain.pem or equivalent that list the leaf and all intermediates, and you shouldn't need to pass ca at all.


Yes that turned out to be an example from another server, It may have been the Node HTTP server and didn't notice that at first... but I've removed the ca.pfx entry completely and I'm using the format given in an earlier post.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.