SSL Certificate Files: A Simple Guide to Website Security

When I recently renewed my SSL certificate files from 123-reg, I was confused by all the different files they sent me. If you’ve ever wondered what those various SSL certificate files are for, here’s what I learned through the process.

The Certificate Files Breakdown

When I downloaded my new SSL certs, I got these files:

  • certificate.crt – The main certificate file
  • certificate.pem – Same certificate in PEM format
  • bundle.crt – The intermediate certificate bundle

On my server, I already had:

  • server-cert.crt – My old main certificate
  • server-intermediate.crt – My old intermediate certificate
  • server.key – My private key

What Each File Actually Does

Main Certificate (.crt)

This is your actual SSL certificate. It identifies your domain and contains your public key. Browsers check it to confirm that they are really connecting to your domain.

PEM File (.pem)

The .pem file is literally the same certificate as the .crt file, just with a different extension. Certificate providers give you both because some servers prefer one over the other. They contain identical information.

To check if they’re the same, compare their fingerprints. Identical output means both files hold the same certificate:

openssl x509 -fingerprint -noout -in certificate.pem
openssl x509 -fingerprint -noout -in certificate.crt

Intermediate Certificate Bundle

This file contains the certificates that link your certificate to a trusted root certificate. Without this, browsers would show security warnings because they can’t establish a trust chain.

Private Key (.key)

This stays on your server and never gets shared. Your certificate must match this key.

Checking If Certificates Match Your Key

The most important thing is making sure your new certificate works with your existing private key. Run these commands:

openssl x509 -noout -modulus -in certificate.crt | openssl md5
openssl rsa -noout -modulus -in server.key | openssl md5

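If you get the same hash output, they match. If not, the certificate won’t work with your key. These two commands only apply to RSA keys, because the modulus is an RSA value. MD5 is used here only to shorten the output for comparison, not for security.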
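An added example, not from the original post: shell functions for the key-match check above that compare public keys instead of RSA moduli, so they also cover EC keys, plus a check that the certificate verifies through the intermediate bundle described earlier. The helpers `new_csr` and `make_demo`, the optional root-file argument, and the demo certificates are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. File names follow the post;
# make_demo builds constructed test certificates so the checks run offline.

# 0 if the certificate's public key equals the one derived from the private
# key. Unlike the -modulus comparison, this also works for EC keys.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if the certificate chains to a trusted root through the bundle.
# $3 (assumption, for the demo) names a root file; otherwise OpenSSL's
# default trust store is used.
chain_ok() {
    if [ -n "$3" ]; then
        openssl verify -CAfile "$3" -untrusted "$2" "$1" >/dev/null 2>&1
    else
        openssl verify -untrusted "$2" "$1" >/dev/null 2>&1
    fi
}

# Hypothetical helper: EC P-256 key "$1.key" and CSR "$1.csr" with CN "$2".
new_csr() {
    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -subj "/CN=$2" -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# Hypothetical helper: constructed root -> intermediate -> leaf in dir "$1".
make_demo() (
    cd "$1" || exit 1
    printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext
    new_csr root "Constructed Root" && new_csr bundle "Constructed Intermediate" &&
    new_csr server "example.test" && new_csr other "unrelated" &&
    openssl x509 -req -in root.csr -signkey root.key -extfile ca.ext \
        -days 2 -out root.crt 2>/dev/null &&
    openssl x509 -req -in bundle.csr -CA root.crt -CAkey root.key \
        -CAcreateserial -extfile ca.ext -days 2 -out bundle.crt 2>/dev/null &&
    openssl x509 -req -in server.csr -CA bundle.crt -CAkey bundle.key \
        -CAcreateserial -days 2 -out certificate.crt 2>/dev/null
)
```

Against real files, run `cert_matches_key certificate.crt server.key` and `chain_ok certificate.crt bundle.crt` and check each exit status.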

Apache Configuration

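For Apache, you need these lines in your config. Note that SSLCertificateChainFile is deprecated as of Apache 2.4.8, where the intermediate certificates can instead be appended to the file named by SSLCertificateFile: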

SSLCertificateFile /path/to/certificate.crt
SSLCertificateKeyFile /path/to/server.key
SSLCertificateChainFile /path/to/bundle.crt

The Confusing Part

The most confusing thing was the intermediate certificate file. My old one looked different from the new one, but they serve the same purpose. As long as you use the intermediate file that came with your new certificate, you’re good.

When updating SSL certs, just replace both your main certificate and the intermediate bundle with the new ones. Keep your private key if it matches the new certificate.

That’s it – not as complicated as it first seemed.
