
I'm running Debian and have certbot for creating Let's Encrypt certificates.

I act as a client towards a TLS server, and need to hand over my client certificate for approval.

I've got the following files generated by certbot:

/etc/letsencrypt/live/my-client-server-domain/privkey.pem
/etc/letsencrypt/live/my-client-server-domain/fullchain.pem
/etc/letsencrypt/live/my-client-server-domain/chain.pem

Which certificate should I hand over, and is it safe to share publicly?

Alfred Balle

2 Answers


You need to keep /etc/letsencrypt/live/my-client-server-domain/privkey.pem private as it contains the private key for your certificate.

You can hand out one of these two files:

/etc/letsencrypt/live/my-client-server-domain/chain.pem
/etc/letsencrypt/live/my-client-server-domain/fullchain.pem

You might want to share the /etc/letsencrypt/live/my-client-server-domain/fullchain.pem as it contains intermediate certificates if those were used by Let's Encrypt. The recipient can extract your certificate from it in case it is needed.

Kevin K.

Use the certbot certificates subcommand to display your certificate files if you don't know exactly which file(s) you need. You can use the -d [hostname] option if you have more than one hostname/domain name configured:

certbot certificates -d www.example.com

Saving debug log to /var/log/letsencrypt/letsencrypt.log

-------------------------------------------------------------------------------
Found the following matching certs:

  Certificate Name: server.example.com
    Domains: server.example.com mail.example.com www.example.com example.com
    Expiry Date: 2018-09-30 12:45:28+00:00 (VALID: 82 days)
    Certificate Path: /etc/letsencrypt/live/server.example.com/fullchain.pem   <====
    Private Key Path: /etc/letsencrypt/live/server.example.com/privkey.pem


-------------------------------------------------------------------------------

In any public key cryptography you only need to keep the aptly named "Private Key" data private and secure, and you can (and usually must) share the public key/certificate freely, so share the fullchain.pem file from what certbot calls the "certificate path".

HBruijn
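Both answers come down to the same rule: privkey.pem never leaves your machine, fullchain.pem is the file you hand over, and the recipient can pull your own certificate out of it. The POSIX shell script below is an added example, not code from the question or either answer. It splits certbot's PEM bundles into blocks, refuses to call anything that contains a PRIVATE KEY block shareable, extracts the leaf certificate, and (if openssl is installed) confirms that privkey.pem really belongs to that leaf before you send the bundle off. It relies on certbot's own layout, which the page does not spell out: certbot also writes cert.pem, and fullchain.pem is cert.pem followed by chain.pem, so the first CERTIFICATE block in fullchain.pem is your certificate and chain.pem holds only the intermediates. The directory argument, the script name and the placeholder bundles used to exercise it are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the question or the answers: sort certbot's files
# into "share" and "keep private" and pull the leaf certificate out of a bundle.
# Assumptions: certbot's layout (fullchain.pem = cert.pem + chain.pem, leaf
# first) and, for key_matches_cert only, an installed openssl binary.
set -e

# Print the first CERTIFICATE block of a PEM bundle read from stdin.
# In fullchain.pem that block is the leaf, i.e. your own certificate.
pem_first_cert() {
    awk '
        /^-----BEGIN CERTIFICATE-----$/ { if (!done) printing = 1 }
        printing { print }
        /^-----END CERTIFICATE-----$/   { if (printing) { printing = 0; done = 1 } }
    '
}

# Count CERTIFICATE blocks in a PEM bundle read from stdin
# (prints 0 instead of failing when there are none).
pem_cert_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' || true
}

# Succeed only if the bundle on stdin may be handed to a third party: at least
# one certificate and no PRIVATE KEY block of any flavour ("PRIVATE KEY",
# "RSA PRIVATE KEY", "EC PRIVATE KEY", ...).
pem_is_shareable() {
    bundle=$(cat)
    printf '%s\n' "$bundle" | grep -q '^-----BEGIN CERTIFICATE-----$' || return 1
    printf '%s\n' "$bundle" | grep -q 'PRIVATE KEY-----' && return 1
    return 0
}

# Classify one file by its content: "keep-private", "shareable" or "unknown".
certbot_file_role() {
    if grep -q 'PRIVATE KEY-----' "$1"; then
        echo keep-private
    elif pem_is_shareable < "$1"; then
        echo shareable
    else
        echo unknown
    fi
}

# Before handing over fullchain.pem, confirm privkey.pem belongs to its leaf:
# derive the SubjectPublicKeyInfo from each side and compare. Needs openssl.
key_matches_cert() {
    key_pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    cert_pub=$(pem_first_cert < "$2" | openssl x509 -pubkey -noout 2>/dev/null) || return 1
    [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]
}

# Usage: sh pemcheck.sh /etc/letsencrypt/live/my-client-server-domain
# With no argument nothing runs, so the functions can be sourced elsewhere.
live_dir=${1:-}
if [ -n "$live_dir" ]; then
    for f in privkey.pem chain.pem fullchain.pem; do
        printf '%-14s %s\n' "$f" "$(certbot_file_role "$live_dir/$f")"
    done
    printf '\nLeaf certificate in fullchain.pem:\n'
    pem_first_cert < "$live_dir/fullchain.pem" | openssl x509 -noout -subject -enddate
    if key_matches_cert "$live_dir/privkey.pem" "$live_dir/fullchain.pem"; then
        echo "privkey.pem matches the leaf certificate"
    else
        echo "WARNING: privkey.pem does not match the leaf certificate" >&2
        exit 1
    fi
fi
```

The key-match step is the check a practitioner wants before sending anything: certbot keeps every renewal under /etc/letsencrypt/archive and points the live/ symlinks at the newest one, so comparing the derived public keys catches the case where you copied a stale privkey.pem next to a fresh fullchain.pem. The classification is deliberately content-based rather than filename-based, so a bundle that someone concatenated the key into by mistake is flagged even if it is called fullchain.pem.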