How to import your own SSL cert to a Load Balancer
The managed Load Balancer service supports Let’s Encrypt SSL/TLS certificates by default.
You can import your own SSL certificate if you want to use a self-signed certificate, or a certificate issued by another certificate authority (CA) to increase the trust level.
- You have an account and are logged into console
- You have a managed Load Balancer
Important: Self-signed certificates can be detected as non-trustworthy by web browsers and it is not recommended to use them in a production environment.
Scaleway does not sell SSL certificates, but you can buy one directly from a CA, for example to guarantee the identity of an online shop. Once you have ordered the certificate, it is sufficient to import the keys provided to secure the connection to your Load Balancer. If you have purchased a certificate, you can skip directly to Uploading the Certificate.
In case you want to manage the creation and administration of the certificate yourself, you can use a self-signed certificate, which can be generated from your computer. This can be useful if you want to test or develop solutions.
- You need to have a common name for your certificate. The common name can be either a fully qualified domain name (i.e
server.example.com) or the IP address of the load balancer (i.e
- Open a text editor and create a file
[ req ]
default_bits = 4096
distinguished_name = req_distinguished_name
req_extensions = req_ext

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = FR
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Ile-de-France
localityName = Locality Name (eg, city)
localityName_default = Paris
organizationName = Organization Name (eg, company)
organizationName_default = MyCompanyName
commonName = server.example.com
commonName_max = 64
commonName_default = localhost
emailAddress = Email Address (eg, firstname.lastname@example.org)
emailAddress_max = 64
emailAddress_default = email@example.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = server.example.com
DNS.2 = alias.example.com
Enter your main domain name as commonName in the configuration file. The domain names listed in the [alt_names] section must also be edited so that they match the domain name for which you want to issue the certificate. If you want to add multiple domains to the certificate, add them in this section as DNS.3 and so on. Save the file and exit the text editor once the configuration matches your setup.
- Generate a 4096-bit private key using
openssl genrsa -out private.key 4096
- Generate a certificate signing request (CSR) using
openssl req -new -sha256 -out private.csr -key private.key -config ssl.conf
- Check the CSR using the following
openssl req -text -noout -in private.csr
You should see two lines similar to these examples:
X509v3 Subject Alternative Name: DNS:server.example.com
Signature Algorithm: sha256WithRSAEncryption
- If everything looks fine, generate the certificate with the following command. The value -days 365 specifies the validity of the certificate and can be edited to suit your requirements:
openssl x509 -req -sha256 -days 365 -in private.csr -signkey private.key -out ssl.crt -extensions req_ext -extfile ssl.conf
- You will now find two files in your directory:
private.key contains your private key information
ssl.crt contains the information about your SSL certificate.
Once the certificate is generated, you can upload it to your Load Balancer using the Scaleway console. If you have purchased a certificate from a certificate authority, you have received the private key, the certificate and optionally certificate authorities from them. Make sure you have all required information available before continuing.
- Log in to your console
- Click on Load Balancer in the menu on the left.
- Click on the Load Balancer you want to edit.
- The Load Balancer Information page displays. Click on the SSL Certificates tab on top of the page.
- Click on + Create a SSL certificate to enter the SSL configuration wizard.
- The configuration wizard displays:
- By default, the configuration for Let’s Encrypt displays. To upload your own certificate, click on the Select a type drop-down menu and select Import certificate.
- Enter a name for your certificate and copy the content of the files ssl.crt into the textbox. If you got a chain or intermediate certificate from your CA, enter the content of the file after the private key and the primary certificate:
When you have purchased a certificate from a trusted certificate authority, you will not necessarily get an already “bundled” file that you can simply copy and paste into the text box. You may have to bundle the required file by yourself.
However, many authorities do provide an already bundled file. If you got a pem file you can copy/paste all of its content. If you received a series of chain or some similar file names you must bundle them by yourself by copy/pasting the contents of each of the files. The final result should look like this example:
-----BEGIN PRIVATE KEY-----
(Private Key: private.key contents)
-----END PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
(Primary SSL certificate: ssl.crt contents)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(OPTIONALLY: Intermediate certificate: chain.crt contents)
-----END CERTIFICATE-----
- Click on Create SSL certificate to validate the configuration and to save the certificate.
- The newly added SSL certificate displays in the list of your SSL certificates and is ready to be added to your frontends:
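A local pre-upload check for the bundle described above, as an added example that is not part of the original page: it verifies the PEM framing, enforces the order private key, primary certificate, intermediates, and compares the public key in the key file with the one in the certificate. The function names are hypothetical; the file names (private.key, ssl.crt, chain.crt) follow the page.

```shell
#!/bin/sh
# Added example: function names are hypothetical; file names follow the page.
# Usage: (umask 077; make_bundle private.key ssl.crt chain.crt > bundle.pem)

# pem_labels FILE: print the label of each PEM block in order. Fails when a
# BEGIN line has no exactly matching END line (e.g. a dash lost while pasting).
pem_labels() {
    awk '
        /^-----BEGIN [A-Z0-9 ]+-----[ \t\r]*$/ {
            if (cur != "") { bad = 1; exit }
            cur = $0
            sub(/^-----BEGIN /, "", cur); sub(/-----[ \t\r]*$/, "", cur)
            next
        }
        /^-----END / {
            line = $0; sub(/[ \t\r]*$/, "", line)
            if (cur == "" || line != "-----END " cur "-----") { bad = 1; exit }
            print cur; cur = ""
        }
        END { if (bad || cur != "") exit 2 }
    ' "$1"
}

# make_bundle KEY CERT [CHAIN...]: write private key, primary certificate and
# intermediates to stdout in that order, refusing malformed or misplaced input.
make_bundle() {
    key=$1; cert=$2; shift 2
    labels=$(pem_labels "$key") || { echo "malformed PEM: $key" >&2; return 1; }
    case $labels in
        # openssl genrsa writes one of the first two, depending on its version
        "PRIVATE KEY"|"RSA PRIVATE KEY"|"EC PRIVATE KEY") ;;
        *) echo "expected exactly one private key in $key" >&2; return 1 ;;
    esac
    for f in "$cert" "$@"; do
        labels=$(pem_labels "$f") || { echo "malformed PEM: $f" >&2; return 1; }
        [ -n "$labels" ] && ! printf '%s\n' "$labels" | grep -qvx CERTIFICATE ||
            { echo "expected only certificates in $f" >&2; return 1; }
    done
    awk 1 "$key" "$cert" "$@"   # awk 1 guarantees a newline after each file
}

# key_matches_cert KEY CERT: succeed only if both hold the same public key.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}
```

Run key_matches_cert private.key ssl.crt before building the bundle; the resulting bundle.pem contains the private key, so delete it once its content has been pasted into the console.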