When you configure an HTTPS listener, you can use a self-signed CA certificate. You can also use the CA certificate to sign a client certificate.
Generate a CA certificate by using OpenSSL
Log on to a Linux Elastic Compute Service (ECS) instance that has the OpenSSL tool installed. In this example, the instance runs the Alibaba Cloud Linux 3 operating system and has OpenSSL version 1.1.1k installed.
1. Run the following commands to create a ca directory in the /home directory and create four sub-directories under the ca directory.
sudo mkdir /home/ca
cd /home/ca
sudo mkdir newcerts private conf server
The newcerts folder is used to store the digital certificate signed by the CA certificate.
The private folder is used to store the private key of the CA certificate.
The conf folder is used to store the configuration files used for simplifying parameters.
The server folder is used to store the server certificate.
2. Create an openssl.conf file in the conf directory.
vim /home/ca/conf/openssl.conf
The openssl.conf file contains the following information.
[ ca ]
default_ca = foo
[ foo ]
dir = /home/ca
database = /home/ca/index.txt
new_certs_dir = /home/ca/newcerts
certificate = /home/ca/private/ca.crt
serial = /home/ca/serial
private_key = /home/ca/private/ca.key
RANDFILE = /home/ca/private/.rand
default_days = 365
default_crl_days = 30
default_md = sha256
unique_subject = no
policy = policy_any
[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
localityName = optional
commonName = supplied
emailAddress = optional
3. Run the following commands to generate a private key.
cd /home/ca
sudo openssl genrsa -out /home/ca/private/ca.key
The following figure shows the command output.
4. Run the following command, enter the required information as prompted, and then press the Enter key to generate a csr file.
sudo openssl req -new -key /home/ca/private/ca.key -out /home/ca/private/ca.csr
Note: Common Name specifies the domain name of the Classic Load Balancer (CLB) instance.
5. Run the following command to generate a crt file:
sudo openssl x509 -req -days 365 -in /home/ca/private/ca.csr -signkey /home/ca/private/ca.key -out /home/ca/private/ca.crt
Important: The ca.crt file is the CA certificate file to be uploaded to CLB.
6. Run the following command to set the initial sequence number of the CA key. The initial sequence number can be any four characters. In this example, the initial sequence number of the CA key is FACE.
echo FACE | sudo tee /home/ca/serial
7. Run the following command to create a CA key library.
sudo touch /home/ca/index.txt
8. Run the following command to create a certificate revocation list for removing the client certificate.
sudo openssl ca -gencrl -out /home/ca/private/ca.crl -crldays 7 -config "/home/ca/conf/openssl.conf"
Output:
Using configuration from /home/ca/conf/openssl.conf
Sign the client certificate
1. Run the following command to create the users directory in the ca directory to store client keys.
sudo mkdir /home/ca/users
2. Run the following command to create a client key.
sudo openssl genrsa -des3 -out /home/ca/users/client.key 2048
Note: When you create the key, enter a passphrase to prevent unauthorized access in case of key leaks. Enter the same passphrase twice.
3. Run the following command to create a csr file for the client key.
sudo openssl req -new -key /home/ca/users/client.key -out /home/ca/users/client.csr
Enter the passphrase that you entered in Step 2 and other required information as prompted.
Note: The challenge password is a client certificate password and is different from the passphrase of the client key.
4. Run the following command to sign the client certificate request with the CA key and generate the client certificate.
sudo openssl ca -in /home/ca/users/client.csr -cert /home/ca/private/ca.crt -keyfile /home/ca/private/ca.key -out /home/ca/users/client.crt -config "/home/ca/conf/openssl.conf"
Enter y when you are prompted to confirm the following two operations.

5. Run the following command to convert the certificate to a PKCS12 file.
sudo openssl pkcs12 -export -clcerts -in /home/ca/users/client.crt -inkey /home/ca/users/client.key -out /home/ca/users/client.p12
Enter the passphrase of the client key as prompted and press the Enter key. Then, enter the password that is used to export the client certificate. This password is used to protect the client certificate and is required when you install the client certificate.
6. Run the following commands to view the generated client certificate.
cd /home/ca/users
ls
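The whole procedure above as one unattended script, added here as an example and not taken from the original page, which also checks the result: it verifies client.crt against ca.crt, then revokes the certificate and reissues the CRL to show that CRL-checked verification rejects it afterwards. It self-signs the CA certificate with openssl req -x509 plus a CA:TRUE basic constraint instead of the page's x509 -req step, and the scratch directory, subject names and passphrases are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): rebuilds this page's CA layout in a scratch directory, signs a client
# certificate non-interactively, verifies it, then revokes it and reissues the CRL. Paths, names and passphrases are constructed.
set -eu
CA_ROOT=${CA_ROOT:-$(mktemp -d)}; CONF="$CA_ROOT/conf/openssl.conf"   # CA_ROOT stands in for /home/ca
DN="/C=CN/ST=Zhejiang/O=Example Corp/OU=IT"   # policy_any says these fields must match between CA and client
setup_ca() {
  mkdir -p "$CA_ROOT/newcerts" "$CA_ROOT/private" "$CA_ROOT/conf" "$CA_ROOT/users"
  echo FACE > "$CA_ROOT/serial"; : > "$CA_ROOT/index.txt"   # initial serial (hex) and empty CA database
  cat > "$CONF" <<EOF   # the page's [ca] settings plus a minimal [req] section so -subj needs no system openssl.cnf
[ ca ]
default_ca = foo
[ foo ]
database = $CA_ROOT/index.txt
new_certs_dir = $CA_ROOT/newcerts
certificate = $CA_ROOT/private/ca.crt
serial = $CA_ROOT/serial
private_key = $CA_ROOT/private/ca.key
default_days = 365
default_md = sha256
policy = policy_any
[ policy_any ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = match
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 365 -config "$CONF" -subj "$DN/CN=Example CA" \
    -addext "basicConstraints=critical,CA:TRUE" -keyout "$CA_ROOT/private/ca.key" -out "$CA_ROOT/private/ca.crt" 2>/dev/null
}
sign_client() {   # passphrase-protected key, CSR, CA-signed cert and PKCS#12 bundle, as on the page but unattended
  openssl genrsa -des3 -passout pass:clientpw -out "$CA_ROOT/users/client.key" 2048 2>/dev/null
  openssl req -new -config "$CONF" -key "$CA_ROOT/users/client.key" -passin pass:clientpw -subj "$DN/CN=client1" -out "$CA_ROOT/users/client.csr"
  openssl ca -batch -config "$CONF" -in "$CA_ROOT/users/client.csr" -out "$CA_ROOT/users/client.crt" 2>/dev/null
  openssl pkcs12 -export -clcerts -in "$CA_ROOT/users/client.crt" -inkey "$CA_ROOT/users/client.key" -passin pass:clientpw -passout pass:exportpw -out "$CA_ROOT/users/client.p12"
}
revoke_client() {   # mark the certificate revoked in index.txt, then reissue the CRL
  openssl ca -config "$CONF" -revoke "$CA_ROOT/users/client.crt" 2>/dev/null
  openssl ca -config "$CONF" -gencrl -crldays 7 -out "$CA_ROOT/private/ca.crl" 2>/dev/null
}
revoked_cert_is_rejected() {   # returns 0 only when CRL-checked verification rejects client.crt
  ! openssl verify -crl_check -CAfile "$CA_ROOT/private/ca.crt" -CRLfile "$CA_ROOT/private/ca.crl" "$CA_ROOT/users/client.crt" >/dev/null 2>&1
}
setup_ca; sign_client
openssl verify -CAfile "$CA_ROOT/private/ca.crt" "$CA_ROOT/users/client.crt"   # prints "<path>/client.crt: OK"
revoke_client; revoked_cert_is_rejected && echo "revoked client.crt is rejected once the CRL is checked"
```

Because policy_any in the page's openssl.conf sets countryName, stateOrProvinceName, organizationName and organizationalUnitName to match, the client request must carry the same values for those fields as the CA certificate, otherwise openssl ca rejects it. The CLB side only sees ca.crt and the CRL you upload, so a client certificate stays valid there until the CRL that lists it is actually distributed.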