Accidently removed localhost.crt SSL in Centos 6 - what can i do?
Solution 1
your ssl certificate issuer should provide you free replacement or reissue. Just go to digicert and ask them.
Generate new key files from server and reissue ssl. Make sure the new ssl should be SHA2 only.
Solution 2
There are two solutions to this issue:
1) You can regenerate the default self-signed certificate using OpenSSL:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/localhost.key -out /etc/ssl/certs/localhost.crt
2) You can search the Apache config files and replace the self-signed cert with the new certificate.
This command will tell you which Apache config files reference the localhost.crt file:
grep -i -r localhost.crt /etc/httpd/
An example output of the above command might be this:
/etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/pki/tls/certs/localhost.crt
That tells us to look in /etc/httpd/conf.d/ssl.conf and update the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to their new DigiCert certificate files.
Please feel free to call DigiCert support at 1-801-701-9600 if you have any problems or questions.
Solution 3
The files /etc/pki/tls/certs/localhost.crt and /etc/pki/tls/private/localhost.key are created by the postinstall script of the mod_ssl package. You can find the CentOS 7 spec file here: https://git.centos.org/rpms/httpd/blob/c7/f/SPECS/httpd.spec (check the other branches for different CentOS versions). Here is the script from CentOS 7:
%define sslcert %{_sysconfdir}/pki/tls/certs/localhost.crt
%define sslkey %{_sysconfdir}/pki/tls/private/localhost.key
%post -n mod_ssl
umask 077
if [ -f %{sslkey} -o -f %{sslcert} ]; then
exit 0
fi
%{_bindir}/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 2048 > %{sslkey} 2> /dev/null
FQDN=`hostname`
if [ "x${FQDN}" = "x" -o ${#FQDN} -gt 59 ]; then
FQDN=localhost.localdomain
fi
cat << EOF | %{_bindir}/openssl req -new -key %{sslkey} \
-x509 -sha256 -days 365 -set_serial $RANDOM -extensions v3_req \
-out %{sslcert} 2>/dev/null
--
SomeState
SomeCity
SomeOrganization
SomeOrganizationalUnit
${FQDN}
root@${FQDN}
EOF
So if you delete both localhost.key and localhost.crt, and do yum reinstall mod_ssl, then the postinstall script will recreate them for you.
(I'm posting this answer because searching how to recreate /etc/pki/tls/certs/localhost.crt leads me here, but as others stated, if you got a cert signed by a CA, you don't need the localhost.crt and localhost.key files any more.)
Related videos on Youtube
08 : 15
15 : 27
13 : 37
09 : 27
08 : 53
Karem
Updated on September 18, 2022Comments
-
Karem over 1 year
So I just got my certificate issued from Digicert, and since there was other unused/old files in /etc/ssl/ i marked and removed, and accidently also removed localhost.crt.
Now I cannot start my web server (only without SSL). How do i recreate this localhost.crt file? And would i need to make a new key and get my certificate from digicert reissued?
-
Itai Ganot over 9 yearsAre you sure it's not a self-signed certificate? -
Karem over 9 yearsYes the certificate i want running is not self signed, its by digicert. But /etc/ssl/certs/ only contains the certificate from digicert and csr i genereated for it. But in order to start my webserver it requires localhost.csr which i removed?
-
FooBee over 9 yearsRestore it from your backup.
-
Karem over 9 yearsI dont have backup
-
Michael Hampton over 9 yearsThen the most important thing you can do today is put a backup system in place. -
Mike S over 5 yearsFrickin' hell. My localhost.crt file is not there, and it's preventing me from getting a certificate (apachectl configtest exits with an error). I hate that this question was downvoted. There are more than one way that a file can be lost, and one of those ways may involve a brand new machine that's still being built (and not yet backed up). This is a perfectly valid- and useful- question.
-
-
Mike S over 5 yearsI tried the reinstall on Fedora 27 but it did not create the package.
-
Mike S over 5 yearsI had to create my own private key, as per akadia.com/services/ssh_test_certificate.html
-
Mike S over 5 yearsUpvoted because it got me to understand how to create the keys on my system, even if I needed to type in a different series of commands.
-
sowmith reddy about 4 yearssorry its yum -y reinstall mod_ssl
-
sridhar pandurangiah about 4 yearsThe answer you have posted doesn't address the question. The question is looking to recover a certificate file issued by digicert that has been accidentlly deleted.
