Add an SSL/TLS certificate

How to add a certificate to your Load Balancer

Published on 20 October 2022

You can add a certificate to your Load Balancer’s frontend to enable the Load Balancer to encrypt/decrypt incoming traffic, necessary for SSL bridging and SSL offloading configurations.

Tip:

Originally, the initial encryption protocol used with HTTPS was the Secure Sockets Layer (SSL). However, it is now standard for its successor: Transport Layer Security (TLS) to be used. Transport Layer Security is a more up to date security protocol designed to increase privacy and data security for communications over the Internet.

You may therefore hear certificates referred to as “SSL certificates”, “TLS certificates” or “SSL/TLS certificates”. These are essentially all the same thing.

When your Load Balancer’s frontend has a certificate, clients can securely connect to it via an encrypted connection. The underlying process is as follows:

The client attempts to securely connect to the Load Balancer and asks it to identify itself.
The Load Balancer sends the client a copy of its certificate in response.
The client attempts to verify the certificate, and signals to the Load Balancer if it is satisfied it is trustworthy
The Load Balancer returns an acknowledgment to start an encrypted session.
Encrypted data is sent to the Load Balancer

Scaleway Load Balancer allows you to add certificates in two different ways:

Generate a Let’s Encrypt certificate directly from the console.
Import an existing certificate, which can be from a Certificate Authority (CA) other than Let’s Encrypt, or be a self-signed certificate.

How to generate and add a Let’s Encrypt certificate

Requirements:

You have an account and are logged into the Scaleway console
You have created a Load Balancer
You have a domain name, which points to your Load Balancer’s IP address

Click Load Balancers in the Network section of the Scaleway Console side menu. Click the Load Balancer you want to configure. The Load Balancer information page displays.
Click the Load Balancer you want to add a certificate to.
Click the SSL Certificates tab.
Click Create a SSL certificate. A pop-up displays:
Enter the required information:
- Give a name for your certificate, or use the auto-generated name suggested for you.
- Select the Let’s Encrypt certificate type.
- Enter the main domain name associated with your Load Balancer eg my-website.com
- Enter additional domain names for the certificate using the Subject Alternative Name box if necessary.
Click Create SSL certificate.

You are returned to the SSL certificates tab where your newly-created certificate now appears. You must now attach the certificate to your frontend:
Click the Frontends tab.
Click the three dot menu next to the frontend you want to add the certificate to, then click Edit.
Select the certificate you just created from the SSL Certificate(s) dropdown, then click Edit Frontend.

Your certificate is added to your Load Balancer’s frontend.

How to import a certificate

Requirements:

You have an account and are logged into the Scaleway console
You have created a Load Balancer Either:
- You have an existing certificate issued by a Certificate Authority, or
- You have generated a self-signed certificate

Scaleway Load Balancers allow you to import third party SSL certificates. These are certificates issued by a Certificate Authoriy (CA) other than Let’s Encrypt. Depending on the CA, they may offer extended validation certificates which require full verification of the requesting entity’s legal identity before issuing the certificate. These certificates can be useful for websites that require a high trust level, like e-commerce or government websites, and can be easily imported into the Load Balancer configuration from the management console.

Alternatively you can also choose to import a self-signed certificate, not signed by any publically-trusted Certificate Authority, but perhaps suitable for development and testing purposes, or internal use.

Click Load Balancers in the Network section of the Scaleway Console side menu. Click the Load Balancer you want to configure. The Load Balancer information page displays.
Click the Load Balancer you want to add a certificate to.
Click the SSL Certificates tab.
Click Create a SSL certificate. A pop-up displays:
Enter the required information:
- Give a name for your certificate, or use the auto-generated name suggested for you.
- Select Import Certificate under type.
- Paste the full PEM-formatted certificate into the box provided. Include the entire certificate chain with public key, private key, and (optionally) Certificate Authorities. You may have received this information either in a combined file or in several separate files from your CA. Contact them for more details on how to combine the information if you received the chain divided into multiple files.
Click Create SSL certificate.

You are returned to the SSL certificates tab where your newly-created certificate now appears. You must now attach the certificate to your frontend:
Click the Frontends tab.
Click the three dot menu next to the frontend you want to add the certificate to, then click Edit
Select the certificate you just created from the SSL Certificate(s) dropdown, then click Edit Frontend.

Your certificate is added to your Load Balancer’s frontend.

How to create a self-signed certificate

If you are using the import certificate option, you may wish to generate your own self-signed certificate to import to your Load Balancer. These certificates are not signed by any publically-trusted Certificate Authority, but may be suitable for development and testing purposes, or internal use. A self-signed certificate can be issued easily on any computer using the openssl tool. Follow these steps to generate a self-signed certificate:

From your computer, open up a command line terminal and run the following command to generate a private key file and a CSR file:
```
openssl req -new -newkey rsa:4096 -nodes -keyout private_key.txt -out csr.txt -subj "/C=FR/ST=Ile-de-France/L=Paris/O=MyInternetCompanyLTD/CN=www.example.com"
```
The following subcommands are used with the openssl base command:
- req: This subcommand specifies the use of the X.509 certificate signing request (CSR) management.
- newkey rsa: 4096: This subcommand specifies the creation of a new key and certificate at the same time using a 4096 bit long RSA key.
- nodes: This option tells OpenSSL to skip the securisation of the certificate using a passphrase.
- keyout: This subcommand defines the location and file name of the private key file
- out: This specifies the path and file name of the generated certificate request.
- sub: The subject for the certficate. Modify the values of these subcommand to your requirements. The Common Name (CN) represents the domain name you are issuing the certificate for.
Generate a file containing all Subject Alternative Names (SAN) for the certificate. These include websites, IP addresses, common names, etc. They are protected by a single SSL Certificate. To do this, create a new file called alt_names.txt, open it in a text editor and edit the file as follows. Make sure to add all domain names and IP addresses that should be protected by the certificate.
```
subjectAltName=IP:10.100.0.1,IP:192.168.0.1,DNS:myserver.mydomain.com,DNS:otherserver.otherdomain.com,EMAIL:name@mydomain.com,EMAIL:othename@otherdomain.com
```
Save the file and exit the text editor.

Generate the self-signed certficate using the openssl tool:

openssl x509 -req -extfile alt_names.txt -sha256 -days 365 -in csr.txt -signkey private_key.txt  -out certificate.txt

Check that you have the following files in your folder with the ls command.
- csr.txt: The certficate request
- private_key.txt: The private key for the certificate
- certificate.txt: The public key for the certificate
Combine the private key and certificate into a .pem file, which is the format required in the Scaleway console when adding the certificate to the Load Balancer:
```
cat private_key.txt csr.txt > cert.pem
```
The cert.pem file is created.