Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Comment: removed link

Modern browsers like "chrome" Chrome require you to have more secure certificates with 3072 bits / sha256 and higher encryption. In order for HAproxy to support multiple storage domains, we need to enable additional extensions and include subject alternate names to the certificate.

Info

These steps are meant to be used on CentOS 6/7 OS.

Instructions

Please follow Complete these steps exactlycarefully:

  1. First we need to edit Edit the SSL configuration: /etc/pki/tls/openssl.cnf
    1. in

      In the section "[ req ]", add or

      uncomment 

      uncomment this line:

      Code Block
      [ req ]
      req_extensions = v3_req


    2. Immediately below, add the following

      just underneath

      :

      ```
      Code Block
      [ v3_req ]

      
      subjectAltName = @alt_names
      
      
      [ alt_names ]

      
      DNS.1 = example.demo.sales.local

      
      DNS.2 = master.acme.org
      ```


    3. Note: You can add Add as many alternative names as you wish needed to the alt_names section.
    4. You may optionally also wish to fill in (optional) Set the other defaults as desired: countryName_default , localityName_default etc, .. if you want to see sensible defaults. 
  2. Generate a private key: 

    Code Block
    openssl genrsa -des3 -out YOURDOMAIN.key 3072


  3. Generate a CSR key with the newly created private key:

    Code Block
    openssl req -new -key YOURDOMAIN.key -out YOURDOMAIN.csr -config /etc/pki/tls/openssl.cnf -sha256 -newkey rsa:3072


  4. Generate the final certificate:

    Code Block
    openssl x509 -req -sha256 -days 3650 -in YOURDOMAIN.csr -signkey YOURDOMAIN.key -out YOURDOMAIN.crt -extensions v3_req -extfile /etc/pki/tls/openssl.cnf


  5. Combine both YOURDOMAIN.key and YOURDOMAIN.crt into a single YOURDOMAIN.pem file and configure haproxy HAproxy to use it.
  6. Now you can restart Restart the HAproxy service.
  7. From a Windows Client/Server, connect with Chrome , at first it will say its an untrusted certificate, download it locally and install it by double-clicking on client or server, navigate to the secure URI with Chrome.
  8. At first, it will say it's an untrusted certificate. Download the certificate locally, then double-click it to install it.
  9. Restart the browser, and navigate to the secure URI, you . The browser should now see the browser accept the certificate.

Filter by label (Content by label)
showLabelsfalse
max5
spacescom.atlassian.confluence.content.render.xhtml.model.resource.identifiers.SpaceResourceIdentifier@957
showSpacefalse
sortmodified
reversetrue
typepage
cqllabel in ( "haproxy" , "certificate" , "ssl" ) and type = "page" and space = "KB"
labelsSSL certificate haproxy

...