HAProxy ALOHA Documentation 15.5

Certificate Management

HAProxy ALOHA can store SSL certificates that you can then use in your load balancer configuration to secure the traffic between clients and your services.

Create a public-facing certificate

To get a public-facing certificate, you must first create a certificate signing request, which you will send to a Certificate Authority. The Certificate Authority will then return to you a signed certificate.

  1. From the SSL tab, click New.

  2. Give the certificate a name by setting the Choose SSL certificate name field. Only letters, numbers and underscores are allowed.

  3. Set a private key for your certificate by either:

    • Generating a new key by setting the Generate a Private Key bits field and then clicking Generate.

    • Selecting Upload a Private Key and then either pasting your key into the box or uploading it, then clicking Upload.

  4. The Build Certificate Request dialog displays. Set each of the properties under Build Certificate Request, then click Request.

  5. Copy and send the certificate signing request to your Certificate Authority.

  6. When you receive the signed server certificate from the Certificate Authority, click Edit on the row of the incomplete certificate signing request.

  7. Paste your certificate and then click Upload.

    You can also paste any intermediate certificates below the server certificate.

Create a self-signed certificate

A self-signed certificate is not signed by a trusted Certificate Authority, which means that client browsers will not trust it by default. However, a self-signed certificate is convenient for internal or test environments, or when internal users are fine with clicking past the browser's warnings.

  1. From the SSL tab, click New.

  2. Give the certificate a name by setting the Choose SSL certificate name field.

  3. Set the size of the certificate's private key by setting the Generate a Private Key bits field, then click Generate.

  4. The Build Certificate Request dialog displays. Set each of the properties under Build Certificate Request, then click Request.

  5. The certificate signing request information displays. Click Sign to self-sign the certificate.

Upload an existing certificate

You can upload a certificate that you already have.

  1. From the SSL tab, click New.

  2. Give the certificate a name by setting the Choose SSL certificate name field.

  3. Select Upload a Private Key and then either:

    • Paste your key into the box and then click Upload.

    • Browse to your key file and then click Upload.

  4. The Build Certificate Request dialog displays. Select Upload Certificate and then either:

    • Paste your existing certificate into the box and then click Upload.

    • Browse to your certificate file and then click Upload.

Note that your key file and certificate file must be separate files.
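
Added example, not part of the HAProxy ALOHA documentation: if your existing certificate and key sit in one combined PEM file, this shell function splits it into the two separate files the upload dialog expects, keeping the certificates in their original order. The function name split_pem and all file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the ALOHA documentation). split_pem and all paths
# are hypothetical names chosen for this illustration.
# Usage: split_pem BUNDLE KEY_OUT CERT_OUT
split_pem() {
    bundle=$1; key_out=$2; cert_out=$3
    # Create the key file with owner-only permissions before writing to it.
    ( umask 077 && : > "$key_out" ) || return 1
    : > "$cert_out" || return 1
    awk -v key="$key_out" -v cert="$cert_out" '
        # Matches PRIVATE KEY, RSA PRIVATE KEY, EC PRIVATE KEY, ENCRYPTED PRIVATE KEY.
        /^-----BEGIN [A-Z ]*PRIVATE KEY-----/ { out = key;  nkeys++ }
        /^-----BEGIN CERTIFICATE-----/        { out = cert; ncerts++ }
        # Copy only lines inside a PEM block; text between blocks is dropped.
        out != ""                             { print > out }
        /^-----END /                          { out = "" }
        # Fail unless the bundle held exactly one key and at least one certificate.
        END { if (nkeys != 1 || ncerts < 1) exit 1 }
    ' "$bundle"
}
```

A non-zero return means the bundle did not contain exactly one private key and at least one certificate, so the output files should not be uploaded.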

Update a certificate

You can update an existing certificate, such as to replace one that has expired.

  1. From the SSL tab, click Edit on the row you want to update.

    • If the former and newer certificates use the same private key, then in the Certificate text area, replace the former certificate with the content of the new one. Or, upload a new certificate.

    • If the former and newer certificates use different private keys, you must:

      1. Click Delete on the row you want to delete. This is the certificate and key that you will re-upload.

      2. Upload the updated certificate and new private key.

  2. From the Services tab, reload the haproxy service.

    If an error occurs, restart the service, which will revert to using the former certificates and configuration.

  3. To update the certificates on all cluster members, click Push service haproxy configuration on ALOHA peer.
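
Added example, not part of the HAProxy ALOHA documentation: a shell check using the openssl command-line tool that tells you which of the two bullets in step 1 applies, by comparing the public keys in the former and new certificates. The function names are assumptions, and the key file is assumed to be an unencrypted PEM file.

```shell
#!/bin/sh
# Added example (not from the ALOHA documentation). Function names are
# hypothetical; keys are assumed to be unencrypted PEM files.

# Print the public key (SubjectPublicKeyInfo, PEM) held in a certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Print the public key derived from a private key file.
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Usage: update_path OLD_CERT NEW_CERT [NEW_KEY]
# Prints same-key, different-key or key-mismatch; returns 2 on unreadable input.
update_path() {
    old=$(cert_pubkey "$1") && [ -n "$old" ] || return 2
    new=$(cert_pubkey "$2") && [ -n "$new" ] || return 2
    if [ "$old" = "$new" ]; then
        # First bullet: keep the stored key, replace only the certificate text.
        echo same-key
        return 0
    fi
    # Second bullet: delete the row, then upload the new certificate and key.
    # Confirm first that the key to be uploaded belongs to the new certificate.
    key=$(key_pubkey "$3") && [ -n "$key" ] || return 2
    if [ "$key" = "$new" ]; then
        echo different-key
        return 0
    fi
    echo key-mismatch
    return 1
}
```

Run it before touching the SSL tab; a key-mismatch result means the key file on hand is not the one the new certificate was issued for.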

List certificates

You can display existing Server Certificates and their statuses.

  1. Select the SSL tab in the Web UI.

    The following information about existing certificates displays.

    • Name: Label used to reference this certificate in HAProxy ALOHA's configuration.

    • Domain: Common Name (or CN) of the certificate.

    • Not Before: Date from when the certificate is valid.

    • Not After: Date until when the certificate is valid. When a certificate expires, this date appears in bold red.

    • Verify: State of the validation of the certificate. The following states are available:

      • Broken chain: When a certificate chain is incomplete or the full chain cannot be validated (outdated intermediary, etc.).

      • CA only (no key): When a certificate can be used to validate client certificates only.

      • Incomplete: When either both the private key and the certificate are missing, or the certificate alone is missing.

      • Valid: When everything is fine and safe.

      • Self-Signed: When the certificate was generated and signed by HAProxy ALOHA itself.

