Self Signed certificate and Use them in Haproxy and Allow certificate in MacOS

nand
2 min read · May 22, 2019


HTTPS must be enabled on your site, and if it is not, go enable it. It helps prevent man-in-the-middle attacks.

But for local development or an internal domain, it is not practical to get a valid certificate from a trusted certificate authority. Here are the steps to generate your own certificate, enable it in HAProxy, and trust it in macOS so that you get a secure connection.

Go to the local server machine; for local development this is localhost.

Run the following command to generate the root CA private key that will sign the server certificate:

openssl genrsa -des3 -out rootCA.key 2048

Run the command below to generate the root CA's public certificate; change the number of days to suit your preference:

openssl req -x509 -new -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem

Remember the common name you set above; it must match the common name used in the configuration file below.

Now two files have been generated: `rootCA.key` and `rootCA.pem`.

Create a file `server.csr.cnf`:

[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn

[dn]
C=IN
ST=Random
L=Random
O=Random
OU=Random
emailAddress=<email_address>
CN=<make_sure_this_name_is_same_as_set_in_above_command>

Create a `v3.ext` file:

authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1=<make_sure_this_name_is_same_as_set_in_above_common_name>

Now run the following command to generate the server private key and a certificate signing request (CSR):

openssl req -new -sha256 -nodes -out server.csr -newkey rsa:2048 -keyout server.key -config server.csr.cnf

Sign the CSR with the root CA to generate the server certificate:

openssl x509 -req -in server.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out server.crt -days 500 -sha256 -extfile v3.ext

Now we have two more files, `server.key` and `server.crt`.

Use these two files in your web server to assign the certificate to your server.

In the case of HAProxy, run the following commands to combine both files into a single PEM bundle (HAProxy expects the key and certificate in one file; `>` rather than `>>` avoids duplicating the contents if you rerun it):

cat server.key server.crt > server.pem
chmod 600 server.pem

Edit `/etc/haproxy/haproxy.cfg` (for example with `vim /etc/haproxy/haproxy.cfg`) and add:

listen haproxy
bind 0.0.0.0:443 ssl crt server.pem

Save the file and restart HAProxy.
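Before restarting HAProxy it is worth checking that the bundle is actually what the steps above should have produced. The script below is an added example, not part of the original post: it rebuilds a throwaway root CA and server certificate in a temporary directory with constructed names (`dev.local`, an unencrypted CA key) and then checks the combined PEM for what HAProxy and a browser trusting `rootCA.pem` need: the certificate chains to the CA, the key matches the certificate, the hostname is in the SAN, and the certificate is a leaf rather than another CA.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: rebuild a throwaway root CA and
# server certificate the way the post does (in a temp dir, with constructed
# names), then check the combined PEM before handing it to HAProxy.
set -eu
WORK="$(mktemp -d)"; trap 'rm -rf "$WORK"' EXIT
CN="dev.local"   # constructed hostname; the SAN below must carry the same name

# Root CA. The post encrypts the key with -des3; it is left unencrypted here
# only so the script runs unattended.
openssl genrsa -out "$WORK/rootCA.key" 2048 2>/dev/null
openssl req -x509 -new -nodes -key "$WORK/rootCA.key" -sha256 -days 1024 \
  -subj "/C=IN/O=Random/CN=Local Dev Root CA" -out "$WORK/rootCA.pem"

# Server key + CSR, then sign it with the CA using the post's v3.ext extensions
cat > "$WORK/v3.ext" <<EOF
authorityKeyIdentifier=keyid,issuer
basicConstraints=CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
subjectAltName = @alt_names
[alt_names]
DNS.1=$CN
EOF
openssl req -new -sha256 -nodes -newkey rsa:2048 -keyout "$WORK/server.key" \
  -subj "/C=IN/O=Random/CN=$CN" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/rootCA.pem" \
  -CAkey "$WORK/rootCA.key" -CAcreateserial -days 500 -sha256 \
  -extfile "$WORK/v3.ext" -out "$WORK/server.crt" 2>/dev/null
cat "$WORK/server.key" "$WORK/server.crt" > "$WORK/server.pem"
chmod 600 "$WORK/server.pem"

# check_bundle CA BUNDLE HOST: succeeds only if the bundle is usable, i.e. the
# cert chains to CA, the key in the bundle matches the cert, the cert is valid
# for HOST via subjectAltName, and it is a leaf rather than another CA.
check_bundle() {
  ca="$1"; bundle="$2"; host="$3"
  openssl x509 -in "$bundle" 2>/dev/null \
    | openssl verify -CAfile "$ca" >/dev/null 2>&1 || return 1
  kpub="$(openssl pkey -in "$bundle" -pubout 2>/dev/null)"
  cpub="$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null)"
  [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] || return 1
  hostcheck="$(openssl x509 -in "$bundle" -noout -checkhost "$host" 2>/dev/null)"
  case "$hostcheck" in *"does match"*) ;; *) return 1 ;; esac
  text="$(openssl x509 -in "$bundle" -noout -text 2>/dev/null)"
  case "$text" in *"CA:FALSE"*) ;; *) return 1 ;; esac
  return 0
}

check_bundle "$WORK/rootCA.pem" "$WORK/server.pem" "$CN" && echo "bundle OK"
```

To check the files produced by the steps above, call `check_bundle` with your own `rootCA.pem`, `server.pem` and the common name you used.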

Trusting the generated root CA in macOS

  • Open Keychain Access
  • Go to System → Certificates
  • Click + and add the `rootCA.pem` file generated above
  • Double-click the newly added certificate, change Trust to “Always Trust”, and save

That’s It. Happy Reading.
