The certificates are located in:
/etc/haproxy/haproxy.pem
The correct permissions are 400. (read only for root) and can be set as follows:
chmod 400 haproxy.pem
The file contains Sections:
Note
certificate chain:
end_entity_cetificate.crt
intermediate_certificate.crt
root_certificate.crt
Private Key
private_key.key
The end entity certificate and the matching private key are mandatory
haproxy.pem
- end_entity_cetificate.crt
- intermediate_certificate.crt
- root_certificate.crt
- private_key.key
Command to generate the haproxy.pem file
$ cat end-entity.crt intermediate_certificate.crt root_certificate.crt private-key.key > haproxy.pem
- Make sure the private key is not corrupted
$ openssl rsa -check -noout -in private_key.key
If the output “RSA key ok“ then the private key is correct.
- Make sure the end entity certificate and the private key match together
Calculate the modulus of the of the private key
$ openssl rsa -modulus -noout -in private_key.key | openssl md5
Calculate the modulus of the server certificate
$ openssl x509 -modulus -noout -in end_entity_certificate.crt| openssl md5
If both outputs are identical then the private key matches to the end entity certificate.
- The end entity certificate muss be in the first position and the matching private key muss be in the last position
- The intermediate(s) and the root certificate are optional. In case they are included, the intermediate(s) certificates muss before the root certificate
- Make sure the end of line (EOL) in the file are Linux EOL (LF). Windows EOL (CR LF) or Macintosh EOL (CR) will fail, because the Load Balancer is a Linux distribution.
- You can check the content (Check the Validity) after with this command:
$ openssl x509 -text -in haproxy.pem
-----BEGIN CERTIFICATE----- MIIEzjCCA7agAwIBAgISESGiWLxseXetsJGbfZKEfehiMA0GCSqGSIb3DQEBCwUA MEwxCzAJBgNVBAYTAkJFMRkwFwYDVQQKExBHbG9iYWxTaWduIG52LXNhMSIwIAYD ... -----END CERTIFICATE----- -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAsDGatsqSubHWmDG2IOVbocgwJfX9dB3EtXFw6HN87zDvAvvE 9KUsDqMQiU2+aORZapzhl0oL1cfznPpQYyo4WGprQiNyL82TTxeWhCNRnBv4tnJw ... -----END RSA PRIVATE KEY-----
The minimum is that the certificate for the load balancer and private key are included. The file is referenced in haproxy.cfg:
frontend acdportal_https mode http bind :443 ssl crt /etc/haproxy/haproxy.pem #verify optional
If an intermediate certificate must be inserted (example sales force if the certification chain is not known in SalesForce), this can be done as follows
- Right mouse click on the certification in the browser:
- Display details of the certificate:
- view certificate
- Display intermediate certificate:
- Save as file:
- In base 64 format:
#
- Save to the local computer:
Then edit the file with a text editor, then copy the content of the intermediate certificate into the haproxy.pem file at the very bottom.
Then:
service haproxy reload
Converting pfx Certificates to .pem Format
The following command can be used to convert a .pfx certificate file to .pem Format (the password for the certificate will be required):
openssl pkcs12 -in acd.cg.internal.pfx -out /root/haproxy.pem -nodes