How to create a self-signed TLS Certificate
If you want to set up managed TLS/SSL offloading on your Load Balancer, you can do so using either Let’s Encrypt Certificates or third party TLS/SSL Certificates, generated by yourself or any other certificate authority. This document shows you how to create your own self-signed TLS certificate to use with your Load Balancer.
Transport Layer Security, or TLS for short, is a common security protocol designed to increase privacy and data security for communications over the Internet. TLS uses a digital certificate to validate the public encryption key provided by a device on the Internet with its private counterpart.
A self-signed certificate can be issued easily on any computer using the
- Run the following command from the command line to generate a private key file and a CSR file:
openssl req -new -newkey rsa:4096 -nodes -keyout private_key.txt -out csr.txt -subj "/C=FR/ST=Ile-de-France/L=Paris/O=MyInternetCompanyLTD/CN=www.example.com"
The following subcommands are used with the
req: This subcommand specifies the use of X.509 certificate signing request (CSR) management.
newkey rsa:4096: This option creates a new key and certificate request at the same time, using a 4096-bit RSA key.
nodes: This option tells OpenSSL not to protect the private key with a passphrase, so the key file is written unencrypted.
keyout: This option defines the location and file name of the private key file.
out: This option specifies the path and file name of the generated certificate request.
subj: The subject for the certificate. Modify the values of this option to your requirements. The Common Name (CN) represents the domain name you are issuing the certificate for.
- Generate a file containing all Subject Alternative Names (SAN) for the certificate. They include websites, IP addresses, common names, etc. They are protected by a single SSL Certificate.
- Create a new file called alt_names.txt, open it in a text editor and edit the file as follows. Make sure to add all domain names and IP addresses that should be protected by the certificate.
- Save the file and exit the text editor.
- Generate the self-signed certificate using the
openssl x509 -req -extfile alt_names.txt -sha256 -days 365 -in csr.txt -signkey private_key.txt -out certificate.txt
- Check that you have the following files in your folder with the
csr.txt: The certificate request
private_key.txt: The private key for the certificate
certificate.txt: The certificate, which contains the public key
Follow the instructions for configuring TLS/SSL offloading using a third party TLS/SSL certificate, pasting the full PEM-formatted certificate from step 5 into the box when prompted.
The new TLS certificate displays in the list of available certificates, and you can use it with your Load Balancer.
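Added example, not part of the original page: the two openssl commands above run as one script, followed by the checks worth making before pasting the certificate into the Load Balancer form (the SAN entries are really in the certificate, the certificate matches the private key, and it is self-signed). The alt_names.txt content, the SAN values and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original page). SAN values are constructed
# samples; 192.0.2.10 is a documentation-range address.

# make_cert <dir> [rsa-bits]: the page's two commands, run inside <dir>.
make_cert() (
    mkdir -p "$1" && cd "$1" || exit 1
    umask 077   # -nodes writes private_key.txt unencrypted: keep it owner-only
    openssl req -new -newkey "rsa:${2:-4096}" -nodes \
        -keyout private_key.txt -out csr.txt \
        -subj "/C=FR/ST=Ile-de-France/L=Paris/O=MyInternetCompanyLTD/CN=www.example.com" || exit 1
    # With no -extensions option, x509 reads the unnamed section of -extfile.
    echo 'subjectAltName = DNS:www.example.com, DNS:example.com, IP:192.0.2.10' \
        > alt_names.txt
    openssl x509 -req -extfile alt_names.txt -sha256 -days 365 \
        -in csr.txt -signkey private_key.txt -out certificate.txt
)

# cert_has_san <cert> <entry>: succeeds only on an exact entry, written the
# way openssl prints it ("DNS:name" or "IP Address:addr").
cert_has_san() {
    openssl x509 -in "$1" -noout -text | tr ',' '\n' |
        sed 's/^ *//; s/ *$//' | grep -Fxq "$2"
}

# key_matches_cert <key> <cert>: succeeds if both hold the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# is_self_signed <cert>: succeeds if subject and issuer are identical.
is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject) || return 1
    i=$(openssl x509 -in "$1" -noout -issuer) || return 1
    [ "${s#subject=}" = "${i#issuer=}" ]
}

# Demo run in a scratch directory.
d=$(mktemp -d) && make_cert "$d" &&
    cert_has_san "$d/certificate.txt" "DNS:example.com" &&
    cert_has_san "$d/certificate.txt" "IP Address:192.0.2.10" &&
    key_matches_cert "$d/private_key.txt" "$d/certificate.txt" &&
    is_self_signed "$d/certificate.txt" &&
    echo "all checks passed for $d/certificate.txt"
```

If `cert_has_san` fails for a name you expect, the entry is missing from alt_names.txt or the `-extfile` option was left off the signing command.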