Kong – generate client cert

When generating a client certificate for Kong, you generally need to provide the .crt and .key files to the client. However, the .pem file can also be used, depending on the application’s needs.

Here’s how each file is used:

  1. .crt (Certificate File) – This contains the public certificate of the client.
  2. .key (Private Key File) – This holds the private key for the client.
  3. .pem (Privacy-Enhanced Mail Format) – This can contain both the certificate and private key (and sometimes even intermediate certificates) in a single file.

What Should You Provide to the Client?

  • If the client explicitly needs separate certificate and key files, provide:
    • client.crt
    • client.key
  • If the client can handle a single PEM file, provide:
    • client.pem (which includes both the certificate and private key)

To generate a PEM file from .crt and .key:

cat client.crt client.key > client.pem
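
An added example, not part of the original post: a shell version of the cat step above that first checks the private key belongs to the certificate, then writes client.pem readable only by its owner, since the bundle contains the private key. The function names are hypothetical and the openssl command-line tool is assumed to be installed.

```shell
#!/bin/sh
# Added example. File names follow the post (client.crt, client.key,
# client.pem); the function names are hypothetical.

# key_matches_cert CERT KEY
# Succeeds only when KEY is the private key for CERT, by comparing the
# public key extracted from each file. Returns 2 if either file is unreadable.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# make_client_pem CERT KEY OUT
# Builds the single-file bundle (certificate first, then key).
make_client_pem() {
    cert=$1
    key=$2
    out=$3

    # Refuse to bundle a key that does not belong to the certificate;
    # the TLS handshake would fail later with a less obvious error.
    key_matches_cert "$cert" "$key" || {
        echo "error: $key does not match $cert" >&2
        return 1
    }

    # umask 077 makes the new file owner-only from the moment it is created.
    # rm -f first, because redirecting into an existing file keeps its old mode.
    # 'awk 1' is used instead of cat so that a certificate file without a
    # trailing newline does not fuse its END line with the key's BEGIN line.
    (
        umask 077
        rm -f "$out"
        awk 1 "$cert" "$key" > "$out"
    ) || return 1

    chmod 600 "$out"
}

# Usage: make_client_pem client.crt client.key client.pem
```
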

🔹 Use Case:

  • Some applications and libraries (e.g., cURL, OpenSSL, and certain API clients) accept a single PEM file instead of separate .crt and .key files.
  • If the client is using mutual TLS (mTLS) authentication with Kong, check if they need a .pem file instead.
