In SSL/TLS configurations, .crt (certificate) and .key (private key) files are essential for securing web traffic. The .crt file contains the public certificate issued by a Certificate Authority (CA), while the .key file holds the private key used to encrypt/decrypt data.
For development or testing, you can generate a self-signed certificate using OpenSSL:
openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
-keyout login.domain.com.key \
-out login.domain.com.crt
This command:
- Creates a 2048-bit RSA private key (.key)
- Generates a self-signed certificate valid for 365 days (.crt)
- Omits passphrase protection (-nodes)
For production environments, you'll need a CA-signed certificate. First generate a Certificate Signing Request (CSR):
openssl req -new -newkey rsa:2048 -nodes \
-keyout login.domain.com.key \
-out login.domain.com.csr
Then submit the .csr file to a CA like Let's Encrypt, DigiCert, or GoDaddy.
Once you have your .crt and .key files, configure Apache:
<VirtualHost *:443>
ServerName login.domain.com
SSLEngine on
SSLCertificateFile /etc/httpd/conf/login.domain.com.crt
SSLCertificateKeyFile /etc/httpd/conf/login.domain.com.key
SSLCipherSuite ALL:-ADH:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
</VirtualHost>
- Store .key files securely with restricted permissions (600)
- Regularly renew certificates before expiration
- Use tools like Certbot for automated renewal (Let's Encrypt)
- Consider using wildcard certificates for multiple subdomains
If Apache fails to start after configuration:
apachectl configtest
Check for:
- File path correctness
- Certificate and key matching (compare the output of openssl x509 -noout -modulus -in cert.crt | openssl md5 with openssl rsa -noout -modulus -in cert.key | openssl md5; the two hashes must be identical)
- Proper file permissions
When configuring HTTPS for your Apache web server, you'll need two essential files:
- .crt file: The SSL certificate (public key) that gets served to clients
- .key file: The private key that should remain secure on your server
For development environments, you can create a self-signed certificate with OpenSSL:
# Generate private key (2048-bit recommended)
openssl genrsa -out login.domain.com.key 2048
# Create CSR (Certificate Signing Request)
openssl req -new -key login.domain.com.key -out login.domain.com.csr
# Generate self-signed certificate valid for 365 days
openssl x509 -req -days 365 -in login.domain.com.csr -signkey login.domain.com.key -out login.domain.com.crt
For production use, follow these steps:
- Generate CSR:
openssl req -new -newkey rsa:2048 -nodes -keyout login.domain.com.key -out login.domain.com.csr
- Submit CSR to a Certificate Authority (CA) like Let's Encrypt, DigiCert, etc.
- Receive signed certificate (.crt/.pem) from the CA
Here's a complete virtual host configuration for SSL:
<VirtualHost *:443>
ServerName login.domain.com
SSLEngine on
SSLCertificateFile /etc/httpd/conf/login.domain.com.crt
SSLCertificateKeyFile /etc/httpd/conf/login.domain.com.key
# If the CA supplied an intermediate chain (Apache rejects comments on the same line as a directive,
# and SSLCACertificateFile is for client-certificate verification, not the server chain)
SSLCertificateChainFile /etc/httpd/conf/intermediate.crt
# Recommended cipher suite
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1
SSLHonorCipherOrder On
# HSTS (optional)
Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
# Other configuration directives...
</VirtualHost>
For automatic certificate renewal using Certbot:
# Install certbot (CentOS/RHEL example)
sudo yum install epel-release
sudo yum install certbot python2-certbot-apache
# Obtain and install certificate
sudo certbot --apache -d login.domain.com
# Test automatic renewal
sudo certbot renew --dry-run
- Set proper permissions:
chmod 400 login.domain.com.key
- Keep private keys secure - never share or commit to version control
- Use strong encryption (RSA 2048-bit minimum, ECDSA preferred)
- Renew certificates before expiration (60-90 days for Let's Encrypt)
If you encounter SSL errors:
# Verify certificate chain
openssl verify -CAfile /path/to/ca-bundle.crt login.domain.com.crt
# Check certificate details
openssl x509 -in login.domain.com.crt -text -noout
# Test SSL connection
openssl s_client -connect login.domain.com:443 -servername login.domain.com
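The checks above (certificate/key matching from the first answer, expiry and permissions from this one) can be scripted so they run before every Apache restart. The script below is an added example from the editor, not code from either answer; it assumes the openssl CLI is on PATH, and the certificate and key paths are hypothetical arguments supplied by the caller. It goes slightly beyond the modulus comparison shown earlier: comparing the embedded SubjectPublicKeyInfo works for ECDSA keys as well as RSA.

```shell
#!/bin/sh
# Added example: pre-flight checks for an Apache .crt/.key pair. Not part of
# the original answers. Assumes the openssl CLI is on PATH; the certificate
# and key paths are hypothetical arguments supplied by the caller.

# cert_key_match CERT KEY
# Succeeds (exit 0) when the public key inside CERT equals the public key
# derived from KEY. Comparing the SubjectPublicKeyInfo works for RSA and
# ECDSA alike, whereas the -modulus comparison is RSA-only.
cert_key_match() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# cert_expires_within CERT DAYS
# Succeeds when CERT expires within DAYS days, i.e. renewal is due.
# openssl's -checkend exits 0 while the certificate stays valid for the given
# number of seconds, so its result is inverted here.
cert_expires_within() {
    secs=$(( $2 * 86400 ))
    if openssl x509 -in "$1" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# key_permissions_ok KEY
# Succeeds when KEY has no group/other permission bits (mode 600 or 400),
# matching the chmod advice above. Tries GNU stat first, then BSD stat.
key_permissions_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 2
    case "$mode" in
        *00) return 0 ;;
        *)   return 1 ;;
    esac
}

# Usage: sh tls_preflight.sh login.domain.com.crt login.domain.com.key
# With no arguments only the functions are defined (handy for sourcing).
if [ "$#" -eq 2 ]; then
    cert=$1; key=$2; status=0
    if cert_key_match "$cert" "$key"; then
        echo "OK   certificate and key match"
    else
        echo "FAIL certificate/key mismatch (Apache will refuse to start)"; status=1
    fi
    if cert_expires_within "$cert" 30; then
        echo "WARN certificate expires within 30 days: $(openssl x509 -in "$cert" -noout -enddate)"
    else
        echo "OK   certificate valid for more than 30 days"
    fi
    if key_permissions_ok "$key"; then
        echo "OK   private key permissions are restricted"
    else
        echo "WARN private key is readable by group/others; run: chmod 400 $key"; status=1
    fi
    exit "$status"
fi
```

A non-zero exit from the script is a convenient gate in a deployment pipeline: a key/cert mismatch or a world-readable key blocks the restart, while an approaching expiry only warns so that Certbot's renewal window is not treated as an outage.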