Does a PEM file containing the full cert chain and private key have a specific name?

[polarathene]

I've seen various provisioning of files:

• A separate server/leaf certificate and private key files.
• "bundling" a "fullchain" file that contains the chain of trust with intermediate or root CA certs, but not private key. I think it's less common to find root CA cert included, but in some scenarios has value?
• A "fullchain" bundle with a private key included (for some services like Postfix), where the private key (for the leaf cert) is first, followed by the leaf cert and any subsequent certs in the chain.

Certbot has it's own naming conventions: privkey.pem, fullchain.pem, cert.pem, chain.pem (the rest of the chain excluding the leaf cert).

There doesn't seem to be any particular name that I could find when the private key is included with the full certificate chain. I assume fullchain may be inappropriate?

I'm contributing a PR feature which requires this format and just want to make sure I name it correctly. Is there some industry term specific to that mix? I noticed step doesn't have support for creating such a file, it only offers the fullchain kind via step certificate bundle.

[tashian]

There's a lot of standards and formats and not a lot of consistency among them.

One term that comes to mind is "bundle". The precedent for this is PKCS #12 files, which are often used to bundle the cert and private key. They are especially popular for Java and some Microsoft applications.

[maraino]

Don't use PKCS#12.

[maraino]

As far as I know, there's no specific or most common name for a PEM file containing the leaf+intermediate(s)+key.

step doesn't really create those files, most of the applications using PEM files, uses two different files for it, and if really needed you can always do cat cert.pem cert.key > whatever.pem.

There's an old format called PKCS#12 that contains the full chain and the private key, but it shouldn't be used for new applications because it's based on weak encryption primitives.

[polarathene]

step doesn't really create those files, most of the applications using PEM files, uses two different files for it

Isn't that what step certificate bundle is for minus the private key? It's alright, I'm not requesting feature support for this as I understand it's niche.

The software is Postfix and the setting does allow you to provide the two files separately with private key provided first followed by the cert chain filepaths on the same line. It's just a supported input for the projects TLS config (that packages Postfix and several other services) and requires having some tests in place along with some shell script variables referring to it.

I ended up going with a clear descriptive name of key_with_fullchain.pem (in a directory for the main SAN domain it's registered to).

There's an old format called PKCS#12 that contains the full chain and the private key, but it shouldn't be used for new applications because it's based on weak encryption primitives.

Yeah I'm aware of this format too, but we only support PEM 👍