To add an HTTPS listener with two-way authentication, you have to upload a server certificate and a CA certificate to SLB when configuring the listener.
A self-signed CA certificate is used to sign the client certificate in this tutorial. Complete these steps to add an HTTPS listener with two-way authentication:
- Prepare a server certificate
- Generate a CA certificate using OpenSSL
- Generate a client certificate
- Upload the server certificate and the CA certificate
- Install the client certificate
- Configure the Server Load Balancer instance
- Test the load balancing service
Step 1 Prepare the server certificate
A server certificate lets the client browser check whether the certificate presented by the server was signed and issued by a trusted certificate authority. You can purchase a server certificate from Alibaba Cloud Security Certificate Service, or from other service providers.
Step 2 Generate a CA certificate by using OpenSSL
- Run the following commands to create a ca folder under the /root directory and then create four subfolders under the ca folder.
$ sudo mkdir ca
$ cd ca
$ sudo mkdir newcerts private conf server
where:
- newcerts is used to store the digital certificates signed by the CA certificate.
- private is used to store the private key of the CA certificate.
- conf is used to store the configuration files.
- server is used to store the server certificate.
- Create an openssl.conf file with the following content under the conf folder.
[ ca ]
default_ca = foo
[ foo ]
dir = /root/ca
database = /root/ca/index.txt
new_certs_dir = /root/ca/newcerts
certificate = /root/ca/private/ca.crt
serial = /root/ca/serial
private_key = /root/ca/private/ca.key
RANDFILE = /root/ca/private/.rand
default_days = 365
default_crl_days= 30
default_md = md5
unique_subject = no
policy = policy_any
[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
localityName = optional
commonName = supplied
emailAddress = optional
- Run the following commands to generate a private key file.
$ cd /root/ca
$ sudo openssl genrsa -out private/ca.key
The following figure is an example of the key generation.
- Run the following command and enter the requested information at the prompts. Press Enter to generate the CSR file, which is used to generate the certificate.
$ sudo openssl req -new -key private/ca.key -out private/ca.csr
Note Common Name is the domain name of the SLB instance.
- Run the following command to generate the crt file.
$ sudo openssl x509 -req -days 365 -in private/ca.csr -signkey private/ca.key -out private/ca.crt
- Run the following command to set the starting serial number, which can be any four characters.
$ sudo echo FACE > serial
- Run the following command to create the CA database file.
$ sudo touch index.txt
- Run the following command to create a certificate revocation list (CRL), which is used to revoke client certificates.
$ sudo openssl ca -gencrl -out /root/ca/private/ca.crl -crldays 7 -config "/root/ca/conf/openssl.conf"
The response is as follows:
Using configuration from /root/ca/conf/openssl.conf
Step 3 Generate a client certificate
- Run the following command to create a users folder under the ca folder to store the client certificate.
$ sudo mkdir users
- Run the following command to create the client key.
$ sudo openssl genrsa -des3 -out /root/ca/users/client.key 1024
Note The pass phrase entered is the pass phrase for this key. Enter the same password twice.
- Run the following command to create a CSR file for requesting the certificate signature.
$ sudo openssl req -new -key /root/ca/users/client.key -out /root/ca/users/client.csr
When prompted, enter the pass phrase set in the previous step.
Note A challenge password is the client password (distinct from the password of client.key). It can be the same as that of the root certificate or server certificate.
- Run the following command to sign the client certificate request with the CA.
$ sudo openssl ca -in /root/ca/users/client.csr -cert /root/ca/private/ca.crt -keyfile /root/ca/private/ca.key -out /root/ca/users/client.crt -config "/root/ca/conf/openssl.conf"
Enter y when prompted to confirm the operation.
- Run the following command to convert the certificate to a PKCS12 file, which most browsers can import.
$ sudo openssl pkcs12 -export -clcerts -in /root/ca/users/client.crt -inkey /root/ca/users/client.key -out /root/ca/users/client.p12
When prompted, enter the password of the client key, and then enter the password used for exporting the client certificate.
- Run the following commands to view the created certificate.
$ cd users
$ ls
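Steps 2 and 3 above are typed interactively and assume /root/ca. The script below is an added example, not code from the tutorial or from Alibaba Cloud: it builds the same folder layout and openssl.conf in a work directory, signs a client certificate, exports it as the PKCS12 file imported in step 5, and then uses openssl verify to show what the uploaded CA certificate is for (only client certificates that chain to it pass) and what the CRL from step 2 does once a client certificate is revoked. Three deliberate differences from the tutorial: sha256 instead of md5 (current OpenSSL rejects MD5-signed certificates at its default security level), 2048-bit keys, and extension sections that mark the CA certificate as a CA and restrict the client certificate to client authentication. Subject names, passwords and the work directory are constructed values; openssl is assumed to be in PATH.

```shell
# Added example, not part of the Alibaba Cloud tutorial: non-interactive version of
# steps 2 and 3 plus verification of what the CA certificate and the CRL are used for.
# Assumes openssl in PATH; subjects, passwords and the work directory are constructed.
set -eu
CA_SUBJ="/C=CN/ST=Zhejiang/L=Hangzhou/O=Example Corp/OU=Ops/CN=slb.example.com"  # constructed
CLIENT_SUBJ="/C=CN/ST=Zhejiang/L=Hangzhou/O=Example Corp/OU=Ops/CN=client1"      # constructed
CLIENT_KEY_PASS="client-key-pass-example"  # constructed; the tutorial prompts for this
P12_PASS="p12-export-pass-example"         # constructed; asked for at PKCS#12 export

# The tutorial's openssl.conf plus a [req] section (so every command can use -config),
# sha256 instead of md5, and extension sections for the CA and the client leaf.
write_ca_conf() {
  cat > "$1/conf/openssl.conf" <<EOF
[ ca ]
default_ca = foo
[ foo ]
dir = $1
database = $1/index.txt
new_certs_dir = $1/newcerts
certificate = $1/private/ca.crt
serial = $1/serial
private_key = $1/private/ca.key
default_days = 365
default_crl_days = 30
default_md = sha256
unique_subject = no
policy = policy_any
x509_extensions = client_ext
[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
localityName = optional
commonName = supplied
emailAddress = optional
[ req ]
distinguished_name = req_dn
[ req_dn ]
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
EOF
}

# Steps 2 and 3 end to end; $1 plays the role of the tutorial's /root/ca.
build_pki() {
  d="$1"; conf="$d/conf/openssl.conf"
  mkdir -p "$d/newcerts" "$d/private" "$d/conf" "$d/server" "$d/users"
  write_ca_conf "$d"
  touch "$d/index.txt"; echo FACE > "$d/serial"          # CA database and start serial
  openssl genrsa -out "$d/private/ca.key" 2048
  openssl req -x509 -new -config "$conf" -key "$d/private/ca.key" -subj "$CA_SUBJ" \
    -days 365 -extensions ca_ext -out "$d/private/ca.crt"
  openssl genrsa -aes256 -passout "pass:$CLIENT_KEY_PASS" -out "$d/users/client.key" 2048
  openssl req -new -config "$conf" -key "$d/users/client.key" -passin "pass:$CLIENT_KEY_PASS" \
    -subj "$CLIENT_SUBJ" -out "$d/users/client.csr"
  openssl ca -batch -notext -config "$conf" -in "$d/users/client.csr" -out "$d/users/client.crt"
  openssl pkcs12 -export -clcerts -in "$d/users/client.crt" -inkey "$d/users/client.key" \
    -passin "pass:$CLIENT_KEY_PASS" -passout "pass:$P12_PASS" -out "$d/users/client.p12"
}

# Returns 0 when client.crt chains to ca.crt: the check the listener makes against the uploaded CA.
verify_client() {
  openssl verify -CAfile "$1/private/ca.crt" "$1/users/client.crt" >/dev/null 2>&1
}

# Returns 0 only if an unrelated CA with the same name would (wrongly) accept the client.
verify_against_other_ca() {
  openssl req -x509 -new -config "$1/conf/openssl.conf" -newkey rsa:2048 -nodes \
    -keyout "$1/other-ca.key" -subj "$CA_SUBJ" -days 1 -extensions ca_ext -out "$1/other-ca.crt" 2>/dev/null
  openssl verify -CAfile "$1/other-ca.crt" "$1/users/client.crt" >/dev/null 2>&1
}

# Revokes client.crt, regenerates the CRL from step 2, and returns 0 when CRL checking rejects it.
revoke_and_check() {
  openssl ca -batch -config "$1/conf/openssl.conf" -revoke "$1/users/client.crt"
  openssl ca -batch -config "$1/conf/openssl.conf" -gencrl -crldays 7 -out "$1/private/ca.crl"
  ! openssl verify -crl_check -CAfile "$1/private/ca.crt" -CRLfile "$1/private/ca.crl" \
      "$1/users/client.crt" >/dev/null 2>&1
}

main() {
  work="${1:-$(mktemp -d)}"
  build_pki "$work"
  verify_client "$work" && echo "client.crt chains to the CA: OK"
  verify_against_other_ca "$work" || echo "client.crt rejected by an unrelated CA: OK"
  revoke_and_check "$work" && echo "revoked client.crt rejected with CRL check: OK"
  echo "PKCS#12 for the browser import: $work/users/client.p12"
}
main "$@"
```

Run it as `sh mutual-tls-ca.sh [dir]`. The file to upload as the CA Certificate in step 4 is dir/private/ca.crt, and the file to import into the browser in step 5 is dir/users/client.p12. The second and third checks are the ones worth remembering when a listener rejects clients: a client certificate issued by any CA other than the uploaded one fails the chain check even if the names match, and a revoked certificate is only rejected by a verifier that actually consults the CRL.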
Step 4 Upload the server certificate and the CA certificate
- Log on to the SLB console.
- On the Instances page, click Create Server Load Balance.
- Configure the instance and then click Buy Now.
In this tutorial, the network type is Internet and region is China (Hangzhou). For more information on other instance configurations, see Create an SLB instance.
- On the Instances page, hover over the ID of the SLB instance, and then click the pencil icon to change the instance name.
- On the Server Load Balancer page, click Certificates, and then click Upload Certificate.
- On the Upload Certificate page, complete the following configurations and click Confirm.
- Certificate Region: China (Hangzhou) is selected in this tutorial.
Note The region of the certificate must be the same as that of the Server Load Balancer instance.
- Certificate Type: Server Certificate is selected in this tutorial.
- Certificate Content and Private Key: Copy the content and private key of the server certificate.
Note Click Import Sample to view the valid format of the certificate. For more information, see Certificate formats.
- In the left-side navigation pane, click Certificates, and then click Upload Certificate.
- On the Upload Certificate page, complete the following configurations and click Confirm.
- Certificate Region: China (Hangzhou) is selected in this tutorial.
Note The region of the certificate must be the same as that of the Server Load Balancer instance.
- Certificate Type: CA Certificate is selected in this tutorial.
- Certificate Content: Copy the content of the CA certificate.
Note Click Import Sample to view the valid format of the certificate. For more information, see Certificate formats.
Step 5 Install client certificates
- Open the Git Bash command line and run the following command to copy the client certificate to the local machine.
$ scp root@IPaddress:/root/ca/users/client.p12 ./
Note IPaddress is the IP address of the server where the client certificate was generated.
- Import the certificate to the IE web browser:
- Open the IE web browser, click .
- Click the Content tab, and then click Certificates. Import the PKCS12 file generated in step 3.
Step 6 Configure the SLB instance
- Log on to the SLB console.
- On the Instances page, select the China (Hangzhou) region, and then click the ID of the created instance.
- In the left-side navigation pane of the Details page, click Listeners, and then click Add Listener.
- In the Add Listener dialog, configure the listener.
The listener configuration used in this tutorial is as follows. For more information, see Layer-7 listener configurations.
- Front-end Protocol [Port]: HTTPS 443
- Backend Protocol [Port]: HTTP 80
- Scheduling Algorithm: Round Robin
- Mutual Authentication: Enable
- Server Certificate: Select the uploaded server certificate.
- CA Certificate: Select the uploaded CA certificate.
- Click Next, and then click Confirm to create the listener.
- In the left-side navigation pane, click Add next to the target ECS instance to add it as a backend server.
Step 7 Test the load balancing service
- Go back to the Instances page and check the health status of the backend servers. When the status is Normal, the listener is working normally.
- Enter the public IP of the Server Load Balancer instance in the web browser and check whether the requests are handled correctly over the SSL protocol.
- Refresh the web page; the requests are distributed evenly across the backend servers.
Note Because a self-signed certificate is used, the browser reports the certificate as untrusted in the following image.