Deploying a New SSL Certificate to HAProxy

When your SSL certificate expires, it's crucial to replace it promptly to ensure secure communication between clients and your HAProxy server. This guide outlines the steps to deploy a new SSL certificate on HAProxy, including extracting the private key from a certificate.pfx file and converting it to a certificate.pem file using OpenSSL. Additionally, it explains the format of PEM certificates required for HAProxy, including the certificate, intermediate certificate, private key, and root certificate.

Step 1: Extracting Private Key from certificate.pfx

  1. Install OpenSSL: Ensure OpenSSL is installed on your system. Most Linux distributions come with OpenSSL pre-installed. If not, you can install it using your package manager.

  2. Extract Private Key: Use the following OpenSSL command to extract the private key from the certificate.pfx file:

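    openssl pkcs12 -in certificate.pfx -nocerts -nodes -out private.key

    Replace certificate.pfx with the path to your certificate file. The -nodes option writes the key without a passphrase, so that HAProxy can load it without prompting; without this option OpenSSL also asks for a new PEM pass phrase and writes an encrypted key. Because the resulting file holds the key in the clear, keep it readable only by the account that needs it.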

  3. Provide Password: You will be prompted to enter the password for the .pfx file. Enter the password when prompted.

  4. Verify Private Key: After extraction, verify that the private key is correctly generated by checking the contents of the private.key file.

Step 2: Converting certificate.pfx to certificate.pem

  1. Convert to PEM Format: Use the following OpenSSL command to convert the .pfx file to a .pem file:

    openssl pkcs12 -in certificate.pfx -clcerts -nokeys -out certificate.pem

    This command extracts the certificate file without the private key.

  2. Provide Password: You will be prompted to enter the password for the .pfx file. Enter the password when prompted.

  3. Verify PEM Certificate: After conversion, verify that the certificate.pem file contains the SSL certificate.

Step 3: Format of PEM Certificate for HAProxy

For HAProxy, you need to combine the SSL certificate, intermediate certificate (if any), private key, and root certificate (optional) into a single PEM file.

  1. Concatenate Certificates: Concatenate the certificate.pem, private.key, and intermediate/root certificates (if any) into a single .pem file:

    cat certificate.pem private.key [intermediate.crt] [root.crt] > haproxy.pem

    Replace [intermediate.crt] and [root.crt] with the filenames of intermediate and root certificates if they are separate files. Otherwise, omit them.

  2. Verify PEM File: Verify the contents of the haproxy.pem file to ensure all certificates are concatenated correctly.

Step 4: Deploying New SSL Certificate to HAProxy

  1. Back Up Current Configuration: Before proceeding, back up your current HAProxy configuration file to avoid any potential issues.

  2. Replace SSL Certificate: Update your HAProxy configuration file to point to the new haproxy.pem file containing the updated SSL certificate.

  3. Reload HAProxy Configuration: Reload HAProxy to apply the changes:

    Replace haproxy with the name of your HAProxy service if different.

  4. Verify SSL Configuration: Test your HAProxy configuration to ensure that the SSL certificate is correctly applied and that there are no errors:

    Replace /etc/haproxy/haproxy.cfg with the path to your HAProxy configuration file.

  5. Monitor HAProxy Logs: Monitor HAProxy logs for any SSL-related errors or warnings to ensure smooth operation.
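
An added example (not part of the original guide) covering the "Verify PEM File" check in Step 3 and the install, check and reload sequence in Step 4: it lints the combined file for mistakes the earlier steps can produce, and reloads only after the bundle and the configuration both pass. The function names, the destination and configuration path arguments, and the systemd service name haproxy are assumptions; the sample bundle is constructed.

```sh
#!/bin/sh
# Added example, not from the original guide. Paths, the service name and the
# helper names below are assumptions; sample PEM bodies are constructed.

# count_lines PATTERN FILE: number of matching lines (prints 0 if none).
count_lines() { grep -E -c -e "$1" "$2" || true; }

# lint_pem FILE: print one finding per line; return 0 only if there are none.
lint_pem() {
    f=$1 bad=0
    [ -r "$f" ] || { echo "cannot read $f"; return 2; }
    certs=$(count_lines '^-----BEGIN CERTIFICATE-----' "$f")
    keys=$(count_lines '^-----BEGIN (RSA |EC )?PRIVATE KEY-----' "$f")
    enc=$(count_lines '^(-----BEGIN ENCRYPTED PRIVATE KEY-----|Proc-Type: 4,ENCRYPTED)' "$f")
    glued=$(count_lines '-----END [A-Z ]*----------BEGIN ' "$f")
    [ "$certs" -ge 1 ] || { echo "no certificate block"; bad=1; }
    [ "$enc" -eq 0 ] || { echo "private key is passphrase-protected"; bad=1; }
    [ "$keys" -eq 1 ] || { echo "expected 1 unencrypted key, found $keys"; bad=1; }
    [ "$glued" -eq 0 ] || { echo "END and BEGIN markers share a line"; bad=1; }
    if [ -n "$(find "$f" -prune \( -perm -040 -o -perm -004 \))" ]; then
        echo "file is readable by group or others"; bad=1
    fi
    return "$bad"
}

# deploy_pem FILE DEST CFG: install with mode 600, then reload HAProxy only if
# the bundle lints clean and the configuration check passes.
deploy_pem() {
    lint_pem "$1" || return 1
    install -m 600 "$1" "$2" || return 1
    haproxy -c -f "$3" || return 1
    systemctl reload haproxy
}

# write_sample FILE KEY_LABEL: constructed bundle with placeholder bodies.
write_sample() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
        '-----END CERTIFICATE-----' "-----BEGIN $2-----" 'Q09OU1RSVUNURUQ=' \
        "-----END $2-----" > "$1"
    chmod 600 "$1"
}

# Demo: a key exported without -nodes is rejected before anything is installed.
demo=$(mktemp) && write_sample "$demo" 'ENCRYPTED PRIVATE KEY'
lint_pem "$demo" || echo "bundle rejected, nothing deployed"
rm -f "$demo"
```

The lint is structural only: it does not prove that the key matches the certificate or that the chain is complete, which the local configuration check and the external check in Step 5 cover.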

By following these steps, you can successfully deploy a new SSL certificate to HAProxy, ensuring secure communication between clients and your server. Remember to schedule certificate renewals in advance to prevent future expiration issues.

Step 5 (Optional): Checking Certificate Using Online SSL Checker

In addition to verifying the SSL configuration locally, you can also use online SSL checker tools to ensure that your certificate is installed correctly and functioning as expected. One such tool is the SSL Checker provided by SSLShopper.

  1. Access SSL Checker: Open your web browser and navigate to SSLShopper SSL Checker.

  2. Enter Website URL: In the provided field, enter the URL of your website that is being secured by HAProxy with the new SSL certificate.

  3. Initiate Check: Click on the "Check SSL" or "Check" button to initiate the SSL check process.

  4. Review Results: Once the check is complete, SSLShopper SSL Checker will display the results, including details about your SSL certificate, its validity, supported protocols, and any potential issues or warnings.

  5. Interpret Results: Review the results carefully to ensure that your SSL certificate is installed correctly and is valid. Pay attention to any warnings or errors reported by the SSL Checker.

  6. Resolve Issues: If the SSL Checker reports any issues or warnings, take necessary actions to address them. This may involve revisiting the SSL certificate installation steps or updating your HAProxy configuration accordingly.

  7. Regular Checks: It's a good practice to perform regular SSL checks using online tools to ensure the continued security and proper functioning of your SSL certificate.

By leveraging online SSL checker tools like SSLShopper SSL Checker, you can supplement local SSL configuration verification with external validation, providing additional confidence in the integrity of your SSL certificate deployment.

© DataCore Software Corporation. · https://www.datacore.com · All rights reserved.