When configuring HTTPS listeners, you can use self-signed CA certificates. Follow the instructions in this document to generate a CA certificate and use the CA certificate to sign a client certificate.
Run the following commands to create a ca folder under the /root directory and then create four sub folders under the ca folder:
$ cd /root
$ sudo mkdir ca
$ cd ca
$ sudo mkdir newcerts private conf server
- newcerts: Used to store the digital certificates signed with the CA certificate.
- private: Used to store the private key of the CA certificate.
- conf: Used to store the configuration files.
- server: Used to store the server certificate.
Create an openssl.conf file with the following content under the conf folder (/root/ca/conf/openssl.conf):
[ ca ]
default_ca = foo
[ foo ]
dir = /root/ca
database = /root/ca/index.txt
new_certs_dir = /root/ca/newcerts
certificate = /root/ca/private/ca.crt
serial = /root/ca/serial
private_key = /root/ca/private/ca.key
RANDFILE = /root/ca/private/.rand
default_days = 365
# sha256: certificates and CRLs signed with md5 are rejected by current browsers and TLS libraries
default_md = sha256
unique_subject = no
policy = policy_any
[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
localityName = optional
commonName = supplied
emailAddress = optional
Note: With policy_any as written, the countryName, stateOrProvinceName, organizationName and organizationalUnitName in every client CSR must match the CA certificate exactly, or openssl ca refuses to sign the request; commonName must always be supplied.
Run the following command to generate the CA private key. Give the key length explicitly: older OpenSSL releases default to a shorter key that current clients reject.
$ cd /root/ca
$ sudo openssl genrsa -out private/ca.key 2048
The following figure is an example of the key generation.
Run the following command and enter the required information at the prompts to generate the csr file (certificate signing request) from which the CA certificate is created.
$ sudo openssl req -new -key private/ca.key -out private/ca.csr
Note: Enter the domain name of the SLB instance as the value of Common Name.
Run the following command to generate the self-signed CA certificate from the CSR.
$ sudo openssl x509 -req -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt
Note: openssl x509 -req does not necessarily add a basicConstraints extension. If a client refuses to treat ca.crt as an issuer for that reason, re-run the command with -extfile pointing at a file that contains basicConstraints=CA:TRUE.
Run the following command to set the serial number that the CA assigns to the next certificate it signs. The value must be an even number of hexadecimal digits; FACE is used here. The write goes through tee so that it also runs as root, because a shell redirection placed after sudo runs as the invoking user.
$ echo FACE | sudo tee serial
Run the following command to create the CA database. index.txt records every certificate the CA issues together with its status, and must exist (even if empty) before openssl ca is run.
$ sudo touch index.txt
Run the following command to create a certificate revocation list (CRL). The CRL is empty at this point; it is the mechanism for withdrawing a client certificate later without touching the CA.
$ sudo openssl ca -gencrl -out /root/ca/private/ca.crl -crldays 7 -config "/root/ca/conf/openssl.conf"
The response is as follows:
Using configuration from /root/ca/conf/openssl.conf
Note: -crldays 7 makes the CRL expire after seven days, so regenerate it at least that often. To revoke a client certificate later, run sudo openssl ca -revoke /root/ca/users/client.crt -config "/root/ca/conf/openssl.conf" and then re-run the -gencrl command above so that the new CRL lists it.
Run the following command to create a users folder under the ca folder to store the client keys and certificates.
$ sudo mkdir users
Run the following command to create a 2048-bit key for the client certificate. The key is encrypted with a pass phrase (-des3 as on this page; current OpenSSL releases also accept -aes256, which is preferable).
$ sudo openssl genrsa -des3 -out /root/ca/users/client.key 2048
Note: The pass phrase entered protects this key and is requested again every time the key is used, including in the following steps.
Run the following command to create a csr file requesting a certificate for the client key.
$ sudo openssl req -new -key /root/ca/users/client.key -out /root/ca/users/client.csr
As prompted, input the pass phrase set in the previous step, then answer the subject prompts. The Country, State, Organization and Organizational Unit must match the values given for the CA certificate, because openssl.conf sets them to match.
Run the following command to sign the client CSR with the CA certificate and key.
$ sudo openssl ca -in /root/ca/users/client.csr -cert /root/ca/private/ca.crt -keyfile /root/ca/private/ca.key -out /root/ca/users/client.crt -config "/root/ca/conf/openssl.conf"
Input y when prompted to sign the certificate and y again to commit the entry to index.txt. The signed certificate is written to /root/ca/users/client.crt and a copy, named by serial number, to /root/ca/newcerts.
Run the following command to convert the client certificate and key to PKCS#12 format (a .p12 file), which bundles both for import into a browser or other client.
$ sudo openssl pkcs12 -export -clcerts -in /root/ca/users/client.crt -inkey /root/ca/users/client.key -out /root/ca/users/client.p12
Input the pass phrase of the client key when prompted, and then input the password used to protect the exported .p12 file.
Run the following command to view the generated certificate.
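The whole procedure above, run end to end without prompts and then checked the way a relying party would check it, as an added example that is not from the original page or from Alibaba Cloud. It works in a temporary directory instead of /root/ca, uses req -x509 to do the CSR plus x509 -req pair in one step, and assumes only that openssl is on PATH; all subjects, passphrases and file names are constructed for the demo. It goes beyond the page by also revoking the client certificate and showing that verification against the regenerated CRL then fails.

```shell
#!/bin/sh
# Added example (not from the original page): runs the procedure above
# non-interactively in a temporary directory instead of /root/ca, then checks
# the result the way a relying party would. Assumes only that `openssl` is on
# PATH. All subjects, passphrases and file names are constructed for the demo.
set -eu

ca_demo() {
  workdir=$(mktemp -d)
  conf="$workdir/conf/openssl.conf"
  mkdir -p "$workdir/newcerts" "$workdir/private" "$workdir/conf" "$workdir/users"

  # Same layout as the page's openssl.conf, with sha256 instead of md5 plus
  # extension sections: the CA cert gets CA:TRUE, client certs get clientAuth.
  cat > "$conf" <<EOF
[ ca ]
default_ca = foo
[ foo ]
dir = $workdir
database = $workdir/index.txt
new_certs_dir = $workdir/newcerts
certificate = $workdir/private/ca.crt
serial = $workdir/serial
crlnumber = $workdir/crlnumber
private_key = $workdir/private/ca.key
default_days = 365
default_crl_days = 7
default_md = sha256
unique_subject = no
policy = policy_any
x509_extensions = v3_client
[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
localityName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ v3_client ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

  # CA key and self-signed CA certificate (req -x509 does the page's
  # req + x509 -req pair in one step and applies the v3_ca extensions).
  openssl genrsa -out "$workdir/private/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -sha256 -days 365 -key "$workdir/private/ca.key" \
    -subj "/C=CN/ST=Zhejiang/O=Example Ltd/OU=SLB/CN=Example Test CA" \
    -config "$conf" -extensions v3_ca -out "$workdir/private/ca.crt"
  echo FACE > "$workdir/serial"      # next certificate serial, even-length hex
  echo 01 > "$workdir/crlnumber"     # next CRL number
  : > "$workdir/index.txt"           # empty CA database

  # Client key (passphrase-protected), CSR, signing and PKCS#12 export.
  # policy_any says C/ST/O/OU must match the CA, so the subject reuses them.
  openssl genrsa -aes256 -passout pass:client-pw -out "$workdir/users/client.key" 2048 2>/dev/null
  openssl req -new -key "$workdir/users/client.key" -passin pass:client-pw \
    -subj "/C=CN/ST=Zhejiang/O=Example Ltd/OU=SLB/CN=client1" \
    -config "$conf" -out "$workdir/users/client.csr"
  openssl ca -batch -config "$conf" -in "$workdir/users/client.csr" \
    -out "$workdir/users/client.crt"
  openssl pkcs12 -export -clcerts -in "$workdir/users/client.crt" \
    -inkey "$workdir/users/client.key" -passin pass:client-pw \
    -passout pass:export-pw -out "$workdir/users/client.p12"

  # Check 1: the client cert chains to the CA, and the (empty) CRL permits it.
  # -CAfile accepts a PEM bundle of certificates and CRLs, so concatenate.
  openssl ca -config "$conf" -gencrl -crldays 7 -out "$workdir/ca.crl" 2>/dev/null
  cat "$workdir/private/ca.crt" "$workdir/ca.crl" > "$workdir/trust.pem"
  if openssl verify -crl_check -CAfile "$workdir/trust.pem" \
       "$workdir/users/client.crt" >/dev/null 2>&1
  then CA_DEMO_ISSUED=ok; else CA_DEMO_ISSUED=failed; fi

  # Check 2: revoke it, regenerate the CRL, and the same check must now fail.
  openssl ca -config "$conf" -revoke "$workdir/users/client.crt" 2>/dev/null
  openssl ca -config "$conf" -gencrl -crldays 7 -out "$workdir/ca.crl" 2>/dev/null
  cat "$workdir/private/ca.crt" "$workdir/ca.crl" > "$workdir/trust.pem"
  if openssl verify -crl_check -CAfile "$workdir/trust.pem" \
       "$workdir/users/client.crt" >/dev/null 2>&1
  then CA_DEMO_REVOKED=still-valid; else CA_DEMO_REVOKED=rejected; fi

  echo "issued: $CA_DEMO_ISSUED, after revocation: $CA_DEMO_REVOKED"
  rm -rf "$workdir"
}

ca_demo
```

A correct run prints issued: ok, after revocation: rejected. The two verify calls are the check worth keeping around: the first proves the CA certificate and the signed client certificate fit together before anything is uploaded to a listener, and the second proves that the CRL actually does its job, which is easy to get wrong if the CRL is never regenerated after openssl ca -revoke or if the relying party is never given the new CRL.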