How to create a self-signed TLS Certificate
If you want to set up managed TLS/SSL offloading on your Load Balancer, you can do so using either Let’s Encrypt certificates or third-party TLS/SSL certificates, generated by yourself or by any other certificate authority. This document shows you how to create your own self-signed TLS certificate to use with your Load Balancer.
Transport Layer Security, or TLS for short, is a common security protocol designed to increase privacy and data security for communications over the Internet. TLS uses a digital certificate to validate that the public key presented by a device on the Internet belongs to that device, which proves it by holding the matching private key.
A self-signed certificate can be issued easily on any computer using the
Run the following command from the command line to generate a private key file and a CSR file:
openssl req -new -newkey rsa:4096 -nodes -keyout private_key.txt -out csr.txt -subj "/C=FR/ST=Ile-de-France/L=Paris/O=MyInternetCompanyLTD/CN=www.example.com"
The following subcommands are used with the
req: This subcommand selects X.509 certificate signing request (CSR) management.
newkey rsa:4096: This option creates a new 4096-bit RSA key at the same time as the certificate request.
nodes: This option tells OpenSSL not to encrypt the private key with a passphrase. The key file is stored unencrypted, so restrict access to it.
keyout: This option defines the location and file name of the private key file.
out: This option defines the path and file name of the generated certificate request.
subj: The subject for the certificate. Modify the values of this option to your requirements. The Common Name (CN) represents the domain name you are issuing the certificate for.
Generate a file containing all Subject Alternative Names (SANs) for the certificate. SANs are the websites, IP addresses, common names, etc. that are protected by a single SSL certificate.
Create a new file called alt_names.txt, open it in a text editor and edit the file as follows. Make sure to add all domain names and IP addresses that should be protected by the certificate.
Save the file and exit the text editor.
Generate the self-signed certificate using the
openssl x509 -req -extfile alt_names.txt -sha256 -days 365 -in csr.txt -signkey private_key.txt -out certificate.txt
Check that you have the following files in your folder with the
csr.txt: The certificate request
private_key.txt: The private key for the certificate
certificate.txt: The self-signed certificate, which contains the public key
Follow the instructions for configuring TLS/SSL offloading using a third-party TLS/SSL certificate, pasting the full PEM-formatted certificate from step 5 into the box when prompted.
The new TLS certificate displays in the list of available certificates, and you can use it with your Load Balancer.
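The procedure above with a pre-upload check, as an added example that is not part of the original page: it writes alt_names.txt, runs the two openssl commands, then confirms that the certificate carries the expected SAN entries and matches the private key. The SAN values, the function names and the optional key-size argument are assumptions made for this example.

```sh
#!/bin/sh
# Added example (not from the original page). SAN values are constructed
# samples; 192.0.2.10 is from a documentation-only address range.

# make_cert DIR CN SAN_LIST [BITS]: run the page's two commands inside DIR.
make_cert() {
    dir=$1; cn=$2; sans=$3; bits=${4:-4096}
    mkdir -p "$dir" || return 1
    (
        cd "$dir" || exit 1
        umask 077  # -nodes leaves the key unencrypted, so keep it owner-only
        # -extfile reads extensions from the file's unnamed default section.
        printf 'subjectAltName = %s\n' "$sans" > alt_names.txt
        openssl req -new -newkey "rsa:$bits" -nodes \
            -keyout private_key.txt -out csr.txt \
            -subj "/C=FR/ST=Ile-de-France/L=Paris/O=MyInternetCompanyLTD/CN=$cn" \
            2>/dev/null || exit 1
        openssl x509 -req -extfile alt_names.txt -sha256 -days 365 \
            -in csr.txt -signkey private_key.txt -out certificate.txt \
            2>/dev/null || exit 1
    )
}

# cert_has_san DIR ENTRY: succeed only if ENTRY is an exact SAN entry,
# written as openssl prints it (DNS:name or "IP Address:addr").
cert_has_san() {
    openssl x509 -in "$1/certificate.txt" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -qxF "$2"
}

# key_matches_cert DIR: succeed if the certificate's public key is the
# public half of private_key.txt (catches mixed-up files before upload).
key_matches_cert() {
    k=$(openssl pkey -in "$1/private_key.txt" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$1/certificate.txt" -noout -pubkey) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

For example, run `make_cert ./tls www.example.com "DNS:www.example.com, DNS:example.com"` and upload certificate.txt only if `cert_has_san` and `key_matches_cert` both succeed for `./tls`.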