What are .crt and .key files and how to generate them?
Solution 1
crt and key files represent both parts of a certificate, key being the private key to the certificate and crt being the signed certificate.
It's only one of the ways to generate certs, another way would be having both inside a pem file or another in a p12 container.
You have several ways to generate those files. If you want to self-sign the certificate, you can just issue these commands:
openssl genrsa 2048 > host.key
chmod 400 host.key
openssl req -new -x509 -nodes -sha256 -days 365 -key host.key -out host.cert
Note that with self-signed certificates your browser will warn you that the certificate is not "trusted" because it hasn't been signed by a certification authority that is in the trust list of your browser.
From there onwards you can either generate your own chain of trust by making your CA or buy a certificate from a company like Verisign or Thawte.
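As an added example (not part of the original answer), the same commands can be wrapped in a POSIX shell script that also checks the result before the files are referenced from SSLCertificateFile and SSLCertificateKeyFile: each file must have the expected PEM start line, and the certificate must carry the public half of the key. The function names, file names and CN value are assumptions made for illustration.

```sh
#!/bin/sh
# Added example: create a key and a self-signed certificate, then verify the pair.
# Usage: make_pair host.key host.crt login.example.test && pair_matches host.key host.crt

# make_pair KEY CRT CN
# Writes a 2048-bit RSA key and a self-signed certificate valid for 365 days.
# The umask keeps the key from ever being group/world readable, which the
# "genrsa > host.key; chmod 400" sequence allows for a brief moment.
# genrsa progress output such as "e is 65537 (0x10001)" goes to stderr and
# is not an error; it is silenced here.
make_pair() {
    ( umask 077 && openssl genrsa -out "$1" 2048 2>/dev/null ) || return 1
    chmod 400 "$1"
    openssl req -new -x509 -nodes -sha256 -days 365 \
        -key "$1" -subj "/CN=$3" -out "$2" 2>/dev/null
}

# pem_kind FILE
# Prints certificate, private-key or unknown, judged by the PEM start line.
# A key file without that line is what triggers
# "no start line ... Expecting: ANY PRIVATE KEY".
pem_kind() {
    case "$(head -n 1 "$1" 2>/dev/null)" in
        "-----BEGIN CERTIFICATE-----")    echo certificate ;;
        "-----BEGIN "*"PRIVATE KEY-----") echo private-key ;;
        *)                                echo unknown ;;
    esac
}

# Public key (PEM) derived from the private key / embedded in the certificate.
pub_of_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }
pub_of_crt() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# pair_matches KEY CRT
# Succeeds only if both files parse and hold the same public key.
pair_matches() {
    [ "$(pem_kind "$1")" = private-key ] || return 1
    [ "$(pem_kind "$2")" = certificate ] || return 1
    k=$(pub_of_key "$1") || return 1
    c=$(pub_of_crt "$2") || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Only the public key is compared, so the .crt file can be handed to this check (or to anyone else) freely, while the .key file stays readable by its owner alone.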
Solution 2
These are the public (.crt) and private (.key) parts of an SSL certificate. See this question for a plethora of relevant information, e.g. if you want to generate a cert yourself, or buy one.
Mohammad Ali Akbari
Department of Computer Engineering and Information Technology, Department of Business Administration Amirkabir University of Technology, Tehran, Iran.
Updated on September 17, 2022
Comments
-
Mohammad Ali Akbari over 1 year
I've the following configuration:
SSLEngine on
SSLCertificateFile /etc/httpd/conf/login.domain.com.crt
SSLCertificateKeyFile /etc/httpd/conf/login.domain.com.key
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
but I don't know how to generate .crt and .key files.
-
Mohammad Ali Akbari over 13 years
After running "openssl genrsa 1024 > host.key" I got this in terminal: "e is 65537 (0x10001)". Is it an error?
-
Mohammad Ali Akbari over 13 years
I tried it as root, but I got "e is 65537 (0x10001)" again.
-
lynxman over 13 years
Do you have SELinux activated on your machine? Check /var/log/messages to see why openssl can't write the file.
-
Mohammad Ali Akbari over 13 years
I checked /var/log/messages before and after running this command: nothing!
-
Mohammad Ali Akbari over 13 years
Is there any other way to generate this key?
-
Qasim over 7 years
Basic question but -- I'm assuming I ought to copy the .key file to my ~/.ssh folder, when I upload my CSR file to my SSL provider?
-
Volker Stolz over 7 years
@Qasim SSL files don't have anything to do with SSH (which is what the .ssh folder belongs to).
-
Kaan over 5 years
letsencrypt.org is a free SSL provider. Take a look at it instead of paying a lot of money to those companies.
-
ryanwebjackson almost 4 years
I'm getting the following error:
"unable to load Private Key 4511002220:error:09FFF06C:PEM routines:CRYPTO_internal:no start line:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.100.4/libressl-2.8/crypto/pem/pem_lib.c:684:Expecting: ANY PRIVATE KEY"
Is it because I don't have a PEM file but a KEY file?
-
ryanwebjackson almost 4 years
My issue was I had a malformed private key file. Not sure how it happened, but I used the file and tail commands on Linux to determine the issue.
-
João Pimentel Ferreira over 3 years
Can I expose the .crt file? Is that supposed to be public?