openssl req -newkey rsa:2048 -keyout example-com-private-key.pem -x509 -days 3000 -out example-com-crt.pem -passout pass:examplePassword
Configure SSL Endpoints and Certificates
While you do not have to manage load balancers manually in CloudHub 2.0, each private space must have at least one certificate associated with it. To configure an SSL endpoint for your load balancer to serve to clients, provide a certificate and private key pair for your load balancer.
A load balancer can have multiple and independent SSL endpoints, each identified by its server certificate common name.
Before You Begin
To associate an SSL endpoint, you must provide:
-
An encrypted, PEM-encoded (Privacy-Enhanced Mail) certificate file.
-
A second file containing the private key of your PEM certificate.
Create a Certificate File and Private Key with the openssl Command
You can create both an encrypted, PEM-encoded certificate file and a private key using openssl
.
For example, to create a self-signed certificate and corresponding private key:
-
Enter:
-
When prompted, enter the certificate information.
This command creates two
.pem
files:example-com-crt.pem example-com-private.pem
You upload these
.pem
files in Runtime Manager or pass them on the command line when you add an SSL endpoint to the load balancer.
Alternatively, you can pass a certificate information configuration file to the openssl
command using the -config
option.
For example, this certificate configuration file named example-com.cfg
defines the DNS domain example.com
that includes some SANs (Subject Alternate Names) for Mule applications app1.example.com
and app2.example.com
.
[ req ] default_bits = 2048 distinguished_name = req_distinguished_name req_extensions = req_ext prompt = no [ req_distinguished_name ] countryName = US stateOrProvinceName = California localityName = San Francisco organizationName = MuleSoft commonName = example.com [ req_ext ] subjectAltName = @alt_names [alt_names] DNS.1 = app1.example.com DNS.2 = app2.example.com
Run the following command:
openssl req -newkey rsa:2048 -nodes -keyout example-com-private.pem -x509 -days 3000 -out example-com-crt.pem -config example-com.cfg
Create a Wildcard Certificate
You might want to create a wildcard certificate to support subdomain requests, for example, to support example.com
and include app1.example.com
and app2.example.com
, as well as any future subdomain names.
To create a wildcard certificate that maps any subdomain name to example.com
:
-
Create a file that includes this configuration:
[ req ] default_bits = 2048 distinguished_name = req_distinguished_name prompt = no [ req_distinguished_name ] countryName = US stateOrProvinceName = California localityName = San Francisco organizationName = MuleSoft commonName = *.example.com
-
Pass the certificate configuration file in an
openssl
command:openssl req -newkey rsa:2048 -nodes -keyout example-com-private.pem -x509 -days 3000 -out example-com-crt.pem -config example-com.cfg
-
Decrypt the private key using
openssl
:openssl rsa -in example-com-private.pem -out example-com-private-decrypted.pem
Configure Certificates for Production
Typically, in a production environment, your certificate is signed by a valid Certificate Authority (CA). Each SSL endpoint can have multiple CA certificates and CRLs (Certificate Revocation Lists). You must provide each of these certificates in a single encrypted, PEM-encoded file. Ordering is not important for independent CA certificates, but certificates in a chain of trust must be concatenated.