
I have 3 files: a private PEM cert, a public PEM cert, and a file containing the CAs that signed those (it's in plain text). I am attempting to set up Grafana, which requires an RSA private key and a fullchain certificate.

I'm not exactly sure what a fullchain is. I know how to convert the private PEM to an RSA private key using openssl rsa -in private.pem -out rsa_private.key

I've tried just sticking the plaintext in as the full chain, but it doesn't work. (The log message states: failed to find certificate PEM data in certificate input, but did find a private key; PEM inputs may have been switched)

I was able to get it working using my own self-signed certs, as documented on the Grafana docs page, but can't seem to integrate the CAs I need.

Any help would be great, thank you.

1 Answer


"fullchain" is not a type of certificate; it's a commonly used name for a file that contains a PEM-format certificate and its issuing CAs together. (The "fullchain.pem" filename was popularized by Certbot, the original Let's Encrypt ACME client, and is literally a combination of "cert.pem" and "chain.pem" files.)

A full chain file generally looks like this, with the server's own certificate always at the top:

-----BEGIN CERTIFICATE-----
<data of end-entity cert>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<data of intermediate cert>
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
<data of root cert>
-----END CERTIFICATE-----

In its typical definition (i.e. what Certbot generates), the "fullchain.pem" file contains only certificates, not private keys – the key stays separate in its own file.

(Note: Although I did include the root CA in the "full chain" example, most of the time you wouldn't actually add the root CA – the client has it anyway.)

(Note 2: Some CAs such as Sectigo call this "reversed"; Sectigo's "normal" chain file is actually root-first and therefore backwards from what TLS requires.)


All certificates are public by definition; there's no such thing as a "private pem cert". The private file only contains a plain private key.

Most likely you can use your private-key file directly without any conversion (assuming your command even did anything at all – in the past it used to be a way to convert PKCS#8-format key files into the older "PEM" format, but now it just outputs PKCS#8 anyway unless you pass -traditional to explicitly request the old format).

  • PKCS#8 format (the key type is embedded within the data):

    -----BEGIN PRIVATE KEY-----
    <key data>
    -----END PRIVATE KEY-----

  • PKCS#1 aka "PEM" format (the key type is indicated through the header):

    -----BEGIN RSA PRIVATE KEY-----
    <key data>
    -----END RSA PRIVATE KEY-----

Some programs do require the certificates and the private key to be in the same file; usually in that case the key can just go at the very end. (In very rare cases, though, you need to order them like "host cert → host privkey → CA chain".) But according to Grafana's documentation, that's not the case for you – Grafana expects only the certificates in cert_file, while the key goes in cert_key.

grawity
  • 501,077
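
The layout described in the answer above can be checked before Grafana is restarted. This is an added example, not part of the original answer or of Grafana: it reads only the PEM BEGIN/END labels to flag the mix-up the quoted log message points to, and assembles a leaf-first chain from a server certificate and a plain-text CA file. The function names and the placeholder PEM bodies are constructed for illustration, and the order of the CA certificates is assumed to be correct already.

```python
import re

# One PEM block: BEGIN line, base64 body, matching END line (RFC 7468 framing).
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n.*?\r?\n-----END \1-----", re.S)

KEY_LABELS = {
    "PRIVATE KEY": "PKCS#8",
    "RSA PRIVATE KEY": "PKCS#1",
    "ENCRYPTED PRIVATE KEY": "PKCS#8 (passphrase-protected)",
}

def pem_blocks(text):
    """Return (label, full_block_text) for every PEM block, in file order."""
    return [(m.group(1), m.group(0)) for m in PEM_BLOCK.finditer(text)]

def check_pair(cert_text, key_text):
    """List problems with the contents intended for cert_file and cert_key."""
    problems = []
    cert_labels = [label for label, _ in pem_blocks(cert_text)]
    key_labels = [label for label, _ in pem_blocks(key_text)]
    if "CERTIFICATE" not in cert_labels:
        found = ", ".join(cert_labels) or "no PEM blocks"
        problems.append(f"cert_file: no certificate ({found})")
    elif any(label in KEY_LABELS for label in cert_labels):
        problems.append("cert_file: contains a private key")
    if len(key_labels) != 1 or key_labels[0] not in KEY_LABELS:
        found = ", ".join(key_labels) or "no PEM blocks"
        problems.append(f"cert_key: expected one private key ({found})")
    return problems

def build_fullchain(leaf_text, ca_text):
    """Server certificate first, then the CA certificates in their given order.
    Non-certificate blocks and plain-text commentary are dropped. The CA order
    is not checked, so a root-first bundle must be reversed beforehand."""
    leaf = [b for label, b in pem_blocks(leaf_text) if label == "CERTIFICATE"]
    if len(leaf) != 1:
        raise ValueError(f"expected exactly one server certificate, got {len(leaf)}")
    cas = [b for label, b in pem_blocks(ca_text) if label == "CERTIFICATE"]
    return "\n".join(leaf + cas) + "\n"

def _pem(label, body):  # constructed placeholder block, not a real cert or key
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

LEAF = _pem("CERTIFICATE", "TEVBRg==")
CA_BUNDLE = "issuer text\n" + _pem("CERTIFICATE", "SU5U") + _pem("CERTIFICATE", "Uk9PVA==")
KEY = _pem("PRIVATE KEY", "S0VZ")

if __name__ == "__main__":
    print(check_pair(KEY, LEAF))  # key and certificate swapped: two problems
    print(check_pair(build_fullchain(LEAF, CA_BUNDLE), KEY))  # clean: []
```

A label check like this does not validate signatures or chain order; `openssl verify` against the CA file remains the way to confirm the chain actually links up.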