Loading SSL keys onto client, which ones?

Hello I am trying to load 3 SSL .pem files onto my client but I don't know which ones to load. I am trying to load:

  1. ca-cert.pem
  2. client-crt.pem
  3. client-key.pem

I am looking at my /letsencrypt/live/domain and I see the files below but which files correspond to the ones I need?

cert.pem  chain.pem  fullchain.pem  privkey.pem

Also I am only trying to do server-side authentication, so do I need all 3 of these?

1 Like

It's probably going to be:

  • ca-cert.pem → chain.pem
  • client-crt.pem → cert.pem
  • client-key.pem → privkey.pem
4 Likes

Thanks, do you happen to know what fullchain.pem is?

2 Likes

Often you can get away with just supplying privkey.pem+fullchain.pem (the latter of which is just chain.pem concatenated onto cert.pem).

However, if the software you are using is asking for the CA bundle and certificate separately, you should supply them separately.

4 Likes

This is incorrect - you want ca-cert.pem to include a list of CA certificates, like ISRG Root X1 and ISRG Root X2 from Chain of Trust - Let's Encrypt.

In a typical setup, where you're only trying to authenticate the server, and not have the server authenticate the client, you don't need client-crt.pem and client-key.pem. Just the ca-cert.

The files you see under /letsencrypt/live/domain are for your server to use, not the client.

3 Likes

Ah, my bad. It seems likely that these are indeed for client authentication. When I saw "only trying to do server-side authentication" I had assumed these were for the server.

3 Likes

@jsha it is unclear to me what I should be using for ca-cert.pem and where to find it. Do you know?

Perhaps if you were a bit clearer on exactly what software you need to add these three files into, we might be able to better understand the request and provide you with a more exact answer.
I'm assuming you're using an old version of Apache.
[let's see how far that is from the truth]

3 Likes

@Feynman137 let's continue the conversation over on When does one load new ca-certs onto client? - #16 by petercooperjr for clarity.

4 Likes

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.