How to import your own SSL cert to a Load Balancer

Overview

The managed Load Balancer service supports Let’s Encrypt SSL/TLS certificates by default.

You can import your own SSL certificate if you want to use a self-signed certificate, or a certificate issued by another certificate authority (CA) to increase the trust level.

Requirements

Creating a Self-Signed Certificate

Important: Self-signed certificates can be detected as non-trustworthy by web browsers and it is not recommended to use them in a production environment.
Scaleway does not sell SSL certificates, but you can buy one directly from a CA, for example to guarantee the identity of an online shop. Once you have ordered the certificate, it is sufficient to import the keys provided to secure the connection to your Load Balancer. If you have purchased a certificate, you can skip directly to Uploading the Certificate.

In case you want to manage the creation and administration of the certificate yourself, you can use a self-signed certificate, which can be generated from your computer. This can be useful if you want to test or develop solutions.

  1. You need to have a common name for your certificate. The common name can be either a fully qualified domain name (e.g. server.example.com) or the IP address of the load balancer (e.g. 192.168.55.86).

  2. Open a text editor and create a file named ssl.conf with the following content:

[ req ]
default_bits       = 4096
distinguished_name = req_distinguished_name
req_extensions     = req_ext

[ req_distinguished_name ]
countryName                 = Country Name (2 letter code)
countryName_default         = FR
stateOrProvinceName         = State or Province Name (full name)
stateOrProvinceName_default = Ile-de-France
localityName                = Locality Name (eg, city)
localityName_default        = Paris
organizationName            = Organization Name (eg, company)
organizationName_default    = MyCompanyName
commonName                  = server.example.com
commonName_max              = 64
commonName_default          = localhost
emailAddress                = Email Address (eg, admin@example.com)
emailAddress_max            = 64
emailAddress_default        = me@email.com

[ req_ext ]
subjectAltName = @alt_names

[alt_names]
DNS.1   = server.example.com
DNS.2   = alias.example.com

Enter your main domain name as commonName in the configuration file. The domain names listed in the [alt_names] section must also be edited so that they match the domain names for which you want to issue the certificate. If you want to add multiple domains to the certificate, add them in this section as DNS.2, DNS.3 and so on. Save the file and exit the text editor once the configuration matches your setup.

  3. Generate a 4096-bit private key using openssl:
openssl genrsa -out private.key 4096
  4. Generate a certificate signing request (CSR) using openssl:
openssl req -new -sha256 -out private.csr -key private.key -config ssl.conf
  5. Check the CSR using the following openssl command:
openssl req -text -noout -in private.csr

You should see two lines similar to these examples:

  • X509v3 Subject Alternative Name: DNS:server.example.com
  • Signature Algorithm: sha256WithRSAEncryption
  6. If everything looks fine, generate the certificate with the following command. The value -days 365 specifies the validity of the certificate and can be adjusted to your requirements:
openssl x509 -req -sha256 -days 365 -in private.csr -signkey private.key -out ssl.crt -extensions req_ext -extfile ssl.conf
  7. You will now find two files in your directory:
  • private.key contains your private key
  • ssl.crt contains your SSL certificate

Uploading the Certificate

Once the certificate is generated, you can upload it to your Load Balancer using the Scaleway console. If you have purchased a certificate from a certificate authority, you have received the private key, the certificate and optionally the certificate authority (chain) certificates from them. Make sure you have all required information available before continuing.

  1. Log in to your Scaleway console.

  2. Click on Load Balancer in the menu on the left.

  3. Click on the Load Balancer you want to edit.

  4. The Load Balancer Information page displays. Click on the SSL Certificates tab on top of the page.

  5. Click on + Create a SSL certificate to enter the SSL configuration wizard.

  6. The configuration wizard displays:

  7. By default the configuration for Let’s Encrypt displays. To upload your own certificate, click on the Select a type drop-down menu and select Import certificate.

  8. Enter a name for your certificate and copy the content of the files private.key and ssl.crt into the textbox. If you got a chain or intermediate certificate from your CA, enter the content of that file after the private key and the primary certificate:

When you have purchased a certificate from a trusted certificate authority, you will not necessarily get an already “bundled” file that you can simply copy and paste into the text box. You may have to bundle the required file by yourself.

However, many authorities do provide an already bundled file. If you got a pem file you can copy/paste all of its content. If you received a series of cert, key, chain or some similar file names you must bundle them by yourself by copy/pasting the contents of each of the files. The final result should look like this example:

-----BEGIN PRIVATE KEY-----
(Private Key: private.key contents)
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Primary SSL certificate: ssl.crt contents)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(OPTIONALLY: Intermediate certificate: chain.crt contents)
-----END CERTIFICATE-----
  9. Click on Create SSL certificate to validate the configuration and to save the certificate.

  10. The newly added SSL certificate displays in the list of your SSL certificates and is ready to be added to your frontends.
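
A command-line way to assemble the bundle described above, as an added example that is not part of the original page: it checks that the private key actually belongs to the certificate before writing the blocks in the order key, primary certificate, chain. The function name build_bundle is hypothetical, the file names follow the page, and the key is assumed to be unencrypted.

```shell
#!/usr/bin/env bash
# Added example: build the PEM bundle for the "Import certificate" text box.
# Assumptions: the openssl CLI is installed and the private key has no passphrase.

# Print the public key (SubjectPublicKeyInfo PEM) of a private key / certificate.
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Usage: build_bundle private.key ssl.crt [chain.crt] > bundle.pem
# Returns 1 if a file cannot be parsed, 2 if key and certificate do not match.
build_bundle() {
    local key=$1 cert=$2 chain=${3:-} kpub cpub

    kpub=$(pubkey_of_key "$key") \
        || { echo "cannot read private key: $key" >&2; return 1; }
    cpub=$(pubkey_of_cert "$cert") \
        || { echo "cannot read certificate: $cert" >&2; return 1; }

    # A certificate is only usable with the key whose public half it contains.
    if [ "$kpub" != "$cpub" ]; then
        echo "private key does not match certificate" >&2
        return 2
    fi

    # The optional chain file must at least start with a parsable certificate.
    if [ -n "$chain" ]; then
        openssl x509 -in "$chain" -noout 2>/dev/null \
            || { echo "cannot read chain certificate: $chain" >&2; return 1; }
    fi

    # Order expected by the import form: key, primary certificate, chain.
    # Passing key and certificate through openssl re-encodes them, so the
    # BEGIN/END marker lines are always complete.
    openssl pkey -in "$key" || return 1
    openssl x509 -in "$cert" || return 1
    if [ -n "$chain" ]; then cat "$chain"; fi
}
```

The resulting bundle.pem contains the private key, so keep it readable only by your own user and delete it once the import has succeeded.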
