SSL File Types Explained: CRT, KEY, PEM, PFX, CSR and CA Bundle

When you download your SSL certificate you end up with a pile of extensions: .crt, .key, .pem, .pfx, .csr and a CA Bundle. At first glance they all look alike, but each one does a distinct job, and dropping the wrong file in the wrong place means HTTPS simply won't work. This guide walks through every common SSL file type, shows what lives inside each one, and clears up which server expects which file. By the end you'll know exactly what you're holding and where it belongs.

What is PEM? (Format, not file type)

PEM is not a certificate type at all — it's an encoding format. It stores data as Base64-encoded ASCII text wrapped between markers like -----BEGIN CERTIFICATE----- and -----END CERTIFICATE-----. If you open a file in a text editor and see those lines, it's PEM-encoded. Most CRT, KEY and CA Bundle files are actually written in PEM, which is why .pem is such a generic container.

CRT / CER — the certificate itself

The CRT (or .cer) file is your actual SSL certificate, signed by the Certificate Authority. It contains your domain name, validity dates and your public key, and it begins with -----BEGIN CERTIFICATE-----. This file is not secret; it's public information served to every browser that connects.

KEY — the private key (never share it)

The KEY file is your certificate's private key and starts with -----BEGIN PRIVATE KEY-----. It is the heart of HTTPS encryption. If this file leaks, your certificate is no longer trustworthy. Never email it, never upload it anywhere public, and keep it only on your server.

CSR — the signing request

A CSR (Certificate Signing Request) is generated when you ask a CA to issue a certificate. It carries your domain and organization details and begins with -----BEGIN CERTIFICATE REQUEST-----. The key distinction: a CSR does NOT contain the private key — only your public key and request data. Once the certificate is issued, you no longer need the CSR.

CA Bundle — the intermediate chain

The CA Bundle (intermediate chain) lets browsers verify that your certificate genuinely traces back to a trusted root authority. It holds the "intermediate" certificates that sit between yours and the root. If it's missing, some browsers will throw a "certificate not trusted" warning.

fullchain — certificate plus chain combined

The fullchain file is simply your certificate (CRT) and the CA Bundle merged into one file. Servers like Nginx want the chain as a single combined file rather than separate pieces, which makes fullchain handy.

PFX / P12 — the package Windows loves

Unlike the text formats above, PFX (or .p12) is a binary, password-protected bundle. It packs the certificate, the private key and the chain into one encrypted file. The Windows and IIS world uses this format instead of PEM, and you'll be prompted for a password when importing it.

Converting formats with openssl

Turning PEM files into a PFX for Windows (or the reverse) takes a single command:

# PEM (crt + key + chain) -> PFX
openssl pkcs12 -export -out certificate.pfx \
  -inkey private.key -in certificate.crt -certfile ca_bundle.crt

# PFX -> PEM (certificate + key)
# -nodes writes the private key unencrypted, so protect certificate.pem like private.key
openssl pkcs12 -in certificate.pfx -out certificate.pem -nodes

Which server needs which file?

  • Apache: needs the crt for SSLCertificateFile, the key for SSLCertificateKeyFile and the ca_bundle for SSLCertificateChainFile (three separate files).
  • Nginx: needs the fullchain (certificate + chain combined) for ssl_certificate and the key for ssl_certificate_key (two files).
  • IIS / Windows: wants a single pfx file containing the certificate, key and chain.
  • cPanel / Plesk: typically asks you to paste the crt, key and ca_bundle into separate fields.
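
As an added example (not part of the original guide or of any vendor tool), the shell functions below classify a file by the PEM markers described above and check it against the Apache and Nginx directives listed in this section. The function names and sample files are assumptions made for illustration, and the private key pattern goes beyond the guide's single marker to also match the RSA, EC and ENCRYPTED variants.

```shell
#!/bin/sh
# Added example: classify an SSL file by its PEM BEGIN markers.
# Sample files are constructed placeholders, not real keys or certificates.

# classify_pem FILE -> certificate | fullchain-or-bundle | private-key | csr |
#                      mixed-with-key | not-pem
classify_pem() {
    LC_ALL=C awk '
        { sub(/\r$/, "") }                               # tolerate CRLF line endings
        /^-----BEGIN CERTIFICATE-----$/                { cert++ }
        /^-----BEGIN (NEW )?CERTIFICATE REQUEST-----$/ { csr++ }
        /^-----BEGIN .*PRIVATE KEY-----$/              { key++ }
        END {
            if (key && (cert || csr)) print "mixed-with-key"
            else if (key)             print "private-key"
            else if (csr)             print "csr"
            else if (cert > 1)        print "fullchain-or-bundle"
            else if (cert == 1)       print "certificate"
            else                      print "not-pem"    # e.g. binary PFX or DER
        }' "$1"
}

# check_slot DIRECTIVE FILE -> 0 if FILE holds what the directive expects,
# following the server list in this guide; 1 (with a message) otherwise.
check_slot() {
    kind=$(classify_pem "$2")
    case "$1:$kind" in
        ssl_certificate:fullchain-or-bundle|SSLCertificateFile:certificate) return 0 ;;
        SSLCertificateChainFile:certificate|SSLCertificateChainFile:fullchain-or-bundle) return 0 ;;
        ssl_certificate_key:private-key|SSLCertificateKeyFile:private-key) return 0 ;;
    esac
    echo "$1: $2 is '$kind', not what this directive expects" >&2
    return 1
}

# make_samples DIR: write constructed sample files with a dummy Base64 body
make_samples() {
    blk() { printf '%s\n' "-----BEGIN $1-----" "Q09OU1RSVUNURUQ=" "-----END $1-----"; }
    blk CERTIFICATE > "$1/certificate.crt"
    { blk CERTIFICATE; blk CERTIFICATE; } > "$1/fullchain.pem"
    blk "PRIVATE KEY" > "$1/private.key"
    blk "CERTIFICATE REQUEST" > "$1/request.csr"
    { blk CERTIFICATE; blk "PRIVATE KEY"; } > "$1/certificate.pem"  # shape of the PFX -> PEM output
    printf '0\202\004\001binary' > "$1/certificate.pfx"            # stand-in for a binary PFX
}

d=$(mktemp -d) && make_samples "$d"
for f in "$d"/*; do printf '%-16s %s\n' "${f##*/}" "$(classify_pem "$f")"; done
rm -rf "$d"
```

A result of mixed-with-key, as for the certificate.pem written by the PFX-to-PEM command above, means the file carries a private key and must be handled as a secret even though its name suggests a certificate.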

Summary

In short: CRT is your certificate, KEY is your private key, CA Bundle is the intermediate chain, fullchain combines the certificate and the CA Bundle (never the key), PFX is the encrypted Windows package, and CSR is just a request that never gets installed on the server. The good news: when you generate a certificate with our free SSL wizard, the crt, key, ca_bundle, fullchain and pfx files all arrive together in a single ZIP, with no manual conversion required. Pick whichever your server expects and drop it in. To grab your free 90-day certificate with no signup required, head over to our free SSL wizard now.