If you have worked with TLS certificates, you may have encountered files with the extensions .pem, .crt, and .key. You might be wondering what they are, what differences they have, and how to use them effectively.
The good news is that these formats aren’t as complicated as they seem once you understand the basics:
PEM, CRT, and KEY are not different certificate types — they are different ways of packaging the same data.
In this post, we’ll clarify these concepts and provide practical examples to make your life easier, especially when setting up local HTTPS with Nginx.
By the end, you’ll know:
- What a .pem file truly is
- How .crt and .key relate to .pem
- When to use a CA certificate vs a server certificate
- How to generate and use PEM files generated by tools like oneclicktls.com with Nginx
The Core Concept (Read This First)
PEM is a format, not a purpose.
.pem indicates how the file is encoded. .crt and .key describe what the file is used for.
All three formats are usually:
- Base64-encoded
- Wrapped in -----BEGIN ...----- and -----END ...----- lines
What Is a PEM File?
A .pem file is essentially a text file that encapsulates one or more cryptographic objects.
A PEM file can contain:
- A server certificate
- A private key
- A CA certificate
- Or all of them combined
Example PEM contents:
-----BEGIN CERTIFICATE-----
(server certificate)
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
(private key)
-----END PRIVATE KEY-----
Since PEM files can hold multiple components, they can sometimes lead to confusion.
What Is a CRT File?
A .crt file typically:
- Contains a certificate only
- Holds public information
- Does not include a private key
In PEM format, it appears as:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
Key Points:
- .crt is just a naming convention.
- Most .crt files are actually PEM files internally.
You can even rename a .pem file to .crt without changing its content.
What Is a KEY File?
A .key file primarily contains:
- A private key
- Which must be kept confidential
- And never committed to Git or shared
Example format:
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
Remember:
- .key is just a naming convention.
- The format is still PEM.
If you’re confident your .pem file contains a private key, you can rename it to .key.
Why This Confuses People
The confusion often arises during server configurations, especially with Nginx. Here’s where things typically go awry:
- A tool may generate a single .pem file that combines both a server certificate and a private key.
- Nginx explicitly requires two separate directives: ssl_certificate (the certificate) and ssl_certificate_key (the private key).
- Users may struggle with splitting or renaming the PEM file appropriately.
Things complicate further when a tool generates ca.pem and ca-key.pem, which are CA files and not server files. For proper functionality, Nginx specifically needs the server certificate and server key.
CA Certificate vs. Server Certificate (Very Important)
CA Certificate
- Used to sign other certificates.
- Not directly needed by Nginx for HTTPS.
- Common file names include ca.pem and ca.key.
Server Certificate
- Uniquely identifies your server (or domain).
- Used directly by Nginx for secure connections.
- Common file names include domain.crt and domain.key.
For local development, you typically do not need a CA certificate.
The Nginx Rule (Remember This)
When configuring Nginx, keep these directives in mind:
ssl_certificate -> certificate only
ssl_certificate_key -> private key only
If both are specified correctly, Nginx runs smoothly. A mismatch can lead to silent failures or confusing error messages.
Using oneclicktls.com (Practical Example)
Let’s bring this to life with a practical example.
Step 1: Generate TLS Files
Visit:
https://oneclicktls.com
Input your parameters:
- Domain: example.com
Download the generated PEM files or copy generated contents directly. You’ll typically receive:
- One PEM for the server certificate
- One PEM for the private key
Step 2: Rename the Files
You do not need to convert these files; they’re already in the correct format.
Simply rename them:
server.pem -> example.com.crt
server-key.pem -> example.com.key
Why this works:
- The contents remain PEM.
- Nginx focuses on the contents, not the file extensions.
Q&A: Common Questions
What If You Have a Single Combined PEM?
If a tool generates a single PEM file containing everything:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
-----BEGIN PRIVATE KEY-----
...
-----END PRIVATE KEY-----
You’ll need to split it into two separate files:
- Extract the CERTIFICATE block and save it as a .crt file.
- Extract the PRIVATE KEY block and save it as a .key file.
Important: Do not combine them in your Nginx configuration.
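As an added example (not code from the original post or from oneclicktls.com), the splitter below does in Python what this section and the Core Concept section describe: it parses the BEGIN/END armor, checks that each body is valid Base64 that decodes to a DER SEQUENCE, separates the CERTIFICATE block(s) from the single PRIVATE KEY block, and writes them as the two files Nginx expects, creating the key file mode 0600. The function names and the sample input are my own; the sample bodies are constructed dummy DER, not real certificate or key material.

```python
import base64
import os
import re

# One PEM "armor" block: a label, a base64 body, and the matching END line.
_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def parse_pem(text):
    """Return every armored object in text as a dict {label, pem, der}."""
    objects = []
    for match in _PEM_BLOCK.finditer(text):
        label, body = match.group(1), match.group(2)
        der = base64.b64decode("".join(body.split()), validate=True)
        # X.509 certificates and PKCS#8 keys are DER SEQUENCEs (first byte 0x30).
        if not der or der[0] != 0x30:
            raise ValueError(f"{label} block does not decode to a DER SEQUENCE")
        objects.append({"label": label, "pem": match.group(0) + "\n", "der": der})
    return objects

def split_for_nginx(text):
    """Split a combined PEM into what Nginx wants: 'crt' (all CERTIFICATE
    blocks, in file order) and 'key' (exactly one private key)."""
    certs, keys = [], []
    for obj in parse_pem(text):
        if obj["label"] == "CERTIFICATE":
            certs.append(obj["pem"])
        elif obj["label"].endswith("PRIVATE KEY"):  # PKCS#8, RSA or EC labels
            keys.append(obj["pem"])
    if not certs or len(keys) != 1:
        raise ValueError(f"need >=1 certificate and exactly 1 key, found {len(certs)} and {len(keys)}")
    return {"crt": "".join(certs), "key": keys[0]}

def write_for_nginx(text, crt_path, key_path):
    """Write the two files; the private key file is created mode 0600."""
    parts = split_for_nginx(text)
    with open(crt_path, "w") as f:
        f.write(parts["crt"])
    fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(parts["key"])

# Constructed sample input: the bodies are tiny dummy DER SEQUENCEs, not real
# certificate or key material, so the file runs offline.
_CERT_B64 = base64.b64encode(b"\x30\x03\x02\x01\x00").decode()
_KEY_B64 = base64.b64encode(b"\x30\x03\x02\x01\x01").decode()
COMBINED_PEM = (
    f"-----BEGIN CERTIFICATE-----\n{_CERT_B64}\n-----END CERTIFICATE-----\n"
    f"-----BEGIN PRIVATE KEY-----\n{_KEY_B64}\n-----END PRIVATE KEY-----\n"
)
```

Calling write_for_nginx(COMBINED_PEM, "example.com.crt", "example.com.key") produces exactly the pair of files the renaming step above ends with.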
When Is It OK to Combine PEM Files?
Combining PEM files may be appropriate in contexts like creating certificate chain files. However, for Nginx configurations:
- Always keep the certificate and private key in separate files.
Common Mistakes to Avoid
Keep these potential pitfalls in mind:
- Using a CA certificate as your ssl_certificate.
- Using a CA private key as your server key.
- Combining the certificate and key into one file for Nginx.
- Assuming that file extensions like .pem and .crt change functionality.
- Generating CA certificates when only a server certificate is needed.
Final Takeaway
If you’re setting up HTTPS locally, remember:
- You typically do not need a CA certificate.
- You don’t need mastery of OpenSSL.
- You only need:
- One server certificate
- One private key
PEM files can often be used directly; renaming them is usually sufficient.
To eliminate confusion, tools like oneclicktls.com can generate exactly what Nginx expects, simplifying your setup.
With this understanding, working with TLS becomes less intimidating and just another part of your configuration toolkit.