What are .crt and .key files and how to generate them?


Solution 1

crt and key files represent both parts of a certificate, key being the private key to the certificate and crt being the signed certificate.

It's only one of the ways to generate certs, another way would be having both inside a pem file or another in a p12 container.

You have several ways to generate those files. If you want to self-sign the certificate, you can just issue these commands:

openssl genrsa 2048 > host.key
chmod 400 host.key
openssl req -new -x509 -nodes -sha256 -days 365 -key host.key -out host.cert

Note that with self-signed certificates your browser will warn you that the certificate is not "trusted" because it hasn't been signed by a certification authority that is in the trust list of your browser.

From there onwards you can either generate your own chain of trust by making your CA or buy a certificate from a company like Verisign or Thawte.
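
A non-interactive version of the self-signed procedure above, as an added example that is not part of the original answer: it creates the key owner-only from the start, then checks that a given .key and .crt carry the same public key and that the key file begins with a PEM header. The file names and the `login.example.test` CN are assumptions for illustration.

```bash
#!/usr/bin/env bash
# Added example. File names and the CN values below are illustrative assumptions.

# gen_pair KEY CRT CN: RSA-2048 key plus a self-signed certificate, no prompts.
gen_pair() {
    local key=$1 crt=$2 cn=$3
    # umask in a subshell: the key is created owner-only instead of being
    # world-readable until a later chmod. genrsa may print progress such as
    # "e is 65537 (0x10001)" on stderr; that is informational, not an error.
    ( umask 077 && openssl genrsa -out "$key" 2048 ) || return 1
    chmod 400 "$key"
    openssl req -new -x509 -sha256 -days 365 -key "$key" \
        -subj "/CN=$cn" -out "$crt"
}

# looks_like_pem_key FILE: the first line must be a PEM private-key header
# (openssl's "no start line" error means it could not find such a header).
looks_like_pem_key() {
    case "$(head -n 1 "$1" | tr -d '\r')" in
        "-----BEGIN "*"PRIVATE KEY-----") return 0 ;;
        *) return 1 ;;
    esac
}

# pair_matches KEY CRT: 0 = same public key, 1 = different, 2 = unparsable.
pair_matches() {
    local k c
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

report() { pair_matches "$1" "$2" && echo "match: $1 $2" || echo "NO MATCH ($?): $1 $2"; }

demo() {
    local d; d=$(mktemp -d) || return 1
    gen_pair "$d/host.key" "$d/host.crt" login.example.test 2>/dev/null || return 1
    gen_pair "$d/other.key" "$d/other.crt" other.example.test 2>/dev/null || return 1
    report "$d/host.key" "$d/host.crt"     # the pair generated together
    report "$d/other.key" "$d/host.crt"    # key from a different pair
    openssl x509 -in "$d/host.crt" -noout -subject -enddate
    rm -rf "$d"
}
demo
```

Running `pair_matches` before pointing `SSLCertificateFile` and `SSLCertificateKeyFile` at a pair catches a swapped or truncated file before the web server refuses to start.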

Solution 2

These are the public (.crt) and private (.key) parts of an SSL certificate. See this question for a plethora of relevant information, e.g. if you want to generate a cert yourself, or buy one.

Author by

Mohammad Ali Akbari

Department of Computer Engineering and Information Technology, Department of Business Administration Amirkabir University of Technology, Tehran, Iran.

Updated on September 17, 2022

Comments

  • Mohammad Ali Akbari
    Mohammad Ali Akbari over 1 year

    I've the following configuration:

    SSLEngine on
    SSLCertificateFile /etc/httpd/conf/login.domain.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/login.domain.com.key
    SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
    

    but I don't know how to generate .crt and .key files.

  • Mohammad Ali Akbari
    Mohammad Ali Akbari over 13 years
    After running "openssl genrsa 1024 > host.key" I got this in terminal: "e is 65537 (0x10001) ". Is it an error?
  • Mohammad Ali Akbari
    Mohammad Ali Akbari over 13 years
    I tried it as root, but I got "e is 65537 (0x10001)" again
  • lynxman
    lynxman over 13 years
    Do you have SELinux activated on your machine? Check /var/log/messages to see why openssl can't write the file
  • Mohammad Ali Akbari
    Mohammad Ali Akbari over 13 years
    I checked /var/log/messages before and after running this command, nothing!
  • Mohammad Ali Akbari
    Mohammad Ali Akbari over 13 years
    Is there any other way to generate this key?
  • Qasim
    Qasim over 7 years
    Basic question but -- I'm assuming I ought to copy the .key file to my ~/.ssh folder, when I upload my CSR file to my ssl provider?
  • Volker Stolz
    Volker Stolz over 7 years
    @Qasim SSL-files don't have anything to do with SSH (which is what the .ssh-folder belongs to).
  • Kaan
    Kaan over 5 years
    letsencrypt.org is a free SSL provider. Take a look at it instead of paying a lot of money to those companies.
  • ryanwebjackson
    ryanwebjackson almost 4 years
    I'm getting the following error: "unable to load Private Key 4511002220:error:09FFF06C:PEM routines:CRYPTO_internal:no start line:/AppleInternal/BuildRoot/Library/Caches/com.apple.xbs/Sources/libressl/libressl-47.100.4/libressl-2.8/crypto/pem/pem_lib.c:684:Expecting: ANY PRIVATE KEY" Is it because I don't have a PEM file but a KEY file?
  • ryanwebjackson
    ryanwebjackson almost 4 years
    My issue was I had a mal-formatted private key file. Not sure how it happened, but I used the file and tail commands on Linux to determine the issue.
  • João Pimentel Ferreira
    João Pimentel Ferreira over 3 years
    Can I expose the .crt file? Is that supposed to be public?