SSL

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are protocols that encrypt messages between a client and server so that no one can eavesdrop on the communication. These protocols also ensure that the client can trust that they are connecting to the server they intended to, since the server must present a cryptographic certificate encoded with its domain name, and that certificate must have been signed by a trusted third-party certificate authority.

In this section, you will learn how to manage SSL/TLS certificates and keys in HAProxy ALOHA. HAProxy ALOHA can store SSL certficates that you can then use in your load balancer configuration to secure the traffic between clients and your services.

Create a public-facing certificate Jump to heading #

To get a public-facing certificate, you must first create a certificate signing request, which you will send to a Certificate Authority. The Certificate Authority will then return to you a signed certificate.

1. From the SSL tab, click New.

2. Give the certificate a name by setting the Choose SSL certificate name field. Only letters, numbers and underscores are allowed.

3. Set a private key for your certificate by either:

   • Generating a new key by setting the Generate a Private Key bits field and then clicking Generate.

   • Selecting Upload a Private Key and then either pasting your key into the box or uploading it, then clicking Upload.

     • Use at least 2048 bits for public-facing certificates.
     • Your private key will not be sent to the Certificate Authority with your certificate signing request. You should keep your key secret.

4. The Build Certificate Request dialog displays. Set each of the properties under Build Certificate Request, then click Request.

5. Copy and send the certificate signing request to your Certificate Authority.

6. When you receive the signed server certificate from the Certificate Authority, click Edit on the row of the incomplete certificate signing request.

7. Paste your certificate and then click Upload. You can also paste below the certificate all intermediate certificates, if any.

Create a self-signed certificate Jump to heading #

A self-signed certificate is not signed by a trusted Certificate Authority, which means that client browsers will not trust it by default. However, a self-signed certificate is convenient for internal, test environments or when internal users are fine with clicking past the browser’s warnings.

1. From the SSL tab, click New.

2. Give the certificate a name by setting the Choose SSL certificate name field.

3. Set the size of the certificate’s private key by setting the Generate a Private Key bits field, then click Generate.

4. The Build Certificate Request dialog displays. Set each of the properties under Build Certificate Request, then click Request.

5. The certificate signing request information displays. Click Sign to self-sign the certificate.

Upload an existing certificate Jump to heading #

You can upload a certificate that you already have. Note that your key file and certificate file must be separate files.

1. From the SSL tab, click New.

2. Give the certificate a name by setting the Choose SSL certificate name field.

3. Select Upload a Private Key and then either:

   • Paste your key into the box and then click Upload.
   • Browse to your key file and then click Upload.

4. The Build Certificate Request dialog displays. Select Upload Certificate and then either:

   • Paste your existing certificate into the box and then click Upload.
   • Browse to your certificate file and then click Upload.

Update a certificate Jump to heading #

You can update an existing certificate, such as to replace one that has expired.

• If the former and newer certificates use the same private key:

  1. From the SSL tab, click Edit on the row you want to update.

  2. In the Certificate text area, replace the former certificate with the content of the new one. Or, upload a new certificate.

  3. From the Services tab, reload the haproxy service. If an error occurs, restart the service, which will revert to using the former certificates and configuration.

  4. To update the certificates on all cluster members, click Push service haproxy configuration on ALOHA peer.

• If the former and newer certificates use different private keys:

  1. From the SSL tab, click Edit on the row you want to update.

  2. Click Delete on the row you want to delete. This is the certificate and key that you will re-upload.

  3. Upload the updated certificate and new private key.

  4. From the Services tab, reload the haproxy service. If an error occurs, restart the service, which will revert to using the former certificates and configuration.

  5. To update the certificates on all cluster members, click Push service haproxy configuration on ALOHA peer.

List certificates Jump to heading #

You can display existing Server Certificates and their statuses by selecting the SSL tab in the Web UI.

The following information about existing certificates displays:

The Verify column can show any of the following states:

Use an SSL certificate Jump to heading #

You can refer to your certificate in the load balancer configuration by the Name shown on the SSL tab. For example, for a certificate named mycert, on the LB Layer7 tab you would use:

haproxy
frontend www
  bind :443 ssl crt mycert

haproxy
frontend www
  bind :443 ssl crt mycert

For more examples, see HAProxy configuration tutorials - SSL / TLS.