106

I've the following configuration:

SSLEngine on
SSLCertificateFile /etc/httpd/conf/login.domain.com.crt
SSLCertificateKeyFile /etc/httpd/conf/login.domain.com.key
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

but I don't know how to generate .crt and .key files.

kenorb
  • 6,779
Mohammad Ali Akbari
  • 1,793

3 Answers3

111

crt and key files represent both parts of a certificate, key being the private key to the certificate and crt being the signed certificate.

It's only one of the ways to generate certs, another way would be having both inside a pem file or another in a p12 container.

You have several ways to generate those files, if you want to self-sign the certificate you can just issue this commands

openssl genrsa 2048 > host.key
chmod 400 host.key
openssl req -new -x509 -nodes -sha256 -days 365 -key host.key -out host.cert

Note that with self-signed certificates your browser will warn you that the certificate is not "trusted" because it hasn't been signed by a certification authority that is in the trust list of your browser.

From there onwards you can either generate your own chain of trust by making your CA or buy a certificate from a company like Verisign or Thawte.

Trevor Boyd Smith
  • 147
lynxman
  • 9,527
  • after running "openssl genrsa 1024 > host.key" I got this in terminal: "e is 65537 (0x10001) " is it an error? – Mohammad Ali Akbari Jan 19 '11 at 10:18
  • 1
    Yes, this means that openssl can't write the random seed to the default file it uses which is defined by openssl.cnf, by default in CentOS/RHEL this file is in /etc/pki/tls/openssl.cnf. Try executing the same commands as root in this case and see how it goes. – lynxman Jan 19 '11 at 10:29
  • I try it as root, but I got "e is 65537 (0x10001)" again – Mohammad Ali Akbari Jan 19 '11 at 10:37
  • 1
    Do you have SELinux activated on your machine? Check /var/log/messages to see why openssl can't write the file – lynxman Jan 19 '11 at 10:38
  • I check /var/log/messages before and after run this command, nothing! – Mohammad Ali Akbari Jan 19 '11 at 14:53
  • is there any other way to generate this key? – Mohammad Ali Akbari Jan 19 '11 at 15:02
  • 5
    https://letsencrypt.org/ is a free ssl provider. Take a look on it instead of paying a lot of money to those companies. – Kaan Sep 13 '18 at 12:00
  • I'm getting the following error: "unable to load Private Key 4511002220:error:09FFF06C:PEM routines:CRYPTO_internal:no start line:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.100.4/libressl-2.8/crypto/pem/pem_lib.c:684:Expecting: ANY PRIVATE KEY" Is it because I don't have a PEM file but a KEY file? – ryanwebjackson May 24 '20 at 16:30
  • My issue was I had a mal-formatted private key file. Not sure how it happened, but I used the file and tail commands on Linux to determine the issue. – ryanwebjackson May 25 '20 at 00:08
  • can I expose the .crt file? Is that supposed to be public? – João Pimentel Ferreira Aug 19 '20 at 21:44
  • what is the difference between openssl -req and openssl req? – PirateApp Feb 23 '23 at 12:39
17

These are the public (.crt) and private (.key) parts of an SSL certificate. See this question for a plethora of relevant information, e.g. if you want to generate a cert yourself, or buy one.

Community
  • 1
Volker Stolz
  • 426
  • 2
  • 10
  • Basic question but -- I'm assuming I ought to copy the .key file to my ~/.ssh folder, when I upload my CSR file to my ssl provider? – Qasim Jan 06 '17 at 06:11
  • 1
    @Qasim SSL-files don't have anything to do with SSH (which is what the .ssh-folder belongs to). – Volker Stolz Feb 07 '17 at 10:30
1

This is a very old post but I just did this:

openssl req -x509 -newkey rsa:4096 -keyout private_key.pem -out public_key.crt -days 365 -nodes -subj '/CN=issuer'
Roukmoute
  • 111