When your SSL certificate expires, it's crucial to replace it promptly to ensure secure communication between clients and your HAProxy server. This guide outlines the steps to deploy a new SSL certificate on HAProxy, including extracting the private key from a certificate.pfx file and converting it to a certificate.pem file using OpenSSL. Additionally, it explains the format of PEM certificates required for HAProxy, including the certificate, intermediate certificate, private key, and root certificate.

Step 1: Extracting Private Key from certificate.pfx

  1. Install OpenSSL: Ensure OpenSSL is installed on your system. Most Linux distributions come with OpenSSL pre-installed. If not, you can install it using your package manager.

  2. Extract Private Key: Use the following OpenSSL command to extract the private key from the certificate.pfx file:

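    openssl pkcs12 -in certificate.pfx -nocerts -nodes -out private.key

    Replace certificate.pfx with the path to your certificate file. The -nodes option (-noenc in OpenSSL 3.x) writes the key without passphrase encryption so that HAProxy can load it unattended; without it, OpenSSL asks for a PEM pass phrase and encrypts private.key. Because the key is stored in the clear, restrict read access to private.key.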

  3. Provide Password: You will be prompted to enter the password for the .pfx file. Enter the password when prompted.

  4. Verify Private Key: After extraction, verify that the private key is correctly generated by checking the contents of the private.key file.

Step 2: Converting certificate.pfx to certificate.pem

  1. Convert to PEM Format: Use the following OpenSSL command to convert the .pfx file to a .pem file:

    openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.pem

    This command extracts the certificate file without the private key.

  2. Provide Password: You will be prompted to enter the password for the .pfx file. Enter the password when prompted.

  3. Verify PEM Certificate: After conversion, verify that the certificate.pem file contains the SSL certificate.

Step 3: Format of PEM Certificate for HAProxy

For HAProxy, you need to combine the SSL certificate, intermediate certificate (if any), private key, and root certificate (optional) into a single PEM file.

  1. Concatenate Certificates: Concatenate the certificate.pem, private.key, and intermediate/root certificates (if any) into a single .pem file:

    cat certificate.pem private.key [intermediate.crt] [root.crt] > haproxy.pem

    Replace [intermediate.crt] and [root.crt] with the filenames of intermediate and root certificates if they are separate files. Otherwise, omit them.

  2. Verify PEM File: Verify the contents of the haproxy.pem file to ensure all certificates are concatenated correctly.
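One way to carry out the verification called for in Steps 1 to 3 before deploying, as an added example that is not part of the original guide: the function below checks that the combined file holds a certificate and an unencrypted private key, that the key matches the first (leaf) certificate, and that the leaf has not expired. The function name check_haproxy_pem and its return codes are assumptions of this example.

```shell
#!/bin/sh
# Added example: sanity-check a combined HAProxy PEM before deploying it.
# Return codes (chosen for this example): 0 ok, 2 certificate or key missing
# or unreadable, 3 key is passphrase-encrypted, 4 key does not match the
# leaf certificate, 5 leaf certificate has expired.
check_haproxy_pem() {
    pem=$1
    [ -r "$pem" ] || { echo "cannot read $pem" >&2; return 2; }

    # The file must hold at least one certificate and one private key block.
    grep -q -e '-----BEGIN CERTIFICATE-----' "$pem" ||
        { echo "no certificate in $pem" >&2; return 2; }
    grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem" ||
        { echo "no private key in $pem" >&2; return 2; }

    # PKCS#8 and legacy PEM mark an encrypted key differently; catch both.
    if grep -q -E -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----|^Proc-Type: 4,ENCRYPTED' "$pem"; then
        echo "private key in $pem is passphrase-encrypted" >&2
        return 3
    fi

    # openssl x509 reads the first certificate in the file, which must be the
    # leaf; its public key has to equal the one derived from the private key.
    cert_pub=$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$pem" -passin pass: -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "private key does not match the first certificate" >&2; return 4; }

    # -checkend 0 exits non-zero when the certificate has already expired.
    openssl x509 -in "$pem" -noout -checkend 0 >/dev/null ||
        { echo "leaf certificate has expired" >&2; return 5; }

    echo "ok: $(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem") certificate(s), key matches leaf"
    openssl x509 -in "$pem" -noout -subject -enddate
}

# Run the check when a file is given on the command line, e.g. haproxy.pem.
if [ "$#" -gt 0 ]; then check_haproxy_pem "$1"; fi
```
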

Step 4: Deploying New SSL Certificate to HAProxy

  1. Back Up Current Configuration: Before proceeding, back up your current HAProxy configuration file to avoid any potential issues.

  2. Replace SSL Certificate: Update your HAProxy configuration file to point to the new haproxy.pem file containing the updated SSL certificate.

  3. Reload HAProxy Configuration: Reload HAProxy to apply the changes:

    sudo systemctl reload haproxy

    Replace haproxy with the name of your HAProxy service if different.

  4. Verify SSL Configuration: Test your HAProxy configuration to ensure that the SSL certificate is correctly applied and that there are no errors:

    sudo haproxy -c -f /etc/haproxy/haproxy.cfg

    Replace /etc/haproxy/haproxy.cfg with the path to your HAProxy configuration file.

  5. Monitor HAProxy Logs: Monitor HAProxy logs for any SSL-related errors or warnings to ensure smooth operation.

By following these steps, you can successfully deploy a new SSL certificate to HAProxy, ensuring secure communication between clients and your server. Remember to schedule certificate renewals in advance to prevent future expiration issues.
