Creating a PEM (SSL Certificate) for the Balancer

One of the most widely used features of our Load Balancer is the ability to offload SSL traffic by terminating HTTPS connections on the balancer itself. This has a variety of benefits, including centralized certificate management, offloading CPU-intensive decryption/encryption tasks from your web servers, and enabling the balancer to make complex layer-7 routing decisions on encrypted workloads.

What is a PEM?

The balancer requires the certificates to be in the .pem format. A PEM is essentially just the certificate, key, as well as any intermediate certificates (if required) all combined into a single file.
You can simply combine all of these into a single file with the extension .pem.

Creating your PEM file

This article provides two methods for creating the required PEM file.
  1. Using an SSL certificate provided by a certificate authority (CA).
  2. Using your own self-signed certificate – For development purposes; not recommended for use in production.

1. Certificate Authority (CA) Certificate

See our Creating a new key and CSR for SSL document for how to create the key and CSR files to send to a CA for certificate generation.
Add the contents of your key file and the certificate file supplied by the CA to a combined PEM file. Also include any intermediate certificates.

It should look like this:

-----BEGIN RSA PRIVATE KEY-----

(REQUIRED: Your Private Key: example.key)

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

(REQUIRED: Your Primary SSL certificate: example.crt)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

(OPTIONALLY: Your intermediate certificate: NetworkSolutions_CA.crt)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

(OPTIONALLY: Your Root certificate: TrustedRoot.crt)

-----END CERTIFICATE-----

Remove Passphrase from PEM key

Remember you must remove the passphrase from your .key file before adding it to the PEM!

The following openssl command can help with this:

openssl rsa -in example.key -out example.key

2. Self-Signed Certificate – Using OpenSSL

The following command can be used to generate a key file and a self-signed certificate:

openssl req -x509 -newkey rsa:4096 -sha256 -keyout private_key.key -out server_cert.crt -days 365 -subj '/CN=linux-server' -nodes
  • -nodes – refers to no DES (Data Encryption Standard) – the key file produced will not be encrypted.
  • -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.example.com" – include this option to avoid being prompted for information during key and certificate creation. Useful for generating keys and certificates during automated processes.
  • -sha256 – signs the certificate using SHA-256, a SHA-2 hash algorithm.

For more advanced options, such as specifying subject alternative names (DNS names and IP addresses), the following command can be used:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
-keyout example.key -out example.crt -extensions san -config \
<(echo "[req]";
echo distinguished_name=req;
echo "[san]";
echo subjectAltName=DNS:sample.com,DNS:sample.net,IP:172.0.10.1) -subj /CN=example.com

An alternative way to specify advanced configuration options is by using a config file. The config included in the CLI command above is put in a file as follows:

[req]
distinguished_name=req
[san]
subjectAltName=DNS:sample.com,DNS:sample.net,IP:172.0.10.1

The filename is then included in the CLI command as shown below:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout example.key -out example.crt -extensions san -config config.test -subj /CN=example.com

The balancer requires that the pem-formatted key and certificate be combined into one pem file. Concatenate the files by running:

cat example.key example.crt > example-combined.pem

The combined file should look like this:

-----BEGIN RSA PRIVATE KEY-----

(REQUIRED: Your Private Key: example.key)

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

(REQUIRED: Your Primary SSL certificate: example.crt)

-----END CERTIFICATE-----
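
Both methods rely on two conditions holding before the files are concatenated: the key carries no passphrase, and the certificate was issued for that key. The script below is an added example, not part of the original article or the balancer's tooling; the function name build_pem and its argument order are assumptions.

```shell
#!/bin/sh
# Added example: build and sanity-check a combined PEM for the balancer.
# build_pem is an illustrative name, not a vendor tool.
# usage: build_pem OUT.pem KEY CERT [INTERMEDIATE...]
build_pem() {
    [ "$#" -ge 3 ] || { echo "usage: build_pem OUT KEY CERT [CHAIN...]" >&2; return 2; }
    out=$1 key=$2 crt=$3
    shift 3

    # The key must be stored without a passphrase. Encrypted keys are marked
    # in the PKCS#8 header or by a Proc-Type line in the legacy format.
    if grep -Eq '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' "$key"; then
        echo "error: $key is passphrase-protected" >&2
        return 1
    fi

    # The certificate must carry the public half of this private key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "error: cannot read private key $key" >&2; return 1; }
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || {
        echo "error: cannot read certificate $crt" >&2; return 1; }
    if [ "$key_pub" != "$crt_pub" ]; then
        echo "error: $crt was not issued for $key" >&2
        return 1
    fi

    # The result holds an unencrypted key, so create it owner-readable only.
    # Order follows the layout shown above: key, certificate, then chain.
    ( umask 077 && rm -f "$out" && cat "$key" "$crt" "$@" > "$out" ) || return 1
}

# Run as a script: sh build_pem.sh example-combined.pem example.key example.crt
if [ "$#" -ge 3 ]; then
    build_pem "$@"
fi
```

Any intermediate certificates are passed as extra arguments after the primary certificate and are appended in the order given.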

Testing

You can test your SSL install by using our free tool.
Updated on August 21, 2019

