OVERVIEW
Zen Load Balancer is able to manage HTTPS connections (HTTP Profile), so the system administrator must to create their own certificates (self-signed certificates) or to acquire Signed Certificates by a Certificate Authority, in both cases the certificate must to be built in PEM format.
The Secure Certificate must be created without password and the keys and CSR must be generated in the server to be secured.
Positives SSL are ready to go in PEM format but Rapid SSL needs to be converted as each file contains the cert, the intermediate CA and the root CA separated.
REQUIREMENTS
The package openssl should be installed in order to generate the keys in the server, in our case will be the Zen Load Balancer instance which should be already installed.
First, generate the key without passphrase.
openssl genrsa -out host_domain_com.key 2048
Then, generate the Certificate Signed Request (.csr) using the generated key (.key) as input.
openssl req -new -key host_domain_com.key -out host_domain_com.csr
Once the certificate and intermediate CA files are delivered, ensure to get the issuer root certificate.
All separated files need to be in PEM format: Server Certificate, Intermediate Certificate and Root CA Certificate. If it isn’t, convert the file with the following command:
openssl x509 -in certFileName.cer -outform PEM -out convertedCertFileName.pem
Finally, we’ve the Private Key, the Certificate issued, the Intermediate Certificate and the Root CA Certificate. All these file contents should be combined to create the PEM file in UNIX format.
GENERATE CERTIFICATE IN PEM FORMAT
The PEM certificate must to be built with the following structure.
-----BEGIN RSA PRIVATE KEY----- Private Key (without passphrase) -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- Certificate (CN=www.mydomain.com) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Intermediate (Intermediate CA, if exists) -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- Root (ROOT CA, who signs the Certificate) -----END CERTIFICATE-----
To create a correct PEM structure, it’s needed to concatenate the different file contents generated in the step above with the separations:
-----BEGIN RSA PRIVATE KEY----- uiMTxBQnK9ApC5eq1mrBooECgYB4925pDrTWTbjU8bhb/7BXsjBiesBBVO43pDYL 1AOO5EEikir239UoFm6DQkkO7z4Nd+6Ier9fncpN1p1EZtqPxT64nsUTNow/z1Pp nUVxhqt4DT+4Vp5S7D9FQ+HagbhVInQXKXtT7FNFhpIxpRy512ElSuWvrELiZOwe -----END RSA PRIVATE KEY----- -----BEGIN CERTIFICATE----- wYDVR0fBDwwOjA4oDagNIYyaHR0cDovL3JhcGlkc3NsLWNybC5n ZW90cnVzdC5jb20vY3Jscy9yYXBpZHNzbC5jcmwwHQYDVR0OBBYEFA8nu+rbiNqg DYmhNE0IgXx6XRHiMAwGA1UdEwEB/wQCMAAwSQYIKwYBBQUHAQEEPTA7MDkGCCsG gOYD8kmKOsxLRWeZo6Tn8 -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- EgYDVR0TAQH/BAgwBgEB/wIBADA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3Js Lmdlb3RydXN0LmNvbS9jcmxzL2d0Z2xvYmFsLmNybDA0BggrBgEFBQcBAQQoMCYw JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdlb3RydXN0LmNvbTANBgkqhkiG9w0B -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1 jOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y 7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh 1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4 -----END CERTIFICATE-----
It’s mandatory to convert the PEM entire file in UNIX format.
It’s available the certificate named zencert.pem for testing purposes in order to be used with HTTPS profile farms.