Scaleway DocumentationNetworkLoad BalancerHow to
Create a self-signed TLS/SSL certificate

Jump toUpdate content

How to create a self-signed TLS Certificate

Reviewed on 26 May 2021Published on 26 May 2021

Transport Layer Security, or TLS for short, is a common security protocol designed to increase privacy and data security for communications over the Internet. TLS uses a digital certificate to validate the public encryption key provided by a device on the Internet with its private counterpart.

Requirements:

How to create a self-signed TLS certificate

A self-signed certificate can be issued easily on any computer using the openssl tool.

  1. Run the following command to generate a private key file and a CSR file:

    openssl req -new -newkey rsa:4096 -nodes -keyout private_key.txt -out csr.txt -subj "/C=FR/ST=Ile-de-France/L=Paris/O=MyInternetCompanyLTD/CN=www.example.com"

    The following subcommands are used with the openssl base command:

    • req: This subcommand specifies to use the X.509 certificate signing request (CSR) management.
    • newkey rsa: 4096: This subcommand specifies to create a new key and certificate at the same time using a 4096 bit long RSA key.
    • nodes: This option tells OpenSSL to skip the securisation of the certificate using a passphrase.
    • keyout: This subcommand defines the location and file name of the private key file
    • out: This specifies the path and file name of the generated certificate request.
    • sub: The subject for the certficate. Modify the values of these subcommand to your requirements. The Common Name (CN) represents the domain name you are issuing the certificate for.
  2. Generate a file containing all Subject Alternative Names (SAN) for the certificate. They include websites, IP addresses, common names, etc. They are protected by a single SSL Certificate.

  3. Create a new file called alt_names.txt and open it in a text editor and edit the file as follows. Make sure to add all domain names and IP addresses that should be protected by the certificate.

    subjectAltName=DNS:example.com,DNS:www.example.com
  4. Save the file and exit the text editor.

  5. Generate the self-signed certficate using the openssl tool:

    openssl x509 -req -extfile alt_names.txt -sha256 -days 365 -in csr.txt -signkey private_key.txt  -out certificate.txt
  6. Check that you have the following files in your folder with the ls command.

    • csr.txt: The certficate request
    • private_key.txt: The private key for the certificate
    • certificate.txt: The public key for the certificate

How to import a self-signed certificate with Scaleway Load Balancer

Scaleway Load Balancer offers the possibility to use either an auto-generated Let’s Encrypt TLS certificate, your self-generated certificate, or a TLS certificate issued by any other certificate authority.

In this example, we use the previously generated certificate and configure the Load Balancer with it. This procedure also works if you purchased a certificate from a certificate authority and got the private and public key with it.

  1. Click Load Balancer on the side menu. The list of your Load Balancers displays.

  2. Click the Load Balancer name you want to configure. The Load Balancer information displays.

  3. Click the SSL Certificates tab.

  4. Click Create a SSL certificate.

  5. Retrieve the contents the private_key.txt and certificate.txt file and save it somewhere safe. You will need to paste this information in the Certificate text field.

  6. Enter the required details for the SSL certificate, which include:

    • SSL Certificate Name: The name of your choice to faciliate certificate management.
    • SSL Certificate Type: The type for the SSL certificate, select Import certificate from the drop-down list.
    • SSL Third Party Certificate: The full PEM-formatted certificate (from step 5).
  7. Click Create SSL certificate to check and import your third party SSL certificate.

The new TLS certificate displays in the list of available certificates, and you can use it with your Load Balancer.

See Also