Snappawapa

Reputation: 2012

How to get .crt and .key from cert.pem and key.pem

I know this is a super similar question to many other questions, but none of them either give a straight answer or one that works for me...

I have gotten two files from Let's encrypt:

I need to get them into a crt and key format for use on an nginx server.

I have tried:

openssl rsa -outform der -in key.pem -out key.key

and

openssl x509 -outform der -in cert.pem -out cert.crt

but get the following error when starting up nginx:

# service nginx restart
Performing sanity check on nginx configuration:
nginx: [emerg] cannot load certificate "/etc/ssl/nginx/cert.crt": PEM_read_bio_X509_AUX() failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed

Upvotes: 8

Views: 32962

Answers (2)

Takahiko Kawasaki

Reputation: 19001

The extension .pem indicates that the file format is PEM (Privacy-Enhanced Mail). However, the extension does not tell anything about the content of the file. The content may be a certificate, a private key, a public key, or something else.

The extension .crt indicates that the content of the file is a certificate. However, the extension does not tell anything about the file format. The file format may be PEM, DER (Distinguished Encoding Rules) or something else. If the file is text and contains -----BEGIN CERTIFICATE-----, the file format is PEM. On the other hand, if the file is binary, it is highly likely that the file format is DER.

The extension .key indicates that the content of the file is a private key. However, the extension does not tell anything about the file format. The file format may be PEM, DER or something else. If the file is text and contains -----BEGIN PRIVATE KEY----- (or something similar), the file format is PEM. On the other hand, if the file is binary, it is highly likely that the file format is DER.

The diagrams below, from "Illustrated X.509 Certificate", illustrate the relationship among ASN.1 (X.680), DER (X.690), BASE64 (RFC 4648) and PEM (RFC 7468).

Figure: relationship among ASN.1, DER, BASE64 and PEM

Figure: relationship among ASN.1, DER, BASE64 and PEM (application to X.509 certificates)

Both ssl_certificate and ssl_certificate_key of ngx_http_ssl_module expect the file format to be PEM, as the reference document says. Therefore, you don't have to change the file format of your cert.pem and key.pem, because their file extension .pem indicates that their file format is already PEM. Just write the lines below in your Nginx configuration file.

ssl_certificate     /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;

If you prefer .crt and .key extensions, just rename them like below.

$ mv cert.pem cert.crt
$ mv key.pem  key.key

Upvotes: 21
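As an added example (not code from either answer or from nginx), a small Python script that applies the content test described above: it tells PEM from DER by looking at the bytes rather than the extension, lists the PEM labels present (a Let's Encrypt fullchain carries several CERTIFICATE blocks), and converts between the two encodings following RFC 7468. A PEM reader such as nginx's fails with "no start line" on DER input, which is what `openssl ... -outform der` writes. The sample bytes are a constructed minimal ASN.1 SEQUENCE, not a real certificate.

```python
import base64
import re

# One PEM block (RFC 7468): BEGIN line, base64 body, matching END line.
PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----",
    re.DOTALL,
)


def classify(data: bytes) -> dict:
    """Report the encoding (PEM or DER) and, for PEM, the labels present."""
    labels = [m.group(1).decode() for m in PEM_RE.finditer(data)]
    if labels:
        return {"format": "PEM", "labels": labels}
    # DER-encoded X.509 certificates and PKCS#1/PKCS#8 keys all begin with an
    # ASN.1 SEQUENCE tag (0x30), so a leading 0x30 is a strong hint of DER.
    if data[:1] == b"\x30":
        return {"format": "DER", "labels": []}
    return {"format": "unknown", "labels": []}


def pem_to_der(pem: bytes, label: str) -> bytes:
    """Return the DER bytes of the first block carrying the given label."""
    for m in PEM_RE.finditer(pem):
        if m.group(1).decode() == label:
            return base64.b64decode(b"".join(m.group(2).split()))
    raise ValueError(f"no {label} block found")


def der_to_pem(der: bytes, label: str) -> bytes:
    """Wrap DER bytes in a PEM envelope: base64 body folded at 64 columns."""
    body = base64.b64encode(der)
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return (b"-----BEGIN " + label.encode() + b"-----\n"
            + b"\n".join(lines) + b"\n"
            + b"-----END " + label.encode() + b"-----\n")


# Constructed sample: a minimal DER SEQUENCE { INTEGER 5 }; it is not a real
# certificate, just enough structure to exercise the round trip offline.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = der_to_pem(SAMPLE_DER, "CERTIFICATE")

if __name__ == "__main__":
    print(classify(SAMPLE_DER))  # DER: what `openssl x509 -outform der` writes
    print(classify(SAMPLE_PEM))  # PEM: what nginx's ssl_certificate expects
    assert pem_to_der(SAMPLE_PEM, "CERTIFICATE") == SAMPLE_DER
```

Run it against a real file with `classify(open("cert.crt", "rb").read())`; a result of DER means the file has to be converted back with `der_to_pem` (or `openssl x509 -inform der`) before nginx will load it.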

mama

Reputation: 2227

When you want to set up NGINX with Let's Encrypt, you can do it automatically by using the application certbot.

To install certbot for nginx:

On Ubuntu/Debian:

sudo apt install python-certbot-nginx

On Arch Linux:

sudo pacman -S certbot-nginx

On CentOS:

sudo yum install epel-release
sudo yum install certbot-nginx

Then you need to make a very simple configuration file for your domain. The directory should be the same for all the mentioned operating systems:

/etc/nginx/sites-available/example.com

In here you just add this information:

server {
        listen 80;
        listen [::]:80;
        
        server_name example.com www.example.com;

        location / {
                proxy_pass http://127.0.0.1:5000; # Example
        }
}

Then create the symlink to activate the domain:

sudo ln -s /etc/nginx/sites-available/example.com /etc/nginx/sites-enabled/

Remember to replace example.com with your domain, and switch proxy_pass to your service or the directory of hosted files.

Now you should restart NGINX:

sudo nginx -t

This one will return an error if you have errors in your configuration.

If everything is OK, then restart NGINX:

sudo systemctl restart nginx.service

Now certbot comes into the picture:

sudo certbot --nginx -d example.com -d www.example.com

At this point Let's Encrypt will try to reach your nginx server, and if everything is OK, this means:

  • Firewall settings allow ports 80 and 443 to pass
  • Port forwarding through the network for the 2 ports is allowed

Then you will get to pick easy or secure access. I recommend the secure option.

When you have pressed [enter], the process will finish and certbot will have generated all your certificate files and added them to the correct path.

Your configuration file in /etc/nginx/sites-available/example.com will have been updated with all the correct settings.

You may be required to restart nginx once again.

I hope it was helpful. Good luck.

[Sources]

https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-ubuntu-18-04

https://www.digitalocean.com/community/tutorials/how-to-secure-nginx-with-let-s-encrypt-on-centos-7

https://wiki.archlinux.org/index.php/Certbot#Nginx

Upvotes: 0
