How to convert a certbot certificate private key to "Unencrypted PEM encoded RSA"?

Question

I use certbot to generate ssl cert for my domain.

Then I use the following commands to copy the content to clipboard

cat ./letsencrypt/live/mycompany.com/cert.pem |pbcopy
cat ./letsencrypt/live/mycompany.com/privkey.pem |pbcopy

and paste into Google App Engine's "Add a new SSL certificate" dialog box.

However the private key is rejected due to 'The private key you've selected does not appear to be valid.'

(I have replaced the content with 'zzzz')

How can I convert the certbot output into the right format?

Also I do not know exactly what format and roles are those certbot generated files are in.

cert.pem
chain.pem
fullchain.pem
privkey.pem

Anthony Kong · Accepted Answer · 2018-05-03T22:57:18.120

2

I find out I can use openssl to convert the format

openssl rsa -in ./letsencrypt/live/mycompany.com/privkey.pem -out ./letsencrypt/live/mycompany.com/privkey.pem.rsa.key

edited May 03 '18 at 22:57

answered May 03 '18 at 22:49

Anthony Kong

score 1 · Answer 2 · edited Jun 16 '20 at 09:49

To add to @Anthony Kong's answer...

What format are those certbot generated files in, and what roles do they perform?

The following are all PEM files [info], which store the various different peices of information to allow the certificate to be used.

cert.pem

This is the issued certificate
chain.pem

This is the set of certificates that go from a trusted root down to the cert before the issued one
fullchain.pem

This is the set of certificates that go from a trusted root down to the issued one
privkey.pem

This is the private key for the issued certificate

Imagine CA B is trusted by root A, and uses intermediate C to issue a certificate D.

The trust path would look like this

 A == Trusted root
\ /
 B == Issuing CA
\ /
 C == Intermediate Certificate
\ / 
 D == Issued certificate

In this case, the files would contain: