I know this is a super similar question to many other questions, but none of them either give a straight answer or one that works for me...
I have gotten two files from Let's Encrypt:
I need to get them into a crt and key format for use on an nginx server.
I have tried:
openssl rsa -outform der -in key.pem -out key.key
and
openssl x509 -outform der -in cert.pem -out cert.crt
but get the following error when starting up nginx:
# service nginx restart
Performing sanity check on nginx configuration:
nginx: [emerg] cannot load certificate "/etc/ssl/nginx/cert.crt": PEM_read_bio_X509_AUX() failed (SSL: error:0906D06C:PEM routines:PEM_read_bio:no start line:Expecting: TRUSTED CERTIFICATE)
nginx: configuration file /usr/local/etc/nginx/nginx.conf test failed
The extension .pem indicates that the file format is PEM (Privacy-Enhanced Mail). However, the extension does not tell anything about the content of the file. The content may be a certificate, a private key, a public key, or something else.
The extension .crt indicates that the content of the file is a certificate. However, the extension does not tell anything about the file format. The file format may be PEM, DER (Distinguished Encoding Rules) or something else. If the file is text and contains -----BEGIN CERTIFICATE-----, the file format is PEM. On the other hand, if the file is binary, it is highly likely that the file format is DER.
The extension .key indicates that the content of the file is a private key. However, the extension does not tell anything about the file format. The file format may be PEM, DER or something else. If the file is text and contains -----BEGIN PRIVATE KEY----- (or something similar), the file format is PEM. On the other hand, if the file is binary, it is highly likely that the file format is DER.
The diagrams below, from "Illustrated X.509 Certificate", illustrate the relationship among ASN.1 (X.680), DER (X.690), BASE64 (RFC 4648) and PEM (RFC 7468).


Both ssl_certificate and ssl_certificate_key of ngx_http_ssl_module expect that the file format is PEM as the reference document says. Therefore, you don't have to change the file format of your cert.pem and key.pem because their file extension .pem indicates that their file format is already PEM. Just write like below in your Nginx configuration file.
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
If you prefer .crt and .key extensions, just rename them like below.
$ mv cert.pem cert.crt
$ mv key.pem key.key
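A content-based check for the point made in the answer above, that the extension does not determine the file format. This is an added example, not part of the original question or answer; the function names `classify_cert_file` and `make_samples` are hypothetical and the sample files are constructed placeholders, not real certificates or keys.

```shell
#!/bin/sh
# Added example: identify PEM vs DER from file content, not from the extension.
# Function names are hypothetical; sample files are constructed placeholders.

# Prints "PEM:<label>", "DER" or "unknown" for the given file.
classify_cert_file() {
    file=$1
    # PEM (RFC 7468) is text with a "-----BEGIN <label>-----" line.
    label=$(LC_ALL=C sed -n 's/^-----BEGIN \(.*\)-----[[:space:]]*$/\1/p' "$file" | head -n 1)
    if [ -n "$label" ]; then
        printf 'PEM:%s\n' "$label"
        return 0
    fi
    # DER certificates and keys are ASN.1 SEQUENCEs, so the first byte is 0x30.
    first=$(od -An -tx1 -N1 "$file" | tr -d ' \t\n')
    if [ "$first" = "30" ]; then
        printf 'DER\n'
    else
        printf 'unknown\n'
    fi
}

# Writes constructed sample files (not real certificates or keys) into a directory.
make_samples() {
    dir=$1
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'MIIBAQECAwQ=' \
        '-----END CERTIFICATE-----' > "$dir/cert.pem"
    printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'MIIBAQECAwQ=' \
        '-----END PRIVATE KEY-----' > "$dir/key.pem"
    # Binary file with a .crt name: 0x30 0x82 0x01 0x01 followed by filler bytes.
    printf '\060\202\001\001\001\002\003\004' > "$dir/cert.crt"
}

# Usage: sh classify.sh cert.crt key.key
for f in "$@"; do
    printf '%s: %s\n' "$f" "$(classify_cert_file "$f")"
done
```

Files written by the two `-outform der` commands in the question would be reported as `DER`, which matches the "no start line" error nginx printed when it looked for a PEM header.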