Create a self-signed TLS/SSL certificate


How to create a self-signed TLS Certificate

Published on 26 May 2021

If you want to set up managed TLS/SSL offloading on your Load Balancer, you can do so using either Let’s Encrypt certificates or third-party TLS/SSL certificates, generated by yourself or by any other certificate authority. This document shows you how to create your own self-signed TLS certificate to use with your Load Balancer.

Transport Layer Security, or TLS for short, is a common security protocol designed to increase privacy and data security for communications over the Internet. TLS uses a digital certificate to tie the public encryption key presented by a device on the Internet to that device's identity; the device holds the matching private key.

Identity and Access Management (IAM):

If you have activated IAM, you may need certain IAM permissions to carry out some actions described on this page. This means:

  • you are the Owner of the Scaleway Organization in which the actions will be carried out, or
  • you are an IAM user of the Organization, with a policy granting you the necessary permission sets

How to create a self-signed TLS certificate

A self-signed certificate can be issued easily on any computer using the openssl tool.

  1. Run the following command from the command line to generate a private key file and a CSR file:
    openssl req -new -newkey rsa:4096 -nodes -keyout private_key.txt -out csr.txt -subj "/C=FR/ST=Ile-de-France/L=Paris/O=MyInternetCompanyLTD/CN=www.example.com"
    The command uses the following subcommand and options:
    • req: This subcommand selects X.509 certificate signing request (CSR) management.
    • -newkey rsa:4096: This option creates a new certificate request and a new 4096-bit RSA private key at the same time.
    • -nodes: This option tells OpenSSL not to protect the private key with a passphrase. The key file is written unencrypted, so restrict access to it.
    • -keyout: This option defines the location and file name of the private key file.
    • -out: This option specifies the path and file name of the generated certificate request.
    • -subj: The subject for the certificate. Modify the values of this option to your requirements. The Common Name (CN) represents the domain name you are issuing the certificate for.
  2. Generate a file containing all Subject Alternative Names (SAN) for the certificate. SANs can include websites, IP addresses, common names, etc., all of which are protected by a single SSL certificate.
  3. Create a new file called alt_names.txt, open it in a text editor and edit the file as follows. Make sure to add all domain names and IP addresses that should be protected by the certificate.
  4. Save the file and exit the text editor.
  5. Generate the self-signed certificate using the openssl tool:
    openssl x509 -req -extfile alt_names.txt -sha256 -days 365 -in csr.txt -signkey private_key.txt -out certificate.txt
  6. Use the ls command to check that you have the following files in your folder:
    • csr.txt: The certificate request
    • private_key.txt: The private key for the certificate
    • certificate.txt: The self-signed certificate, which contains the public key
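
The steps above as one script, followed by checks worth running before uploading the files: the certificate's public key matches the private key, the expected SAN entries are present, and the certificate has not expired. This is an added example, not Scaleway's own code; the one-line alt_names.txt layout, the sample names (www.example.com, example.com, 192.0.2.10) and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): steps 1-5, then checks on the result.
set -eu

make_self_signed() {  # $1 = output dir, $2 = Common Name, $3 = subjectAltName value
    (
        cd "$1"
        umask 077  # -nodes leaves the key unencrypted: keep it owner-readable only
        openssl req -new -newkey rsa:4096 -nodes -keyout private_key.txt -out csr.txt \
            -subj "/C=FR/ST=Ile-de-France/L=Paris/O=MyInternetCompanyLTD/CN=$2"
        # Assumed alt_names.txt layout: one subjectAltName line, default section.
        printf 'subjectAltName = %s\n' "$3" > alt_names.txt
        openssl x509 -req -extfile alt_names.txt -sha256 -days 365 \
            -in csr.txt -signkey private_key.txt -out certificate.txt
    )
}

pubkey_hash_of_cert() {  # SHA-256 of the public key embedded in certificate $1
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{ print $NF }'
}

pubkey_hash_of_key() {  # SHA-256 of the public half of private key $1
    openssl pkey -in "$1" -pubout -outform DER |
        openssl dgst -sha256 | awk '{ print $NF }'
}

cert_has_san() {  # exact match of $2 (e.g. "DNS:example.com") in the SAN list of $1
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ { getline; gsub(/^ +/, ""); gsub(/, /, "\n"); print }' |
        grep -qxF -- "$2"
}

verify_bundle() {  # $1 = dir with the generated files, $2 = host name clients will use
    [ "$(pubkey_hash_of_cert "$1/certificate.txt")" = \
      "$(pubkey_hash_of_key "$1/private_key.txt")" ] ||
        { echo "private key does not match certificate" >&2; return 1; }
    cert_has_san "$1/certificate.txt" "DNS:$2" ||
        { echo "SAN list lacks DNS:$2" >&2; return 1; }
    openssl x509 -in "$1/certificate.txt" -noout -checkend 0 >/dev/null ||
        { echo "certificate has expired" >&2; return 1; }
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
# Constructed sample names; 192.0.2.10 is a documentation address.
make_self_signed "$workdir" www.example.com \
    "DNS:www.example.com,DNS:example.com,IP:192.0.2.10"
verify_bundle "$workdir" www.example.com && echo "certificate bundle OK"
```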

How to import a self-signed certificate with Scaleway Load Balancers

Follow the instructions for configuring TLS/SSL offloading using a third-party TLS/SSL certificate, pasting the full PEM-formatted certificate from step 5 into the box when prompted.

The new TLS certificate displays in the list of available certificates, and you can use it with your Load Balancer.
