3.234.254.115

Create PEM certificates

Create PEM certificates

Zen Load Balancer can manage HTTPS connections (HTTP profile), so the system administrator must create his own certificates (self-signed certificates) or purchase signed certificates by a certification authority, in both cases the certificate must be built-in PEM format. A secure certificate must be created without a password, and keys and CSR must be created on the server for security. Positive SSL protocols are ready to use in PEM format, but Rapid SSL needs to be converted, since each file contains a certificate, an intermediate CA, and a root CA separated.

REQUIREMENTS

The openssl package must be installed to generate keys on the server, in our case it will be an instance of Zen Load Balancer, which must already be installed. First generate a key without a passphrase.

openssl genrsa -out host_domain_com.key 2048

Then generate a signed certificate request (.csr) using the generated key (.key) as input.

openssl req -new -key host_domain_com.key -out host_domain_com.csr

Once the certificate and intermediate CA files are delivered, be sure to get the issuer’s root certificate. All individual files must be in PEM format: server certificate, intermediate certificate, and root certificate authority certificate. If not, convert the file using the following command:

openssl x509 -in certFileName.cer -outform PEM -out convertedCertFileName.pem

Finally, we have a private key, a certificate issued, an intermediate certificate, and a root certification authority certificate. All of this file content must be combined to create a PEM file in UNIX format.

CREATING A PEM CERTIFICATE

The PEM certificate must be built with the following structure.

-----BEGIN RSA PRIVATE KEY-----
Private Key (without passphrase)
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
Certificate (CN=www.mydomain.com)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Intermediate (Intermediate CA, if exists)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Root (ROOT CA, who signs the Certificate)
-----END CERTIFICATE-----

To create the correct PEM structure, you need to combine the different contents of the file generated in the step above with the splits:

-----BEGIN RSA PRIVATE KEY-----
uiMTxBQnK9ApC5eq1mrBooECgYB4925pDrTWTbjU8bhb/7BXsjBiesBBVO43pDYL
1AOO5EEikir239UoFm6DQkkO7z4Nd+6Ier9fncpN1p1EZtqPxT64nsUTNow/z1Pp
nUVxhqt4DT+4Vp5S7D9FQ+HagbhVInQXKXtT7FNFhpIxpRy512ElSuWvrELiZOwe
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
wYDVR0fBDwwOjA4oDagNIYyaHR0cDovL3JhcGlkc3NsLWNybC5n
ZW90cnVzdC5jb20vY3Jscy9yYXBpZHNzbC5jcmwwHQYDVR0OBBYEFA8nu+rbiNqg
DYmhNE0IgXx6XRHiMAwGA1UdEwEB/wQCMAAwSQYIKwYBBQUHAQEEPTA7MDkGCCsG
gOYD8kmKOsxLRWeZo6Tn8
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
EgYDVR0TAQH/BAgwBgEB/wIBADA6BgNVHR8EMzAxMC+gLaArhilodHRwOi8vY3Js
Lmdlb3RydXN0LmNvbS9jcmxzL2d0Z2xvYmFsLmNybDA0BggrBgEFBQcBAQQoMCYw
JAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmdlb3RydXN0LmNvbTANBgkqhkiG9w0B
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDIDCCAomgAwIBAgIENd70zzANBgkqhkiG9w0BAQUFADBOMQswCQYDVQQGEwJV
UzEQMA4GA1UEChMHRXF1aWZheDEtMCsGA1UECxMkRXF1aWZheCBTZWN1cmUgQ2Vy
dGlmaWNhdGUgQXV0aG9yaXR5MB4XDTk4MDgyMjE2NDE1MVoXDTE4MDgyMjE2NDE1
jOKer89961zgK5F7WF0bnj4JXMJTENAKaSbn+2kmOeUJXRmm/kEd5jhW6Y
7qj/WsjTVbJmcVfewCHrPSqnI0kBBIZCe/zuf6IWUrVnZ9NA2zsmWLIodz2uFHdh
1voqZiegDfqnc1zqcPGUIWVEX/r87yloqaKHee9570+sB3c4
-----END CERTIFICATE-----

Be sure to convert the entire PEM file to UNIX format. There is a zencert.pem certificate for testing that can be used with HTTPS profile farms.