SVill

Reputation: 439

Either remove or automatically enter pem passphrase for haproxy ssl; Chrome still warns about CA not signed

I recently received a signed certificate to use with haproxy SSL termination. In order for haproxy to use this, I needed to convert the jks file to a pem file. First, I converted the cer files I received into crt, as I had a previous error where haproxy was not able to find the crt files in the pem file. Do this for all certs:

$ openssl x509 -inform PEM -in <CER file here> -out <CRT output file>

I then import the root, intermediate, and service certs to the keystore, which already has the private key:

keytool -importcert -file $CERT -alias $ALIAS -keystore test.jks

I then convert the jks file to a p12 file, followed by converting that to a pem file:

$ keytool -importkeystore -srckeystore test.jks -destkeystore test.p12 -srcstoretype jks -deststoretype pkcs12
Enter destination keystore password:
Re-enter new password:


$ openssl pkcs12 -in test.p12 -out test.pem
Enter Import Password:
MAC verified OK
Enter PEM pass phrase:

This generates a pem file with the following format:

Bag Attributes
    friendlyName:
    localKeyID: 
-----BEGIN ENCRYPTED PRIVATE KEY-----
-----END ENCRYPTED PRIVATE KEY-----
Bag Attributes
    friendlyName:
subject=
issuer=
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Bag Attributes
    friendlyName:
subject=
issuer=
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: 
subject=
issuer=
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Bag Attributes
    friendlyName:
    localKeyID:
subject=
issuer=
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

Obviously, there is a lot of information missing from this, as I do not want to share that online; however, the structure is pretty much identical.

When I link this to haproxy:

frontend https
  maxconn 2000
  bind 0.0.0.0:4000 ssl crt /home/user/config/cert/test.pem

And when I run it with haproxy -d -f haproxy.cfg, I'm asked to enter the PEM pass phrase. I need to be able to start haproxy automatically on server start-up, so I can't enter this every time I want to run it. Is there any way to remove the pass phrase, or generate a pem file without one? Or can I supply it via a script? The script I use to start haproxy on server start-up is just the command you see above, with nohup to redirect the output.

Also, when I go to one of the services fronted by haproxy, Chrome still warns me that the CA is not trusted, like when I used a self signed certificate. Is there anything else I need to do beyond what I have above?

Upvotes: 8

Views: 17954

Answers (2)

social

Reputation: 537

Or instead remove the PEM passphrase, e.g. on an Amazon EC2 Fedora Linux instance:

sudo ssh-keygen -p -f EC2.pem

Upvotes: 1

Aleksandar

Reputation: 2672

You will need to copy the password-protected key to a key that is not password-protected.

openssl rsa -in test.pem -out test-password-less.key

To provide the PEM to HAProxy, you will also need the certificate. cat both files into one PEM file for HAProxy.

cat $CERT test-password-less.key > haproxy-test.pem

Upvotes: 12
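A worked version of the whole path described in the question and in the answer above, added here as an example; it is not code from the question or from either answer. It takes a passphrase-protected PKCS#12 file like the question's test.p12, exports the key unencrypted with openssl pkcs12 -nodes (so HAProxy never prompts for a pass phrase), and writes the certificates with the server certificate first, followed by its issuers. That order matters: HAProxy, like OpenSSL's own chain loader, treats the first CERTIFICATE block in the crt file as the server certificate and the following ones as the chain, so the root-first order shown in the question's pem is not the order to feed it. The check function runs what is worth checking before pointing bind ... ssl crt at the file: the key is not encrypted, the first certificate matches the key, and the chain verifies to the root. One caveat the page does not state: if the issuing CA is a private one, Chrome keeps warning until that root is in the client's trust store, whatever HAProxy serves. The root, intermediate and leaf, the name test.example and the password secret are constructed for the demo; only openssl is required, keytool is not.

```sh
#!/bin/sh
# Added example, not code from the question or the answers: turn a
# passphrase-protected PKCS#12 export into the unencrypted, leaf-first PEM that
# HAProxy's "crt" expects, then check it. The chain, the name test.example and
# the password "secret" are constructed for the demo; only openssl is needed.
set -eu

# Constructed root -> intermediate -> leaf chain, bundled into a password-
# protected test.p12 that stands in for the keytool export in the question.
make_test_material() {   # $1 = work dir
    d=$1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:test.example\n' > "$d/leaf.ext"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -keyout "$d/$n.key" \
            -subj "/CN=Example $n" -out "$d/$n.csr" 2>/dev/null
    done
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
        -set_serial 1 -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -days 1 -set_serial 2 -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -days 1 -set_serial 3 -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
    cat "$d/root.crt" "$d/int.crt" > "$d/chain.crt"
    openssl pkcs12 -export -inkey "$d/leaf.key" -in "$d/leaf.crt" \
        -certfile "$d/chain.crt" -passout pass:secret -out "$d/test.p12"
}

# Export for HAProxy: -nodes writes the key unencrypted (no pass phrase prompt at
# start-up); certificates are written leaf first, then each issuer in turn.
p12_to_haproxy_pem() {   # $1 = p12 file, $2 = p12 password, $3 = output pem
    p12=$1 pass=$2 out=$3
    w=$(mktemp -d)
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nodes -nocerts 2>/dev/null \
        | openssl pkey -out "$w/key.pem"                  # strips the Bag Attributes
    openssl pkcs12 -in "$p12" -passin "pass:$pass" -nokeys -out "$w/bags.pem" 2>/dev/null
    awk -v dir="$w" '/BEGIN CERTIFICATE/ {n++; f = dir "/c" n ".pem"}
                     /BEGIN CERTIFICATE/,/END CERTIFICATE/ {print > f}' "$w/bags.pem"
    # The server certificate is the one whose public key matches the private key.
    keypub=$(openssl pkey -in "$w/key.pem" -pubout)
    cur=
    for c in "$w"/c*.pem; do
        [ "$(openssl x509 -in "$c" -noout -pubkey)" = "$keypub" ] && cur=$c
    done
    [ -n "$cur" ] || { echo "no certificate in $p12 matches the private key" >&2; return 1; }
    : > "$out"
    # Walk subject -> issuer links; stop once a self-signed root has been written.
    while [ -n "$cur" ]; do
        openssl x509 -in "$cur" >> "$out"
        subj=$(openssl x509 -in "$cur" -noout -subject -nameopt RFC2253)
        iss=$(openssl x509 -in "$cur" -noout -issuer -nameopt RFC2253)
        [ "${subj#subject=}" = "${iss#issuer=}" ] && break
        cur=
        for c in "$w"/c*.pem; do
            s=$(openssl x509 -in "$c" -noout -subject -nameopt RFC2253)
            [ "${s#subject=}" = "${iss#issuer=}" ] && cur=$c
        done
    done
    cat "$w/key.pem" >> "$out"
    rm -rf "$w"
}

# Checks before pointing "bind ... ssl crt" at the file: key not encrypted, first
# certificate belongs to the key, chain verifies against the trusted root.
# Returns 0 only when all three hold.
check_haproxy_pem() {   # $1 = pem, $2 = trusted root certificate
    pem=$1 root=$2
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$pem" && return 1
    w=$(mktemp -d)
    sed -n '/BEGIN .*PRIVATE KEY/,/END .*PRIVATE KEY/p' "$pem" > "$w/key.pem"
    sed -n '/BEGIN CERTIFICATE/,/END CERTIFICATE/p' "$pem" > "$w/chain.pem"
    openssl x509 -in "$w/chain.pem" > "$w/leaf.pem"      # first certificate only
    ok=1
    if [ "$(openssl pkey -in "$w/key.pem" -pubout 2>/dev/null)" = \
         "$(openssl x509 -in "$w/leaf.pem" -noout -pubkey)" ] &&
       openssl verify -CAfile "$root" -untrusted "$w/chain.pem" "$w/leaf.pem" 2>/dev/null \
         | grep -q ': OK$'; then
        ok=0
    fi
    rm -rf "$w"
    return $ok
}

# Subject of the first certificate in a PEM, RFC 2253 form, e.g. "CN=Example leaf".
first_cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

run_demo() {   # $1 = work dir
    d=$1
    make_test_material "$d"
    p12_to_haproxy_pem "$d/test.p12" secret "$d/haproxy.pem"
    check_haproxy_pem "$d/haproxy.pem" "$d/root.crt"
    echo "haproxy.pem: first certificate $(first_cert_subject "$d/haproxy.pem"), chain and key OK"
    # The root-first order of the question's pem fails the first-certificate check.
    cat "$d/chain.crt" "$d/leaf.crt" "$d/leaf.key" > "$d/rootfirst.pem"
    check_haproxy_pem "$d/rootfirst.pem" "$d/root.crt" || echo "rootfirst.pem: rejected, as expected"
}
run_demo "$(mktemp -d)"
```

Run it as sh script.sh; it prints the first certificate's subject of the generated haproxy.pem and reports that a root-first copy of the same material is rejected. For a real keytool export, call p12_to_haproxy_pem with the real .p12 and its password, then check_haproxy_pem with the CA's root certificate, and put the resulting file in the crt argument. The self-signed root is kept at the end of the chain; HAProxy will send it too, which is harmless but unnecessary, so drop it from the output if you prefer.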
