Which cert is intermediate, and which is "Server" cert?

I successfully obtain 3 pem files from Let’s Encrypt. I need to know which of my 3 files is a “Server Certificate” and which is an “Intermediate,” because these are the two files my hosting provider is asking for.

  • 0000_cert.pem
  • 0000_chain.pem
  • 0001_chain.pem

Which is a Server Certficate and which is an Intermediate? … And what is the 3rd one that is left out?

I am providing my own CSR file, which means my certs are not output into the typical /etc/letsencrypt directories! I run this command:

letsencrypt certonly --webroot --csr MY-OWN-CSR.csr -w /var/www/html -d www.mydomain.com

(you’ll also notice I’m running an older version of certbot, known as letsencrypt, because I’m on an old version of Ubuntu)

Thanks guys :slight_smile:

1 Like

Unfortunately this is indeed the case currently. Also, the documentation of the --csr switch is lacking admirably…

For your (and perhaps many others) information a “conversion” to the regular output files of certbot:

  • 0000_cert.pem   = cert.pem (i.e., the server certificate)
  • 0000_chain.pem = chain.pem (i.e., the intermediate certificate)
  • 0001_chain.pem = fullchain.pem (i.e., a concatenation of cert.pem + chain.pem in one file).

Do note however! Every next time you run certbot --csr ..., the number in the file names changes again!

So the next sequence of outputted files would be:


Unless you move or remove the previously generated files of course :slight_smile: certbot just looks if he can recognise any previous files and counts upwards from there… If there are no previous files to be found, it just starts over again at zero.


Ahh, A+ answer. This clears up much for me.

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.