SSL

This page applies to:

  • HAProxy ALOHA - all versions

Secure Sockets Layer (SSL) and its successor, Transport Layer Security (TLS), are protocols that encrypt messages between a client and server so that no one can eavesdrop on the communication. These protocols also ensure that the client can trust that they are connecting to the server they intended to, since the server must present a cryptographic certificate encoded with its domain name, and that certificate must have been signed by a trusted third-party certificate authority.

In this section, you will learn how to manage SSL/TLS certificates and keys in HAProxy ALOHA. HAProxy ALOHA can store SSL certificates that you can then use in your load balancer configuration to secure the traffic between clients and your services.

Create a public-facing certificate

To get a public-facing certificate, you must first create a certificate signing request, which you will send to a Certificate Authority. The Certificate Authority will then return to you a signed certificate.

  1. From the SSL tab, click New.

  2. Give the certificate a name by setting the Choose SSL certificate name field. Only letters, numbers and underscores are allowed.

  3. Set a private key for your certificate by either:

    • Generating a new key by setting the Generate a Private Key bits field and then clicking Generate.

    • Selecting Upload a Private Key and then either pasting your key into the box or uploading it, then clicking Upload.

      • Use at least 2048 bits for public-facing certificates.
      • Your private key will not be sent to the Certificate Authority with your certificate signing request. You should keep your key secret.
  4. The Build Certificate Request dialog displays. Set each of the properties under Build Certificate Request, then click Request.

  5. Copy and send the certificate signing request to your Certificate Authority.

  6. When you receive the signed server certificate from the Certificate Authority, click Edit on the row of the incomplete certificate signing request.

  7. Paste your certificate and then click Upload. You can also paste any intermediate certificates below the certificate.

  8. To make the configuration changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.

Create a self-signed certificate

A self-signed certificate is not signed by a trusted Certificate Authority, which means that client browsers will not trust it by default. However, a self-signed certificate is convenient for internal, test environments or when internal users are fine with clicking past the browser’s warnings.

  1. From the SSL tab, click New.

  2. Give the certificate a name by setting the Choose SSL certificate name field.

  3. Set the size of the certificate’s private key by setting the Generate a Private Key bits field, then click Generate.

  4. The Build Certificate Request dialog displays. Set each of the properties under Build Certificate Request, then click Request.

  5. The certificate signing request information displays. Click Sign to self-sign the certificate.

  6. To make the configuration changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.

Upload an existing certificate

You can upload a certificate that you already have. Note that your key file and certificate file must be separate files.

  1. From the SSL tab, click New.

  2. Give the certificate a name by setting the Choose SSL certificate name field.

  3. Select Upload a Private Key and then either:

    • Paste your key into the box and then click Upload.
    • Browse to your key file and then click Upload.
  4. The Build Certificate Request dialog displays. Select Upload Certificate and then either:

    • Paste your existing certificate into the box and then click Upload.
    • Browse to your certificate file and then click Upload.
  5. To make the configuration changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.

Update a certificate

You can update an existing certificate, such as to replace one that has expired.

  • If the former and newer certificates use the same private key:

    1. From the SSL tab, click Edit on the row you want to update.

    2. In the Certificate text area, replace the former certificate with the content of the new one. Or, upload a new certificate.

    3. From the Services tab, reload the haproxy service. If an error occurs, restart the service, which will revert to using the former certificates and configuration.

    4. To update the certificates on all cluster members, click Push service haproxy configuration on ALOHA peer.

  • If the former and newer certificates use different private keys:

    1. From the SSL tab, click Delete on the row you want to delete. This is the certificate and key that you will re-upload.

    2. Upload the updated certificate and new private key.

    3. From the Services tab, reload the haproxy service. If an error occurs, restart the service, which will revert to using the former certificates and configuration.

    4. To update the certificates on all cluster members, click Push service haproxy configuration on ALOHA peer.

  1. To make the configuration changes persist after a reboot, go to the Setup tab and click Save within the Configuration section.
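
The check behind the two update paths above, and behind uploading an existing key and certificate pair, as an added example that is not HAProxy's own tooling: it runs openssl on your workstation and compares public keys before anything is pasted into the SSL tab. The function names, file names and self-signed demo certificates are constructed for illustration.

```shell
#!/bin/sh
# Added example, not HAProxy's code. Compares public keys to pick the
# "Update a certificate" path. All file names and demo material are constructed.
set -eu

# SHA-256 over the DER form of a PEM public key read from stdin.
pubkey_fp() { openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1; }

# Fingerprint of the public key inside a certificate; fails on unreadable input.
cert_pubkey_fp() {
  pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  printf '%s\n' "$pub" | pubkey_fp
}

# Fingerprint of the public key derived from an unencrypted private key.
key_pubkey_fp() {
  pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
  printf '%s\n' "$pub" | pubkey_fp
}

# update_path OLD_CERT NEW_CERT -> prints "same-key" or "different-key".
update_path() {
  old=$(cert_pubkey_fp "$1") || return 2
  new=$(cert_pubkey_fp "$2") || return 2
  if [ "$old" = "$new" ]; then echo same-key; else echo different-key; fi
}

# True when the private key belongs to the certificate.
key_matches_cert() {
  k=$(key_pubkey_fp "$1") && c=$(cert_pubkey_fp "$2") && [ "$k" = "$c" ]
}

# True when the certificate is still valid DAYS from now (the "Not After" date).
valid_for_days() { openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; }

# Constructed demo: self-signed stand-ins for the old, renewed and re-keyed certs.
d=$(mktemp -d); trap 'rm -rf "$d"' EXIT
openssl genrsa -out "$d/old.key" 2048 2>/dev/null
openssl genrsa -out "$d/new.key" 2048 2>/dev/null
mkcert() { openssl req -x509 -new -key "$1" -subj "/CN=www.example.test" -days "$2" -out "$3"; }
mkcert "$d/old.key" 1   "$d/old.crt"
mkcert "$d/old.key" 365 "$d/renewed.crt"
mkcert "$d/new.key" 365 "$d/rekeyed.crt"
echo "renewed: $(update_path "$d/old.crt" "$d/renewed.crt")"
echo "rekeyed: $(update_path "$d/old.crt" "$d/rekeyed.crt")"
key_matches_cert "$d/new.key" "$d/rekeyed.crt" && echo "new.key matches rekeyed.crt"
```

A "same-key" result means the Edit path applies; "different-key" means the Delete and re-upload path applies, and key_matches_cert should pass for the new pair before you upload it.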

List certificates

You can display existing Server Certificates and their statuses by selecting the SSL tab in the Web UI.

The following information about existing certificates displays:

Column        Description
Name          Label used to reference this certificate in HAProxy ALOHA’s configuration.
Domain        Common Name (or CN) of the certificate.
Not Before    Date from when the certificate is valid.
Not After     Date until when the certificate is valid. When a certificate expires, this date appears in bold red.
Verify        State of the validation of the certificate. See below.

The Verify column can show any of the following states:

State               Description
Broken chain        When a certificate chain is incomplete or the full chain can’t be validated (outdated intermediary, etc.)
CA only (no key)    When a certificate can be used to validate client certificates only.
Incomplete          When either the private key and the certificate or the certificate is missing.
Valid               When everything is fine and safe.
Self-Signed         When the certificate was generated and signed by HAProxy ALOHA itself.

Use an SSL certificate

You can refer to your certificate in the load balancer configuration by the Name shown on the SSL tab. For example, for a certificate named mycert, on the LB Layer7 tab you would use:

    frontend www
      bind :443 ssl crt mycert

For more examples, see HAProxy configuration tutorials - SSL / TLS.
