Hello Rogier,
Have a look at “What is a Pem file and how does it differ from other OpenSSL Generated Key File Formats?” on Server Fault, as this explains the differences between the .csr, .pem and .key file extensions.
In essence:
csr - This is a Certificate Signing Request.
pem - This is a container format that may include just the public certificate or may include an entire certificate chain including public key, private key, and root certificates.
key - This is a PEM formatted file containing just the private-key of a specific certificate and is merely a conventional name and not a standardized one.
I looked at “How do I obtain a certificate from Let's Encrypt on my Synology NAS?” in the Synology Knowledge Center to see how you might have used it in this process.
So in the section “To create a certificate signing request (CSR):” part 4, you will have filled in your details, and let's assume you did not password protect the keys. Now in step 6 you should have 2 files: the “server.csr” you submit to Digicert and the private key “server.key”.
Let's assume the “server.key” is in base64 format. If you open your server.key in Notepad it should look a bit like the below. Copy and paste all of this into the “private key” section. Never give this key to anyone.
-----BEGIN FOO BAR KEY-----
MIIBgjAcBgoqhkiG9w0BDAEDMA4ECKZesfWLQOiDAgID6ASCAWBu7izm8N4V
2puRO/Mdt+Y8ceywxiC0cE57nrbmvaTSvBwTg9b/xyd8YC6QK7lrhC9Njgp/
…
-----END FOO BAR KEY-----
So when you used the “server.csr” with Digicert they should have sent you back a file like yourdomainname.crt. If you open this in Notepad you will see a similar base64 layout. Copy and paste all of this into “Local Public Key Certificate”. If the file just has the signed key and the connection does not work, you may need to follow the process at “How to Create a .pem File for SSL Certificate Installations” to add in the intermediate and root certificates.
Note from what you told me earlier that this cert will only work for yourdomainname.com not connections like www.yourdomainname.com or ftp.yourdomainname.com. For that you need to buy the more expensive wildcard certificate.
Also, if you open, say, an https browser connection and you get an untrusted message, this means the connection process cannot verify the whole certificate chain.
If you want, have a look at my short blog post - http://www.supportict.co.uk/ssloverview/
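
An added example, not part of the original post: a small Python check that reads the BEGIN/END labels in a PEM file to tell a CSR, a certificate chain and a private key apart, and confirms that text bound for the “Local Public Key Certificate” field carries no private key. The function names and the sample blocks are constructed for illustration; the payloads are dummy bytes, not real key material.

```python
import base64
import re

# Matches one PEM block: BEGIN label, body, END with the same label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)\r?\n-----END \1-----", re.DOTALL)

# Standard PEM labels mapped to the file types discussed in the post.
KINDS = {
    "CERTIFICATE REQUEST": "csr",
    "CERTIFICATE": "certificate",
    "PRIVATE KEY": "private key",
    "RSA PRIVATE KEY": "private key",
    "EC PRIVATE KEY": "private key",
    "ENCRYPTED PRIVATE KEY": "private key (password protected)",
}


def classify_pem(text):
    """Return a list of (kind, der_length) for every PEM block in text."""
    found = []
    for label, body in PEM_BLOCK.findall(text):
        # Drop legacy "Proc-Type:"/"DEK-Info:" header lines; base64 never contains ':'.
        b64 = "".join(l.strip() for l in body.splitlines() if ":" not in l)
        der = base64.b64decode(b64, validate=True)
        found.append((KINDS.get(label, "unknown: " + label), len(der)))
    return found


def safe_for_certificate_field(text):
    """True if text holds at least one certificate and no private key."""
    kinds = [kind for kind, _ in classify_pem(text)]
    return "certificate" in kinds and not any(k.startswith("private key") for k in kinds)


def _block(label, payload):
    # Constructed sample block; payload is dummy bytes, not real key material.
    b64 = base64.b64encode(payload).decode()
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, b64, label)


# Constructed samples standing in for server.csr, server.key and a chain file.
SAMPLE_CSR = _block("CERTIFICATE REQUEST", b"\x30\x03dummy-csr")
SAMPLE_KEY = _block("PRIVATE KEY", b"\x30\x03dummy-key")
SAMPLE_CHAIN = _block("CERTIFICATE", b"leaf") + _block("CERTIFICATE", b"intermediate")

if __name__ == "__main__":
    samples = [("server.csr", SAMPLE_CSR), ("server.key", SAMPLE_KEY), ("chain.pem", SAMPLE_CHAIN)]
    for name, text in samples:
        print(name, classify_pem(text), safe_for_certificate_field(text))
```

A file with two or more certificate blocks is a chain (signed certificate plus intermediates); a placeholder label such as the FOO BAR KEY shown above is reported as unknown.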