Creating a PEM file for haproxy

Having done the last SSL certificates on my and my customers' domains about a year ago, I forgot the order in which the crt, ca-bundle and key files are to be concatenated into the PEM file in order for haproxy to read it correctly.

 

I write this as a reminder to myself for the next time I am required to perform this operation:

 

The order is

  1. crt
  2. ca-bundle
  3. key

Meaning one can do simply:

cat <crtfile>.crt <ca-bundlefile>.ca-bundle <keyfile>.key > <mypemfile>.pem

Important!

Make sure there are NO parts like the following:

I9U65mjp1vDlN39qqeyjLzv6GqljjX7N3yrGNndn7JLI9twKAB8awXu11Xn8nkdJ
SeS3mlrnZtCiImeeeATEDjXsYTzu05lJNPZzV1pOI6ZJLuxS7uT/LABrlE7SOqb5
7PLgdjOMkQiF/igA5Qn1aY2DSwRu+5p0t6ZcPI+qSA1Q7wJ0GzaMng==
-----END CERTIFICATE----------BEGIN CERTIFICATE-----
MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl

 

This will fail on loading the certificate. Use vi to change it to:

I9U65mjp1vDlN39qqeyjLzv6GqljjX7N3yrGNndn7JLI9twKAB8awXu11Xn8nkdJ
SeS3mlrnZtCiImeeeATEDjXsYTzu05lJNPZzV1pOI6ZJLuxS7uT/LABrlE7SOqb5
7PLgdjOMkQiF/igA5Qn1aY2DSwRu+5p0t6ZcPI+qSA1Q7wJ0GzaMng==
-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----
MIIGEzCCA/ugAwIBAgIQfVtRJrR2uhHbdBYLvFMNpzANBgkqhkiG9w0BAQwFADCB
iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl

 

To test the PEM file you created, use:

openssl x509 -noout -text -in <pemfile>.pem

 

The output should be a readable certificate and not an error.
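The fused END/BEGIN line shown above appears when an input file has no trailing newline and is joined with plain cat. The script below is an added example, not part of the original post: it concatenates in the same crt, ca-bundle, key order, inserts the missing newlines, restricts the output to mode 600 because it contains the private key, and checks that every marker sits on its own line. The function names, file names and PEM bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example: names and PEM bodies are constructed placeholders.

# build_pem OUT CRT CA_BUNDLE KEY
# Concatenate in the order from the post (crt, ca-bundle, key) and append a
# newline after any input that lacks one, so END/BEGIN markers never fuse.
build_pem() {
    out=$1; shift
    (
        umask 077                      # the result contains the private key
        : > "$out" && chmod 600 "$out" || exit 1
        for f in "$@"; do
            cat "$f" >> "$out" || exit 1
            # the substitution is empty only when the last byte is a newline
            [ -z "$(tail -c 1 "$f")" ] || echo >> "$out"
        done
    )
}

# pem_markers_ok FILE
# Succeeds only if the file has markers and each one is alone on its line.
pem_markers_ok() {
    awk '
        /-----(BEGIN|END) / {
            seen++
            if ($0 !~ /^-----(BEGIN|END) [A-Z0-9 ]+-----[ \t\r]*$/) bad++
        }
        END { exit (seen == 0 || bad > 0) }
    ' "$1"
}

# Constructed inputs, each written WITHOUT a trailing newline.
# The body is base64 of the word "CONSTRUCTED", not a real certificate or key.
d=$(mktemp -d)
for spec in 'site.crt:CERTIFICATE' 'site.ca-bundle:CERTIFICATE' 'site.key:PRIVATE KEY'; do
    type=${spec#*:}
    printf '%s\n%s\n%s' "-----BEGIN $type-----" 'Q09OU1RSVUNURUQ=' \
        "-----END $type-----" > "$d/${spec%%:*}"
done

# Plain cat (the one-liner from the post) versus the newline-safe build.
cat "$d/site.crt" "$d/site.ca-bundle" "$d/site.key" > "$d/naive.pem"
build_pem "$d/site.pem" "$d/site.crt" "$d/site.ca-bundle" "$d/site.key"

for pem in "$d/naive.pem" "$d/site.pem"; do
    if pem_markers_ok "$pem"; then echo "$pem: markers OK"
    else echo "$pem: fused or missing markers"; fi
done
```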
