Home / server / Questions / 648534
Accepted
Karem
Asked: 2014-12-03 06:22:15 +0800 CST

Accidently removed localhost.crt SSL in Centos 6 - what can i do?

  • 772

So I just got my certificate issued from Digicert, and since there was other unused/old files in /etc/ssl/ i marked and removed, and accidently also removed localhost.crt.

Now I cannot start my web server (only without SSL). How do i recreate this localhost.crt file? And would i need to make a new key and get my certificate from digicert reissued?

centos

5 Answers

  1. There are two solutions to this issue:

    1) You can regenerate the default self-signed certificate using OpenSSL: 

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/pki/tls/private/localhost.key -out /etc/ssl/certs/localhost.crt

    2) You can search the Apache config files and replace the self-signed cert with the new certificate.

    This command will tell you which Apache config files reference the localhost.crt file:

    grep -i -r localhost.crt /etc/httpd/

    An example output of the above command might be this:

    /etc/httpd/conf.d/ssl.conf:SSLCertificateFile /etc/pki/tls/certs/localhost.crt

    That tells us to look in /etc/httpd/conf.d/ssl.conf and update the SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile to their new DigiCert certificate files.

    Please feel free to call DigiCert support at 1-801-701-9600 if you have any problems or questions.

    • 9

  2. The files /etc/pki/tls/certs/localhost.crt and /etc/pki/tls/private/localhost.key are created by the postinstall script of the mod_ssl package. You can find the CentOS 7 spec file here: https://git.centos.org/rpms/httpd/blob/c7/f/SPECS/httpd.spec (check the other branches for different CentOS versions). Here is the script from CentOS 7:

    %define sslcert %{_sysconfdir}/pki/tls/certs/localhost.crt
%define sslkey %{_sysconfdir}/pki/tls/private/localhost.key

%post -n mod_ssl
umask 077

if [ -f %{sslkey} -o -f %{sslcert} ]; then
   exit 0
fi

%{_bindir}/openssl genrsa -rand /proc/apm:/proc/cpuinfo:/proc/dma:/proc/filesystems:/proc/interrupts:/proc/ioports:/proc/pci:/proc/rtc:/proc/uptime 2048 > %{sslkey} 2> /dev/null

FQDN=`hostname`
if [ "x${FQDN}" = "x" -o ${#FQDN} -gt 59 ]; then
   FQDN=localhost.localdomain
fi

cat << EOF | %{_bindir}/openssl req -new -key %{sslkey} \
         -x509 -sha256 -days 365 -set_serial $RANDOM -extensions v3_req \
         -out %{sslcert} 2>/dev/null
--
SomeState
SomeCity
SomeOrganization
SomeOrganizationalUnit
${FQDN}
root@${FQDN}
EOF

    So if you delete both localhost.key and localhost.crt, and do yum reinstall mod_ssl, then the postinstall script will recreate them for you.

    (I'm posting this answer because searching how to recreate /etc/pki/tls/certs/localhost.crt leads me here, but as others stated, if you got a cert signed by a CA, you don't need the localhost.crt and localhost.key files any more.)

    • 3
  3. Best Answer

    your ssl certificate issuer should provide you free replacement or reissue. Just go to digicert and ask them.

    Generate new key files from server and reissue ssl. Make sure the new ssl should be SHA2 only.

    • 2

  4. I just had this same problem. There was no default localhost certificate for CentOS 8 so I ran this and it regenerated all the default certs.

    /usr/libexec/httpd-ssl-gencerts

    Hope it helps someone else.

    • 0

  5. You can just reinstall ssl with following command.It will regenerate localhost.crt

    yum -y install mod_ssl

    • 0