Why is the CA Cert File not supplied along with cert and key?

I am about to install OpenLDAP with SSL support using letsencrypt, so I am blocked now on the question of where I find the CACERT. Can someone help quickly? Is there a way to find out?

How did you go about getting your certificate in the first place? Usually that comes along in a second file called chain.pem.


When you say CACERT - do you mean the actual ROOT CA cert?
Or the chained CA cert (between the cert and the root)?

Just for reference:
cert.pem = public cert
chain.pem = all intermediate certs
root.pem (would be the root cert; but no one hands those out - bad idea - they should already be known)

fullchain.pem (which should also be named certchain.pem) = cert.pem + chain.pem
Which equals: public cert + all intermediate certs
and that one gives you all there is to give.


This is what they want me to supply (http://www.openldap.org/faq/data/cache/185.html):

TLSCACertificateFile /usr/local/etc/openldap/cacert.pem
TLSCertificateFile /usr/local/etc/openldap/servercrt.pem
TLSCertificateKeyFile /usr/local/etc/openldap/serverkey.pem

my certificates are in the folder /etc/letsencrypt/live/domain.tld
as we know they are called: cert.pem, chain.pem, fullchain.pem, privkey.pem

I created them with certbot …

Here the correspondences are:



what is the difference between fullchain and chain?

fullchain.pem contains the certificate and chain combined in one file. In other words, it’s cert.pem plus chain.pem. chain.pem is just the, uh, chain.

Certbot creates an assortment of files because different software takes the same input in different ways.

Although different sources use this terminology a bit differently, in my interpretation the chain, strictly speaking, includes the end-entity certificate as well as the intermediate certificates, so in that sense the fullchain.pem is the full chain, while chain.pem is only a partial chain. (But it’s also common to refer to intermediate certificates as “chain certificates”, while it’s not common to refer to end-entity certificates that way.)

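The file roles described in the two replies above (cert.pem, chain.pem, fullchain.pem, and the root that nobody hands out) can be checked with openssl rather than taken on faith. The script below is an added example, not code from the thread, from certbot or from OpenLDAP: it builds a throwaway root, intermediate and server certificate (all names, keys and the ldap.example.test hostname are constructed), lays the files out with certbot's names, and then checks what each file proves. The paths under a real /etc/letsencrypt/live/domain.tld directory would take the place of "$WORK".

```shell
#!/bin/sh
# Added example, not from the thread: build a throwaway root -> intermediate -> leaf
# PKI with openssl, lay the files out the way certbot names them, and check what
# each file can and cannot prove. All names and keys here are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Root CA, self-signed. In a real deployment this already lives in the OS trust
# store, which is why certbot never hands it out.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Root" \
  -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

# Intermediate CA, signed by the root and marked CA:TRUE so it may issue certificates.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
  > "$WORK/ca.ext"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Constructed Intermediate" \
  -keyout "$WORK/intermediate.key" -out "$WORK/intermediate.csr" 2>/dev/null
openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
  -CAcreateserial -days 2 -extfile "$WORK/ca.ext" -out "$WORK/intermediate.pem" 2>/dev/null

# End-entity (server) certificate for the LDAP host, signed by the intermediate.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:ldap.example.test\n' > "$WORK/leaf.ext"
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
  -keyout "$WORK/privkey.pem" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/intermediate.pem" -CAkey "$WORK/intermediate.key" \
  -CAcreateserial -days 2 -extfile "$WORK/leaf.ext" -out "$WORK/cert.pem" 2>/dev/null

# certbot layout: chain.pem = intermediates only, fullchain.pem = cert.pem + chain.pem.
cp "$WORK/intermediate.pem" "$WORK/chain.pem"
cat "$WORK/cert.pem" "$WORK/chain.pem" > "$WORK/fullchain.pem"

# Number of PEM certificate blocks in a file.
count_certs() {
  grep -c 'BEGIN CERTIFICATE' "$1"
}

# True when fullchain.pem is exactly cert.pem followed by chain.pem.
fullchain_is_cert_plus_chain() {
  cat "$1/cert.pem" "$1/chain.pem" | cmp -s - "$1/fullchain.pem"
}

# True when the private key matches the public key inside the certificate,
# the pairing slapd expects between TLSCertificateKeyFile and TLSCertificateFile.
key_matches_cert() {
  [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = \
    "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# True when the leaf ($3) chains to a trust anchor in $1 via the intermediates in $2.
verify_leaf() {
  openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1
}

if verify_leaf "$WORK/root.pem" "$WORK/chain.pem" "$WORK/cert.pem"; then
  echo "cert.pem verifies against root.pem with chain.pem supplying the intermediates"
fi
if ! verify_leaf "$WORK/chain.pem" "$WORK/chain.pem" "$WORK/cert.pem"; then
  echo "chain.pem alone is not a trust anchor: the root must already be known to the verifier"
fi
```

The last two checks are the point of the thread: chain.pem completes the path from the server certificate up to a root, but it is not itself a root, so a verifier that trusts only chain.pem still fails. That is why the intermediates are what you supply alongside the certificate and key, and why no root file is shipped. Which certbot file goes into which slapd directive is not something this script decides; the three directives quoted earlier in the thread are where that mapping is made.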
