When I recently renewed my SSL certificate files from 123-reg, I was confused by all the different files they sent me. If you’ve ever wondered what those various SSL certificate files are for, here’s what I learned through the process.
The Certificate Files Breakdown
When I downloaded my new SSL certs, I got these files:
certificate.crt – The main certificate file
certificate.pem – Same certificate in PEM format
bundle.crt – The intermediate certificate bundle
On my server, I already had:
server-cert.crt – My old main certificate
server-intermediate.crt – My old intermediate certificate
server.key – My private key
What Each File Actually Does
Main Certificate (.crt)
This is your actual SSL certificate. It identifies your domain and contains your public key. Browsers check this to verify your site is secure.
PEM File (.pem)
The .pem file is literally the same certificate as the .crt file, just with a different extension. Certificate providers give you both because some servers prefer one over the other. They contain identical information.
To check if they’re the same:
openssl x509 -fingerprint -noout -in certificate.pem
openssl x509 -fingerprint -noout -in certificate.crt
Intermediate Certificate Bundle
This file contains the certificates that link your certificate to a trusted root certificate. Without this, browsers would show security warnings because they can’t establish a trust chain.
Private Key (.key)
This stays on your server and never gets shared. Your certificate must match this key.
Checking If Certificates Match Your Key
The most important thing is making sure your new certificate works with your existing private key. Run these commands:
openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5
If you get the same hash output, they match. If not, the certificate won’t work with your key.
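The same check as a script, as an added example that is not from the original post: it compares public keys rather than the RSA modulus, so it also works for EC keys, which the openssl rsa command above cannot read. The function names, the sample generator, the script name in the usage comment and the assumption that the bundle lists the issuing intermediate first are choices made for this example.

```shell
#!/bin/sh
# Added example: pre-deployment checks for a renewed certificate.
# Assumes an unencrypted private key and the openssl CLI on PATH.

# Public key (PEM) of a certificate / of a private key. Works for RSA and EC.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
key_pubkey()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# 0 if the certificate was issued for this private key, 1 if not,
# 2 if either file could not be read.
cert_matches_key() {
    cpub=$(cert_pubkey "$1") || return 2
    kpub=$(key_pubkey "$2") || return 2
    [ -n "$cpub" ] && [ "$cpub" = "$kpub" ]
}

# 0 if the certificate's issuer name equals the subject of the first
# certificate in the bundle (assumption: the bundle lists the issuing
# intermediate first). A name comparison only, not signature verification.
issued_by_bundle() {
    iss=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 2>/dev/null) || return 2
    sub=$(openssl x509 -in "$2" -noout -subject -nameopt RFC2253 2>/dev/null) || return 2
    [ "${iss#issuer=}" = "${sub#subject=}" ]
}

# Constructed sample input: a throwaway self-signed EC certificate and key.
make_sample() {  # make_sample DIR NAME  ->  DIR/NAME.crt and DIR/NAME.key
    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.crt" -subj "/CN=$2.example.test" \
        -days 1 >/dev/null 2>&1
}

# Usage: sh check-renewal.sh certificate.crt server.key bundle.crt
if [ "$#" -eq 3 ]; then
    cert_matches_key "$1" "$2" || { echo "certificate does not match key" >&2; exit 1; }
    issued_by_bundle "$1" "$3" || { echo "bundle does not name the issuer" >&2; exit 1; }
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null || { echo "certificate expired" >&2; exit 1; }
    echo "OK"
fi
```

Run it against the new files before touching the server config; a non-zero exit means the new certificate, key and bundle do not belong together.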
Apache Configuration
For Apache, you need these lines in your config:
SSLCertificateFile /path/to/certificate.crt
SSLCertificateKeyFile /path/to/server.key
SSLCertificateChainFile /path/to/bundle.crt
The Confusing Part
The most confusing thing was the intermediate certificate file. My old one looked different from the new one, but they serve the same purpose. As long as you use the intermediate file that came with your new certificate, you’re good.
When updating SSL certs, just replace both your main certificate and the intermediate bundle with the new ones. Keep your private key if it matches the new certificate.
That’s it – not as complicated as it first seemed.