If you want to learn how to create a CRT file on Linux to check certificate validity during the testing phase or for internal usage, you have come to the right place. Continue reading the article to find out more.
A security certificate file with the .crt extension contains the certificate that a website presents so that clients can build a secure connection with the server. This certificate allows sensitive data to be sent over the internet, such as user credentials, payment details, and bank transactions.
In this article, we will explain how to create self-signed CRT certificates using the OpenSSL tool in Linux. So, let’s get started.
Difference Between Self-Signed Certificates and CA-Signed Certificates
A self-signed certificate is a certificate signed by its own creator rather than by an external authority. A CA-signed certificate, on the other hand, is signed by an external certificate authority (CA), and web browsers trust it because the certificate has been verified by an authority such as Let's Encrypt, DigiCert, or GlobalSign.
Signing authorities do not verify self-signed certificates, so clients do not trust them. However, using a self-signed certificate for development and testing purposes is acceptable.
Prerequisites
For this tutorial, ensure that you have the OpenSSL tool installed on your Linux machine. In addition, this tutorial requires root access or sudo privileges for your account.
How to Create a CRT File on Linux
This tutorial will first cover CRT certificate generation. Then we will discuss how to use it in Linux.
Verify the OpenSSL Version
First, open the terminal by pressing “Ctrl + Alt + T”. Check for the OpenSSL version by typing the command given below:
openssl version
You should get a similar output:
If the OpenSSL tool is not installed, install it by executing the commands given below:
sudo apt-get update -qq
sudo apt-get install -y openssl
Generate an RSA Private Key File
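Now that OpenSSL is installed, we will generate a private key with the openssl genrsa command. The first command below creates the unencrypted key (private.key) used in the rest of this tutorial; the second is a variant that writes a passphrase-protected key to keypair.key. Specifically, type:
# Unencrypted 2048-bit RSA key used in the following steps
openssl genrsa -out private.key 2048
# Variant: 3DES-encrypted key; "pass:x" sets the passphrase to "x" and exposes it in shell history
openssl genrsa -des3 -passout pass:x -out keypair.key 2048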
The output should look something like this:
From the output, it is clear the machine has generated a private SSL key using the RSA algorithm.
Create a Certificate Signing Request (CSR) File
In this step, we will use the generated private key to create a certificate signing request. The request file uses the .csr extension and will be turned into a CRT file in the next step.
Input:
openssl req -new -key private.key -out request.csr
The command will prompt you to enter information such as country name, state, etc. Press the “Enter” key to skip entering the information. However, it is better to provide the correct information in this process. It should look something like this:
Once you have generated the .csr file, you can check it by executing the command given below:
ls request.csr
Output:
Create a CRT Certificate on Linux
Now, to create the CRT certificate using the .csr file, execute the command given below:
openssl x509 -req -days 365 -in request.csr -signkey private.key -out certificate.crt
The output should look something like this:
Verify the CRT File on Linux
To check whether the file has been created successfully or not, use the cat command. For example, type:
cat certificate.crt
The output should show the certificate content:
Alternatively, use the find command to find the file. If the file exists, its path will be printed. Specifically, type:
find . -name certificate.crt -print
In addition, you can also use the locate command as shown below:
locate certificate.crt
Finally, you have successfully generated the CRT certificate. Make sure to back up the key to external storage to keep it safe.
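The cat and find checks above only confirm that the file exists. The following added example (not part of the original article) checks that certificate.crt actually matches private.key, is self-signed, and has not expired; the helper function names and the subject CN are assumptions made for illustration.

```bash
# Added example, not from the original article. File names follow the tutorial;
# the subject CN "test.internal.example" is a constructed placeholder.

# Succeed only if the certificate carries the public half of this private key.
cert_matches_key() {
    local cert_pub key_pub
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeed only if subject equals issuer and the signature verifies with
# the certificate's own public key.
is_self_signed() {
    local subject issuer
    subject=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    issuer=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subject" ] && [ "$subject" = "$issuer" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Succeed only if the certificate is still valid $2 seconds from now.
valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Run the tutorial's three steps non-interactively inside directory $1.
make_test_cert() {
    ( umask 077 &&   # files are created readable by the owner only
      openssl genrsa -out "$1/private.key" 2048 2>/dev/null &&
      openssl req -new -key "$1/private.key" \
          -subj "/CN=test.internal.example" -out "$1/request.csr" &&
      openssl x509 -req -days 365 -in "$1/request.csr" \
          -signkey "$1/private.key" -out "$1/certificate.crt" 2>/dev/null )
}
```

From the directory holding the tutorial's files, run `cert_matches_key certificate.crt private.key && is_self_signed certificate.crt && valid_for certificate.crt 86400`. A certificate and key that do not match is also a common reason for a web server to refuse to start after its certificate path is changed.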
Configure the Server to Use the Certificate Files
Now that we’ve created the certificate, we can test it on the server. For this process, first, we will install the mod_ssl package. Specifically, input:
sudo yum install mod_ssl
Wait for the installation to complete. After that, place the ssl.conf file in the /etc/httpd/conf.d/ directory. After that, open the file using your preferred text editor:
#vim editor
sudo vi /etc/httpd/conf.d/ssl.conf
#nano
sudo nano /etc/httpd/conf.d/ssl.conf
Scroll down until you find the following line:
SSLCertificateFile
Update the path with the path to your certificate file. Press “Ctrl + S” to save and exit the editor. Now, restart the Apache server using the restart command:
sudo apachectl restart
Now, the next time you connect to your IP address via HTTPS, you will get a warning that your certificate is not trusted.
And you’re done! When Apache restarts, it will be configured to allow SSL connections by using the generated self-signed SSL certificates.
In this article, we have looked at the certificate (.crt) and private key (.key) files that are essential for setting up an HTTPS server. In addition, we also discussed the difference between certificates signed by an external authority and self-signed certificates.
Lastly, we generated the CRT certificates and used them with the Apache server.