How to create a self-signed TLS Certificate

Published on 26 May 2021

If you want to set up managed TLS/SSL offloading on your Load Balancer, you can do so using either Let’s Encrypt Certificates or third party TLS/SSL Certificates, generated by yourself or any other certificate authority. This document shows you how to create your own self-signed TLS certificate to use with your Load Balancer.

Transport Layer Security, or TLS for short, is a common security protocol designed to increase privacy and data security for communications over the Internet. TLS uses a digital certificate to validate that the public encryption key presented by a device on the Internet matches its private counterpart.

Identity and Access Management (IAM):

If you have activated IAM, you may need certain IAM permissions to carry out some actions described on this page. This means:

  • you are the Owner of the Scaleway Organization in which the actions will be carried out, or
  • you are an IAM user of the Organization, with a policy granting you the necessary permission sets
Requirements:

How to create a self-signed TLS certificate

A self-signed certificate can be issued easily on any computer using the openssl tool.

  1. Run the following command from the command line to generate a private key file and a CSR file:
    openssl req -new -newkey rsa:4096 -nodes -keyout private_key.txt -out csr.txt -subj "/C=FR/ST=Ile-de-France/L=Paris/O=MyInternetCompanyLTD/CN=www.example.com"
    The following subcommand and options are used with the openssl base command:
    • req: This subcommand selects X.509 certificate signing request (CSR) management.
    • -newkey rsa:4096: This option creates a new 4096-bit RSA private key together with the certificate request.
    • -nodes: This option tells OpenSSL not to encrypt the private key with a passphrase.
    • -keyout: This option defines the location and file name of the private key file.
    • -out: This option specifies the path and file name of the generated certificate request.
    • -subj: The subject for the certificate. Modify the values of this option to your requirements. The Common Name (CN) represents the domain name you are issuing the certificate for.
  2. Generate a file containing all Subject Alternative Names (SAN) for the certificate. SANs can include websites, IP addresses, common names, etc., all of which are protected by a single SSL certificate.
  3. Create a new file called alt_names.txt, open it in a text editor and edit the file as follows. Make sure to add all domain names and IP addresses that should be protected by the certificate.
    subjectAltName=DNS:example.com,DNS:www.example.com
  4. Save the file and exit the text editor.
  5. Generate the self-signed certificate using the openssl tool:
    openssl x509 -req -extfile alt_names.txt -sha256 -days 365 -in csr.txt -signkey private_key.txt -out certificate.txt
  6. Use the ls command to check that you have the following files in your folder:
    • csr.txt: The certificate request
    • private_key.txt: The private key for the certificate
    • certificate.txt: The self-signed certificate, which contains the public key
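
The steps above as one script, followed by the checks worth running before the certificate is uploaded: the certificate's public key matches private_key.txt, the names from alt_names.txt are present in the certificate, and the unencrypted key is readable only by its owner. This is an added example, not Scaleway's own script; the function names and the scratch directory are assumptions.

```shell
#!/bin/sh
# Added example, not Scaleway's script. File names and subject fields follow
# the page; the scratch directory and function names are assumptions.
set -eu

# Steps 1-5 of the page, written into directory $1.
make_cert() {   # $1 = output dir, $2 = CN, $3 = SAN list
    ( umask 077 &&   # -nodes leaves the key unencrypted: keep it owner-only
      cd "$1" &&
      printf 'subjectAltName=%s\n' "$3" > alt_names.txt &&
      openssl req -new -newkey rsa:4096 -nodes -keyout private_key.txt \
          -out csr.txt -subj "/C=FR/ST=Ile-de-France/L=Paris/O=MyInternetCompanyLTD/CN=$2" \
          2>>openssl.log &&
      openssl x509 -req -extfile alt_names.txt -sha256 -days 365 \
          -in csr.txt -signkey private_key.txt -out certificate.txt 2>>openssl.log )
}

# True only if the certificate carries the public key of private_key.txt.
key_matches_cert() {
    from_key=$(openssl pkey -in "$1/private_key.txt" -pubout) || return 1
    from_cert=$(openssl x509 -in "$1/certificate.txt" -noout -pubkey) || return 1
    [ "$from_key" = "$from_cert" ]
}

# True only if DNS name $2 is listed in the certificate's SAN extension.
cert_has_san() {
    openssl x509 -in "$1/certificate.txt" -noout -text |
        tr ',' '\n' | sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        grep -Fxq "DNS:$2"
}

# Permission string of the private key, e.g. -rw-------
key_mode() { ls -l "$1/private_key.txt" | cut -c1-10; }

# Constructed demo run in a throwaway directory.
dir=$(mktemp -d)
make_cert "$dir" www.example.com 'DNS:example.com,DNS:www.example.com'
key_matches_cert "$dir" && echo "key matches certificate"
cert_has_san "$dir" www.example.com && echo "SAN present"
echo "private key mode: $(key_mode "$dir")"
```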

How to import a self-signed certificate with Scaleway Load Balancers

Follow the instructions for configuring TLS/SSL offloading using a third party TLS/SSL certificate, pasting the full PEM-formatted certificate from step 5 into the box when prompted.

The new TLS certificate displays in the list of available certificates, and you can use it with your Load Balancer.
