110

I've the following configuration:

    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/login.domain.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/login.domain.com.key
    SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

but I don't know how to generate .crt and .key files.

3 Answers

113

crt and key files represent both parts of a certificate, key being the private key to the certificate and crt being the signed certificate.

It's only one of the ways to generate certs; another way would be having both inside a pem file, or another in a p12 container.

You have several ways to generate those files. If you want to self-sign the certificate, you can just issue these commands:

    openssl genrsa 2048 > host.key
    chmod 400 host.key
    openssl req -new -x509 -nodes -sha256 -days 365 -key host.key -out host.cert

Note that with self-signed certificates your browser will warn you that the certificate is not "trusted" because it hasn't been signed by a certification authority that is in the trust list of your browser.

From there onwards you can either generate your own chain of trust by making your CA or buy a certificate from a company like Verisign or Thawte.

11
  • After running "openssl genrsa 1024 > host.key" I got this in the terminal: "e is 65537 (0x10001)". Is it an error? Commented Jan 19, 2011 at 10:18
  • 1
    Yes, this means that openssl can't write the random seed to the default file it uses, which is defined by openssl.cnf; by default in CentOS/RHEL this file is in /etc/pki/tls/openssl.cnf. Try executing the same commands as root in this case and see how it goes. Commented Jan 19, 2011 at 10:29
  • I tried it as root, but I got "e is 65537 (0x10001)" again. Commented Jan 19, 2011 at 10:37
  • 1
    Do you have SELinux activated on your machine? Check /var/log/messages to see why openssl can't write the file Commented Jan 19, 2011 at 10:38
  • 5
    letsencrypt.org is a free SSL provider. Take a look at it instead of paying a lot of money to those companies. Commented Sep 13, 2018 at 12:00
18

These are the public (.crt) and private (.key) parts of an SSL certificate. See this question for a plethora of relevant information, e.g. if you want to generate a cert yourself, or buy one.

2
  • Basic question but -- I'm assuming I ought to copy the .key file to my ~/.ssh folder, when I upload my CSR file to my ssl provider? Commented Jan 6, 2017 at 6:11
  • 1
    @Qasim SSL-files don't have anything to do with SSH (which is what the .ssh-folder belongs to). Commented Feb 7, 2017 at 10:30
1

This is a very old post but I just did this:

openssl req -x509 -newkey rsa:4096 -keyout private_key.pem -out public_key.crt -days 365 -nodes -subj '/CN=issuer' 
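
The self-signed generation used in the first and last answers, plus a check that a .key and a .crt really belong together (and that the key is not readable by other users) before SSLCertificateFile and SSLCertificateKeyFile are pointed at them. This is an added example, not code from the original posts; the function names, the umask choice and the usage line are assumptions, and it expects an unencrypted key such as the commands above produce.

```shell
#!/bin/sh
# Added example: generate a self-signed pair and verify it before use.
# All function names here are hypothetical helpers, not part of OpenSSL.

# gen_self_signed KEY CRT CN: 2048-bit RSA key plus a 365-day self-signed cert.
gen_self_signed() {
    key=$1 crt=$2 cn=$3
    # umask 077 in a subshell: the key is never group/world readable, even briefly.
    ( umask 077 && openssl genrsa -out "$key" 2048 2>/dev/null ) || return 1
    openssl req -new -x509 -sha256 -days 365 -key "$key" \
        -subj "/CN=$cn" -out "$crt" 2>/dev/null
}

# pubkey_of FILE key|crt: print the public key (PEM) held in a key or a cert.
pubkey_of() {
    case $2 in
        key) openssl pkey -in "$1" -pubout 2>/dev/null ;;
        crt) openssl x509 -in "$1" -noout -pubkey 2>/dev/null ;;
    esac
}

# pair_matches KEY CRT: 0 if the cert was issued for this key, 1 if not,
# 2 if either file could not be parsed.
pair_matches() {
    k=$(pubkey_of "$1" key) && c=$(pubkey_of "$2" crt) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# key_is_private KEY: 0 only if group and others have no permissions on it.
key_is_private() {
    case $(ls -ld "$1") in
        ????------*) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage (assumed file names): sh check_pair.sh host.key host.cert
if [ "$#" -eq 2 ]; then
    if pair_matches "$1" "$2" && key_is_private "$1"; then
        echo "OK: certificate matches key, key permissions are restricted"
    else
        echo "FAIL: mismatched pair, unreadable file, or key too widely readable" >&2
        exit 1
    fi
fi
```

A mismatched pair is a common reason for Apache refusing to start after a certificate renewal, so running the check before reloading the server catches it early.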
