Modern browsers like Chrome require more secure certificates with 3072 bits / sha256 and higher encryption. For HAproxy to support multiple storage domains, we need to enable additional extensions and include subject alternative names in the certificate.
Info |
---|
These steps are meant to be used on CentOS 6/7 OS. |
Instructions
Complete these steps carefully:
- Edit the SSL configuration: /etc/pki/tls/openssl.cnf
- In the section "[ req ]", add or uncomment this line:
```
[ req ]
req_extensions = v3_req
```
Immediately below, add the following:
```
[ v3_req ]
subjectAltName = @alt_names
[ alt_names ]
DNS.1 = example.demo.sales.local
DNS.2 = master.acme.org
```
- Add as many alternative names as needed to the alt_names section.
- (Optional) Set the other defaults as desired: countryName_default, localityName_default, etc., if you want to see sensible defaults.
- Generate a private key:
```
openssl genrsa -des3 -out YOURDOMAIN.key 3072
```
- Generate a CSR with the newly created private key:
```
openssl req -new -key YOURDOMAIN.key -out YOURDOMAIN.csr -config /etc/pki/tls/openssl.cnf -sha256 -newkey rsa:3072
```
- Generate the final certificate:
```
openssl x509 -req -sha256 -days 3650 -in YOURDOMAIN.csr -signkey YOURDOMAIN.key -out YOURDOMAIN.crt -extensions v3_req -extfile /etc/pki/tls/openssl.cnf
```
- Combine both YOURDOMAIN.key and YOURDOMAIN.crt into a single YOURDOMAIN.pem file and configure HAproxy to use it.
- Restart the HAproxy service.
- From a Windows client or server, navigate to the secure URI with Chrome.
- At first, it will say it's an untrusted certificate. Download the certificate locally, then double-click it to install it.
- Restart the browser and navigate to the secure URI. The browser should now accept the certificate.
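A check worth running on YOURDOMAIN.crt before it goes into the HAproxy PEM, added here as an example and not part of the original instructions: it confirms the 3072-bit key, the sha256 signature and every expected subject alternative name. If `-extensions v3_req -extfile` is left off the signing step, the names in the CSR are not copied into the certificate, and this is the case the check catches. The function names `check_cert` and `make_demo_cert` and the throwaway `demo.*` files are assumptions of this example.

```sh
# check_cert CRT NAME...: returns 0 only if the key is RSA >= 3072 bits, the
# signature is SHA-256 and every NAME is present as a DNS subjectAltName.
check_cert() {
    cc_crt=$1; shift; cc_rc=0
    cc_text=$(openssl x509 -in "$cc_crt" -noout -text) || return 2
    cc_bits=$(printf '%s\n' "$cc_text" |
        sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)
    if [ "${cc_bits:-0}" -lt 3072 ]; then
        echo "FAIL: key is ${cc_bits:-0} bits, expected at least 3072"; cc_rc=1
    fi
    if ! printf '%s\n' "$cc_text" | grep -q 'Signature Algorithm: sha256WithRSA'; then
        echo "FAIL: certificate is not signed with sha256"; cc_rc=1
    fi
    # The SAN list is the line after its extension header in the -text output.
    cc_sans=$(printf '%s\n' "$cc_text" |
        sed -n '/X509v3 Subject Alternative Name/{n;p;}' | tr -d ' ')
    for cc_name in "$@"; do
        case ",$cc_sans," in
            *",DNS:$cc_name,"*) ;;
            *) echo "FAIL: missing subjectAltName DNS:$cc_name"; cc_rc=1 ;;
        esac
    done
    return "$cc_rc"
}

# make_demo_cert DIR [noext]: constructed sample input. Builds a throwaway
# certificate with the commands from the steps above (key left unencrypted so
# nothing prompts). "noext" drops -extensions/-extfile from the signing step.
make_demo_cert() {
    md=$1
    md_ext="-extensions v3_req -extfile $md/demo.cnf"
    [ "${2:-}" = noext ] && md_ext=""
    printf '%s\n' '[ req ]' 'distinguished_name = dn' 'prompt = no' \
        'req_extensions = v3_req' '[ dn ]' 'CN = example.demo.sales.local' \
        '[ v3_req ]' 'subjectAltName = @alt_names' '[ alt_names ]' \
        'DNS.1 = example.demo.sales.local' 'DNS.2 = master.acme.org' > "$md/demo.cnf"
    # $md_ext is left unquoted below so it splits into separate arguments.
    openssl genrsa -out "$md/demo.key" 3072 2>/dev/null &&
    openssl req -new -key "$md/demo.key" -out "$md/demo.csr" \
        -config "$md/demo.cnf" -sha256 &&
    openssl x509 -req -sha256 -days 1 -in "$md/demo.csr" -signkey "$md/demo.key" \
        -out "$md/demo.crt" $md_ext 2>/dev/null
}
```

For the real certificate, run `check_cert YOURDOMAIN.crt example.demo.sales.local master.acme.org` with the names from your own alt_names section.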