Modern browsers such as Chrome no longer accept certificates signed with SHA-1, and since Chrome 58 they ignore the certificate's Common Name and match the host name only against the Subject Alternative Name (SAN) extension. This guide therefore generates a SHA-256 signed certificate with a 3072-bit RSA key and, so that one HAProxy certificate can serve several storage domains, enables the v3_req extension section and lists every host name as a subject alternative name.
These steps are written for CentOS 6 and CentOS 7.
Instructions
Please follow these steps exactly:
- First we need to edit /etc/pki/tls/openssl.cnf. Note that this is the system-wide OpenSSL configuration, so the change affects every certificate request made on this host; if that is not wanted, copy the file and point -config and -extfile at the copy in the commands below.
- In the section "[ req ]" add or uncomment the line req_extensions = v3_req
- Add the following two sections just underneath:
```
[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.demo.sales.local
DNS.2 = master.acme.org
```
- Note: You can add as many alternative names as you wish to the alt_names section (DNS.3, DNS.4, and so on). Every host name a client will use to reach HAProxy must be listed here, including the one you put in the Common Name, because the browser no longer falls back to the Common Name.
- You may optionally also wish to fill in countryName_default, localityName_default, etc. if you want to see sensible defaults at the prompts.
- Generate a private key: openssl genrsa -des3 -out YOURDOMAIN.key 3072
  Note: -des3 encrypts the key with a passphrase that OpenSSL prompts for. HAProxy cannot prompt for a passphrase when it starts, so either omit -des3 or strip the passphrase (openssl rsa) before combining the files, and rely on file permissions (owned by root, mode 600) to protect the key instead.
- Generate a CSR with the newly created private key: openssl req -new -sha256 -key YOURDOMAIN.key -out YOURDOMAIN.csr -config /etc/pki/tls/openssl.cnf
  (-key already supplies the key, so the -newkey rsa:3072 option sometimes shown here is redundant and ignored.)
- Generate the final certificate: openssl x509 -req -sha256 -days 3650 -in YOURDOMAIN.csr -signkey YOURDOMAIN.key -out YOURDOMAIN.crt -extensions v3_req -extfile /etc/pki/tls/openssl.cnf
  The -extensions and -extfile options are required: openssl x509 -req does not copy extensions from the CSR, so without them the certificate would have no subject alternative names. You can confirm they are present with openssl x509 -in YOURDOMAIN.crt -noout -text and looking for "X509v3 Subject Alternative Name".
- Combine YOURDOMAIN.key and YOURDOMAIN.crt into a single YOURDOMAIN.pem file (certificate first, then the key), make it readable by root only, and reference it from the crt option of the ssl bind line in the HAProxy frontend.
- Check the configuration and restart the HAProxy service (service haproxy restart on CentOS 6, systemctl restart haproxy on CentOS 7).
- From a Windows client or server, connect with Chrome. Because the certificate is self-signed, it is untrusted at first: download it locally, double-click it, choose Install Certificate, and place it in the "Trusted Root Certification Authorities" store. The default "Personal" store does not make the browser trust it.
- Restart the browser and navigate to the secure URI; the browser should now accept the certificate. If it still reports a name mismatch, the host name you typed is missing from the alt_names section.
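The whole procedure above, as an added example that is not part of the original article: a POSIX shell function that writes its own OpenSSL configuration (instead of editing /etc/pki/tls/openssl.cnf), generates the key, CSR and self-signed SAN certificate, and combines them into the PEM file HAProxy loads. The output directory, the host names and the helper names make_san_cert, cert_has_san and cert_sig_alg are assumptions for illustration. It uses only -config/-reqexts/-extfile, which work on the OpenSSL 1.0.x shipped with CentOS 6/7 as well as on current releases.

```shell
#!/bin/sh
# Added example, not the article's own commands. Generates a self-signed,
# SHA-256, 3072-bit RSA certificate with Subject Alternative Names for HAProxy.
# Directory and host names are assumed for illustration.
set -eu

# make_san_cert OUTDIR CN SAN1 [SAN2 ...]
# Writes OUTDIR/CN.key, CN.csr, CN.crt and the combined CN.pem for HAProxy.
make_san_cert() {
    outdir=$1; cn=$2; shift 2
    mkdir -p "$outdir"
    cfg="$outdir/openssl-san.cnf"

    # Private config: same [ v3_req ] / [ alt_names ] layout as the article,
    # one DNS.n entry per remaining argument.
    {
        cat <<EOF
[ req ]
distinguished_name = req_distinguished_name
req_extensions     = v3_req
prompt             = no

[ req_distinguished_name ]
commonName = $cn

[ v3_req ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = @alt_names

[ alt_names ]
EOF
        i=1
        for name in "$@"; do
            printf 'DNS.%d = %s\n' "$i" "$name"
            i=$((i + 1))
        done
    } > "$cfg"

    # 1. Private key. No -des3: HAProxy cannot prompt for a passphrase at
    #    start-up, so the key is left unencrypted and protected by umask/mode.
    umask 077
    openssl genrsa -out "$outdir/$cn.key" 3072 2>/dev/null

    # 2. CSR carrying the SAN extension (-reqexts selects the section).
    openssl req -new -sha256 -key "$outdir/$cn.key" -out "$outdir/$cn.csr" \
        -config "$cfg" -reqexts v3_req

    # 3. Self-signed certificate. "x509 -req" does not copy extensions from
    #    the CSR, so the section is named again with -extensions/-extfile.
    openssl x509 -req -sha256 -days 3650 -in "$outdir/$cn.csr" \
        -signkey "$outdir/$cn.key" -out "$outdir/$cn.crt" \
        -extensions v3_req -extfile "$cfg" 2>/dev/null

    # 4. HAProxy loads certificate and key from one PEM file.
    cat "$outdir/$cn.crt" "$outdir/$cn.key" > "$outdir/$cn.pem"
    chmod 600 "$outdir/$cn.pem"
}

# cert_has_san CERT NAME: succeeds if NAME is listed as a DNS subject
# alternative name (DNS: entries only appear in the SAN extension of -text).
cert_has_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# cert_sig_alg CERT: prints the signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *Signature Algorithm: //p' | head -n 1
}
```

Usage: make_san_cert /etc/haproxy example.demo.sales.local example.demo.sales.local master.acme.org, then point HAProxy at the result with bind *:443 ssl crt /etc/haproxy/example.demo.sales.local.pem and restart the service. Run cert_has_san against the .crt for every host name clients will use; a name that is missing here is exactly the name Chrome will refuse.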