
difference between ca and cert

I am trying to use the Node https API to set up an HTTPS server. In the API document there are two parameters that confuse me. ca:

Optionally override the trusted CA certificates. Default is to trust the well-known CAs curated by Mozilla. Mozilla's CAs are completely replaced when CAs are explicitly specified using this option. The value can be a string or Buffer, or an Array of strings and/or Buffers. Any string or Buffer can contain multiple PEM CAs concatenated together. The peer's certificate must be chainable to a CA trusted by the server for the connection to be authenticated. When using certificates that are not chainable to a well-known CA, the certificate's CA must be explicitly specified as a trusted or the connection will fail to authenticate. If the peer uses a certificate that doesn't match or chain to one of the default CAs, use the ca option to provide a CA certificate that the peer's certificate can match or chain to. For self-signed certificates, the certificate is its own CA, and must be provided. For PEM encoded certificates, supported types are "TRUSTED CERTIFICATE", "X509 CERTIFICATE", and "CERTIFICATE".

cert:
Cert chains in PEM format. One cert chain should be provided per private key. Each cert chain should consist of the PEM formatted certificate for a provided private key, followed by the PEM formatted intermediate certificates (if any), in order, and not including the root CA (the root CA must be pre-known to the peer, see ca). When providing multiple cert chains, they do not have to be in the same order as their private keys in key. If the intermediate certificates are not provided, the peer will not be able to validate the certificate, and the handshake will fail.

What is the difference between them? As I understand it, there are just a client pem and a key pem in the https system. Why does it need more stuff like ca and cert? I generated the pem via certbot, and four files were generated: cert.pem chain.pem fullchain.pem privkey.pem. What is the difference between cert.pem, chain.pem and fullchain.pem?


  • The ca is the issuer of the cert. So when I trust the ca but don't know your cert, I can trust it as it is issued (signed) by a trusted source.

    I generated the pem via certbot, and four files were generated

    Could you post the files except privkey.pem, which should be private?

    What is the difference between cert.pem, chain.pem and fullchain.pem?

    Usually it goes like this:

    • cert.pem contains the certificate - public key and metadata (issuer, serial number, subject, SAN, attributes and extensions).
    • privkey.pem contains the private key of your certificate.
    • chain.pem contains your certificate and its issuer - there could be more instances in the chain like Root CA -> Sub CA -> your cert.
    • fullchain.pem contains your certificate and all CAs up to the root CA.