Modern browsers such as Chrome reject certificates signed with SHA-1 and no longer match the host name against the Common Name, so every host name the certificate is used for must be listed in a subjectAltName (SAN) extension; the procedure below also uses a 3072-bit RSA key and a SHA-256 signature. For HAProxy to front multiple storage domains with one certificate, the OpenSSL configuration must enable the v3_req extension section and list each host name as a subject alternative name.
These steps are meant to be used on CentOS 6/7 OS.
Instructions
Complete these steps carefully:
- Edit the OpenSSL configuration:
/etc/pki/tls/openssl.cnf
In the section "[ req ]", add or uncomment this line:
[ req ]
req_extensions = v3_req
Immediately below, add the following (the two host names are examples; use your own):
[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = example.demo.sales.local
DNS.2 = master.acme.org
- Add as many DNS.N entries as needed to the alt_names section; the browser accepts only host names that appear there (the Common Name is not consulted).
- (optional) Set the other defaults as desired: countryName_default, localityName_default, ...
- Generate a private key. The key is left unencrypted on purpose: HAProxy cannot answer a passphrase prompt at start-up, so protect the file with restrictive permissions (readable only by root) instead:
openssl genrsa -out YOURDOMAIN.key 3072
- Generate a certificate signing request (CSR) with the newly created private key. The -config option points OpenSSL at the edited file so the request carries the v3_req section; no -newkey option is needed because -key supplies the existing key:
openssl req -new -key YOURDOMAIN.key -out YOURDOMAIN.csr -config /etc/pki/tls/openssl.cnf -sha256
- Generate the final self-signed certificate. Note that x509 -req does not copy extensions from the CSR, so -extensions and -extfile must be given again or the SAN will be missing from the certificate. A public CA would not issue a 10-year certificate, but a locally trusted self-signed certificate is not subject to that limit:
openssl x509 -req -sha256 -days 3650 -in YOURDOMAIN.csr -signkey YOURDOMAIN.key -out YOURDOMAIN.crt -extensions v3_req -extfile /etc/pki/tls/openssl.cnf
- Combine YOURDOMAIN.crt and YOURDOMAIN.key into a single YOURDOMAIN.pem file (certificate first, then the key), keep it readable only by the HAProxy user, and configure HAProxy to use it.
- Restart the HAProxy service.
- From a Windows client or server, navigate to the secure URI with Chrome.
- At first, Chrome warns that the certificate is untrusted. Export the certificate from Chrome's certificate viewer, then double-click the downloaded file to install it. Because the certificate is self-signed it acts as its own root, so place it in the "Trusted Root Certification Authorities" store; the import wizard's default (the Personal store) does not make it trusted. Chrome on Windows honours roots installed in the Windows certificate store.
- Restart the browser, and navigate to the secure URI. The browser should now accept the certificate, provided the host name in the URI matches one of the alt_names entries.
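The following script is an added example, not part of the original article: it performs the OpenSSL steps above end to end in a scratch directory with its own config file (so the system openssl.cnf stays untouched), builds the HAProxy PEM, and then reads back the SAN list, signature algorithm, key size and a host-name match the way you would check them before restarting HAProxy. The host names, output directory and "YOURDOMAIN" file name are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original article): generate a SAN
# certificate for HAProxy and verify what actually ended up in it.
# Host names and paths below are constructed placeholders.
set -eu

OUTDIR="${OUTDIR:-$(mktemp -d)}"
NAME="${NAME:-YOURDOMAIN}"
# Constructed SAN list, space separated; add as many names as needed.
SANS="${SANS:-example.demo.sales.local master.acme.org}"
CFG="$OUTDIR/san.cnf"
PEM="$OUTDIR/$NAME.pem"

# Write a private OpenSSL config carrying the v3_req / alt_names sections
# the article adds to /etc/pki/tls/openssl.cnf. CN is the first SAN entry.
write_config() {
    names=""
    i=1
    for h in $SANS; do
        names="${names}DNS.${i} = ${h}
"
        i=$((i + 1))
    done
    cat >"$CFG" <<EOF
[ req ]
default_md         = sha256
prompt             = no
distinguished_name = req_distinguished_name
req_extensions     = v3_req

[ req_distinguished_name ]
CN = ${SANS%% *}

[ v3_req ]
subjectAltName = @alt_names

[ alt_names ]
${names}
EOF
}

# Key -> CSR -> self-signed cert -> HAProxy PEM. Prints the PEM path.
make_cert() {
    write_config
    # No -des3: HAProxy cannot answer a passphrase prompt at start-up, so the
    # key stays unencrypted and is protected by file mode (umask 077) instead.
    (umask 077; openssl genrsa -out "$OUTDIR/$NAME.key" 3072 2>/dev/null)
    openssl req -new -sha256 -key "$OUTDIR/$NAME.key" -config "$CFG" \
        -out "$OUTDIR/$NAME.csr"
    # x509 -req does not copy extensions from the CSR: pass -extfile again
    # or the SAN will be missing from the certificate.
    openssl x509 -req -sha256 -days 3650 -in "$OUTDIR/$NAME.csr" \
        -signkey "$OUTDIR/$NAME.key" -extensions v3_req -extfile "$CFG" \
        -out "$OUTDIR/$NAME.crt" 2>/dev/null
    # HAProxy "crt" file layout: certificate (then chain, if any), then key.
    (umask 077; cat "$OUTDIR/$NAME.crt" "$OUTDIR/$NAME.key" >"$PEM")
    echo "$PEM"
}

# Decoded certificate text (x509 reads the first certificate in the PEM).
cert_text() {
    openssl x509 -in "$1" -noout -text
}

# Space-separated DNS names from the SAN extension.
cert_sans() {
    s=$(cert_text "$1" | grep -o 'DNS:[^, ]*' | sed 's/^DNS://' | tr '\n' ' ')
    echo "${s% }"
}

# Signature algorithm, e.g. sha256WithRSAEncryption.
cert_sig_alg() {
    cert_text "$1" | awk '/Signature Algorithm/ { print $3; exit }'
}

# RSA modulus size in bits.
cert_key_bits() {
    cert_text "$1" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1
}

# Same test the browser performs: does the host name match the SAN?
cert_matches_host() {
    case "$(openssl x509 -in "$1" -checkhost "$2")" in
        *"does match"*) return 0 ;;
        *) return 1 ;;
    esac
}

if [ "${1:-}" = "--run" ]; then
    pem=$(make_cert)
    echo "PEM:       $pem"
    echo "SAN:       $(cert_sans "$pem")"
    echo "Signature: $(cert_sig_alg "$pem")"
    echo "Key bits:  $(cert_key_bits "$pem")"
    echo "haproxy.cfg: bind *:443 ssl crt $pem   (assumed path)"
fi
```

Run it as `sh san-cert.sh --run`, or set SANS and OUTDIR first to use your own names and target directory. The cert_matches_host check is the one to repeat for every name you expect clients to use: if a name is missing from alt_names, Chrome will refuse the connection even though the certificate itself is trusted.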