I want to know the difference between ca_chain.pem and chain.pem. Between these, which one is the root CA?
My domain is: synaz.xyz
I ran this command: certify the web software
output: cert.pem, fullchain.pem, chain.pem, ca_chain.pem, privkey.pem
My web server: xampp 8.2.4, OS: Ubuntu 24.04 LTS
root shell login: yes
no control panel
The only reference to ca-chain.pem (with a - and not a _) in the Certify the Web documentation is at Deployment Task - Deploy to Apache | Certify The Web Docs.. And that documentation doesn't mention any chain.pem.
So I have no clue what you're talking about exactly.
Also note that the Let's Encrypt ACME server does not provide the root certificate in its chain(s). Nor should any other ACME service. The root CA is present in the applicable root trust store(s) and is not relevant for the webserver. Unless you were talking about the intermediate certificate(s), but that's not the same as the root certificate.
yes, it is ca-chain.pem not ca_chain.pem. I want to know about the difference between ca-chain.pem and chain.pem. I've checked, in fullchain.pem, first certificate is cert.pem and second one is chain.pem.
I want to use these certificates for enabling SSL/TLS Connection in EMQX mqtt broker. The configuartion requires three files:
cacertfile: PEM file containing the trusted CA (certificate authority) certificates that the listener uses to verify the authenticity of the client certificates.certfile: PEM file containing the SSL/TLS certificate chain for the listener. If the certificate is not directly issued by a root CA, the intermediate CA certificates should be appended after the listener certificate to form a chain.keyfile: PEM file containing the private key corresponding to the SSL/TLS certificate.I'm requesting for help, what should be the cacertfile and certfile among the certificates generated by let's encrypt
While I don't use CtW, as mentioned earlier, as far as I can tell, CtW doesn't offer chain.pem? What chain.pem do you mean? Where does that chain.pem come from in your situation? From documentation elsewhere?
As far as I can tell, the Certify the Web ca-chain.pem is exactly the same as the chain.pem provided by e.g. Certbot.
These are better questions for the EMQX support forum. And, perhaps CtW forum too. Let's Encrypt itself returns the leaf and its intermediate(s). It is up to the ACME Client (CtW in this case) and the TLS Server and/or Client as to how to merge / split / combine or otherwise use those.
It sounds like you are doing two-way authentication which may have mTLS involved. Note that public CA are not well-suited for that purpose and the Client-Auth EKU is being dropped by LE from its certificates (other CA are as well). A private CA is better suited for mTLS. See LE announcement: Ending TLS Client Authentication Certificate Support in 2026 - Let's Encrypt
These are all somewhat complex design questions better suited for the EMQX experts. There may be other people here who know enough to help you. I just know the general issues with mqtt.
Have you seen: https://docs.emqx.com/en/emqx/latest/network/emqx-mqtt-tls.html
Hi,
You did mention "client certificates" above, as @MikeMcQ pointed out, so we'd need to know more about what you are trying to achieve. Validating a client certificate requires trusting the issuer root, and that won't be Let's Encrypt (any more) as they will not be issuing certs with that key usage.
To get certificate components instead of the default PFX (PKCS#12) archive in Certify The Web you would add a deployment task under Tasks, normally the Deploy to Generic Server task is enough for most types of server that require pem files. Deployment Tasks | Certify The Web Docs
You seem to be asking for the root issuer certificate, which is quite unusual, but you can get a full export including a root (if known and present in the machine store) using the Export Certificate task and choosing Export As: PEM -Intermediate Certificate Chain + Root
The actual contents of a typical PEM chain file depend on the context but typically they are just intermediate CA certificates (not including the root). Note that PEM files are just text and they can be manipulated and concatenated in all manner of ways to suit different deployments using custom scripting (which you can again do as a Task).
For most common servers you can supply a "fullchain" file (which is your leaf cert plus intermediates, no root) and a private key file.
well, I've checked, there is no chain.pem , it was an error. Certify the web generates by let's encrypt: ca-chain.pem, fullchain.pem, cert.pem, key.pem
Not going into the whole "client certificates" bit (as that's not really applicable for Let's Encrypt certificates, at least, currently not recommended and not possible in the near future), you'd likely need to set up your software with:
certfile -> fullchain.pem
keyfile -> key.pem
This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.