What is the purpose of chain.pem files?

A general question about chain.pem files; I used a CSR obtained from my host, and used Certbot from Let's Encrypt to generate an HTTPS cert; I used the following command

$ certbot certonly --manual --csr file-with-my-csr.txt

Certbot produced 3 files: 0000_cert.pem, 0000_chain.pem, 0001_chain.pem;
I then used the cert.pem file to install the cert back at my host; it all worked rather smoothly;

My question is what are the "chain" files used for, as I did not use them anywhere; In what scenarios will they be useful?

2 Likes

Hi,

certbot describes the type of files it will produce for every certificate at User Guide — Certbot 1.11.0.dev0 documentation. To be honest, I couldn't think of a use case where I would need the chain.pem file, because most of the time I would use cert.pem or the full chain. My thoughts were, it would help in some specific use cases, such as where you need to separately put your leaf certificate (the content in cert.pem) and all issuer certificates chained to the leaf certificate. (Maybe when generating p12 files?)

2 Likes

Do note that the section you've linked here is not representative for certbot usage with --csr.

@joe-oli A few things:

  • The usage of --csr is highly undocumented in the certbot documentation.
  • One of those 0000_chain.pem or 0001_chain.pem is the intermediate certificate. Using just the 0000_cert.pem file will ultimately lead to you or users getting errors in their browsers if it can't build a trust chain up to a trusted root. Some/most browsers do have methods to try to build trust chains anyway, but this is not always the case, for example, if the required intermediate isn't cached somewhere. It's highly recommended to install the intermediate certificate in your webserver too. I'm guessing it's 0000_chain.pem but please check just to be sure.
  • With the above said: are you absolutely, 200% sure you require the --csr option? I.e., there is no other way to get to your ultimate goal without using --csr?
4 Likes
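The "please check just to be sure" step above, as an added example that is not part of the thread or of certbot: it builds a throwaway root -> intermediate -> leaf chain with openssl (all names constructed), shows how to tell which *_chain.pem file actually issued the leaf by comparing the leaf's issuer name with each chain file's subject name, and shows that the leaf only verifies up to the root when the intermediate is supplied alongside it.

```shell
#!/bin/sh
# Added example, not from the thread or certbot: throwaway root -> intermediate -> leaf
# chain built with openssl. Every subject name below is constructed for the demo.
set -e
WORK=$(mktemp -d); cd "$WORK"
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > ca.ext

newkey() { openssl req -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=$2" 2>/dev/null; }
newkey root "Test Root"; newkey int "Test Intermediate"; newkey leaf "www.example.test"
# Self-signed root, intermediate signed by the root, leaf signed by the intermediate.
openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext -days 2 -out root.pem 2>/dev/null
openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial -extfile ca.ext -days 2 -out 0000_chain.pem 2>/dev/null
openssl x509 -req -in leaf.csr -CA 0000_chain.pem -CAkey int.key -CAcreateserial -days 2 -out 0000_cert.pem 2>/dev/null
# An unrelated CA standing in for the other 000N_chain.pem file certbot wrote.
newkey other "Some Other CA"
openssl x509 -req -in other.csr -signkey other.key -extfile ca.ext -days 2 -out 0001_chain.pem 2>/dev/null

# Subject / issuer printed in RFC 2253 form so the two strings compare exactly.
subject_of() { openssl x509 -noout -nameopt RFC2253 -subject -in "$1" | sed 's/^[a-z]*= *//'; }
issuer_of()  { openssl x509 -noout -nameopt RFC2253 -issuer  -in "$1" | sed 's/^[a-z]*= *//'; }

# Succeeds when $2 is the certificate that issued $1 (issuer name == subject name).
is_issuer_of() { [ "$(issuer_of "$1")" = "$(subject_of "$2")" ]; }

# Prints the name of the chain file that issued the leaf given as $1.
find_intermediate() {
  for f in 0000_chain.pem 0001_chain.pem; do
    if is_issuer_of "$1" "$f"; then echo "$f"; return 0; fi
  done
  return 1
}

# Does the leaf ($1) verify up to the trusted root with, or without, the intermediate ($2)?
verify_with_intermediate()    { openssl verify -CAfile root.pem -untrusted "$2" "$1" >/dev/null 2>&1; }
verify_without_intermediate() { openssl verify -CAfile root.pem "$1" >/dev/null 2>&1; }

# fullchain = leaf followed by its intermediate; this is what the webserver should serve.
INTERMEDIATE=$(find_intermediate 0000_cert.pem)
cat 0000_cert.pem "$INTERMEDIATE" > fullchain.pem
echo "intermediate for 0000_cert.pem is $INTERMEDIATE"
```

Run against the real certbot output by pointing the functions at your own 0000_cert.pem and chain files; the verify step then needs the public root instead of the throwaway root.pem.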

The only conditions under which I could ever see --csr being required are:

  • You cannot install the private key for the certificate yourself on the intended server (in which case I wonder how you'll install the certificate itself)
  • You've generated the CSR on the intended server and transferred it to a different machine in order to satisfy dns-01 challenges to get a certificate (to avoid transferring the private key for the certificate back to the intended server)
3 Likes
