
Creating a PEM (SSL Certificate) for the Balancer

What is a PEM?

One of the most widely used features of our Load Balancer is the ability to offload SSL traffic by terminating HTTPS connections on the balancer itself. This has several benefits, including centralized certificate management, offloading CPU-intensive decryption/encryption tasks from your web servers, and enabling the balancer to make complex layer-7 routing decisions on encrypted workloads.

The balancer requires certificates to be in the .pem format. A PEM is essentially just the certificate, the key, and any intermediate certificates (if required) combined into a single file.
You can simply combine all of these into a single file with the extension .pem.

Creating your PEM file

This article provides two methods for creating the required PEM file.
  1. Using an SSL certificate provided by a certificate authority (CA).
  2. Using your own self-signed certificate – For development purposes; not recommended for use in production.

1. Certificate Authority (CA) Certificate

See our Creating a new key and CSR for SSL document for how to create the key and CSR files to send to a CA for certificate generation.
Add the contents of your key file and of the certificate file supplied by the CA to a combined pem file. Also include any intermediate certificates.

It should look like this:

-----BEGIN RSA PRIVATE KEY-----

(REQUIRED: Your Private Key: example.key)

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

(REQUIRED: Your Primary SSL certificate: example.crt)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

(OPTIONALLY: Your intermediate certificate: NetworkSolutions_CA.crt)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

(OPTIONALLY: Your Root certificate: TrustedRoot.crt)

-----END CERTIFICATE-----

Remove Passphrase from PEM key

Remember you must remove the passphrase from your .key file before adding it to the PEM!

The following openssl command can help with this:

openssl rsa -in example.key -out example.key

2. Self-Signed Certificate – Using OpenSSL

The following command can be used to generate a key file and a self-signed certificate:

openssl req -x509 -newkey rsa:4096 -sha256 -keyout private_key.key -out server_cert.crt -days 365 -subj '/CN=linux-server' -nodes
  • -nodes – refers to no DES (Data Encryption Standard) – the key file produced will not be encrypted.
  • -subj "/C=US/ST=Oregon/L=Portland/O=Company Name/OU=Org/CN=www.example.com" – include this option to avoid being prompted for information during key and certificate creation. Useful for generating keys and certificates during automated processes.
  • -sha256 – signs the certificate using the SHA-256 (SHA-2) hash algorithm.

For more advanced options, like specifying subject alternative DNS names and IP, the following command can be used:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
-keyout example.key -out example.crt -extensions san -config \
<(echo "[req]";
echo distinguished_name=req;
echo "[san]";
echo subjectAltName=DNS:sample.com,DNS:sample.net,IP:172.0.10.1) -subj /CN=example.com

An alternative way to specify advanced configuration options is by using a config file. The config included in the CLI command above is put in a file as follows:

[req]
distinguished_name=req
[san]
subjectAltName=DNS:sample.com,DNS:sample.net,IP:172.0.10.1

The filename is then included in the CLI command as shown below:

openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout example.key -out example.crt -extensions san -config config.test -subj /CN=example.com

The balancer requires that the pem-formatted key and certificate be combined into one pem file. Concatenate the files by running:

cat example.key example.crt > example-combined.pem

The combined file should look like this:

-----BEGIN RSA PRIVATE KEY-----

(REQUIRED: Your Private Key: example.key)

-----END RSA PRIVATE KEY-----

-----BEGIN CERTIFICATE-----

(REQUIRED: Your Primary SSL certificate: example.crt)

-----END CERTIFICATE-----
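
A pre-upload structural check for the combined file described above, covering both the CA and self-signed layouts: exactly one private key block, no remaining passphrase, at least one certificate, and valid base64 in every block. This is an added example, not the balancer's own tooling; the function name and the sample inputs are assumptions, and the samples are constructed placeholders rather than real key material.

```python
import base64
import re

# One PEM block: BEGIN line, optional RFC 1421 headers plus base64 body, END line.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
HEADER = re.compile(r"[A-Za-z-]+: ")  # e.g. "Proc-Type: 4,ENCRYPTED"


def lint_bundle(text):
    """Return a list of problems in a combined key + certificate PEM (empty list = OK)."""
    problems = []
    blocks = PEM_BLOCK.findall(text)
    keys = [(label, body) for label, body in blocks if label.endswith("PRIVATE KEY")]
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    if len(keys) != 1:
        problems.append(f"expected exactly 1 private key block, found {len(keys)}")
    if not certs:
        problems.append("no CERTIFICATE block found")
    for label, body in keys:
        # PKCS#8 encrypted keys have their own label; legacy keys carry a Proc-Type header.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is still passphrase-protected")
    for label, body in blocks:
        lines = [ln.strip() for ln in body.splitlines()]
        payload = "".join(ln for ln in lines if not HEADER.match(ln))
        try:
            if not base64.b64decode(payload, validate=True):
                raise ValueError("empty block")
        except ValueError:
            problems.append(f"{label} block is not valid base64")
    return problems


def _block(label, payload, headers=""):
    """Build a PEM block around constructed placeholder bytes (not real key material)."""
    body = base64.b64encode(payload).decode()
    return f"-----BEGIN {label}-----\n{headers}{body}\n-----END {label}-----\n"


# Constructed samples for the demo.
CERT = _block("CERTIFICATE", b"demo-cert")
GOOD = _block("RSA PRIVATE KEY", b"demo-key") + CERT
ENCRYPTED = _block("RSA PRIVATE KEY", b"demo-key",
                   "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00FF\n\n") + CERT
TEMPLATE = ("-----BEGIN RSA PRIVATE KEY-----\n\n(REQUIRED: Your Private Key: example.key)\n\n"
            "-----END RSA PRIVATE KEY-----\n") + CERT

if __name__ == "__main__":
    for name, sample in [("good", GOOD), ("encrypted", ENCRYPTED), ("template", TEMPLATE)]:
        print(name, lint_bundle(sample) or "OK")
```

The check is structural only: it does not confirm that the certificate was issued for the key in the same file.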

Testing

You can test your SSL install by using our free tool.
Updated on October 16, 2019

