Contact Free trial Login

Configure SSL Endpoints and Certificates

A dedicated load balancer must have at least one certificate associated with it. To configure an SSL endpoint for your load balancer to serve to clients, provide a certificate and private key pair for your load balancer.

A load balancer can have multiple and independent SSL endpoints, each identified by its server certificate common name.

Requirements

To associate an SSL endpoint, you must provide:

  • An unencrypted, PEM-encoded (Privacy-Enhanced Mail) certificate file.

  • A second file containing the private key of your PEM certificate.

    The private key file must be passphraseless.

Create a Certificate File and Private Key with the Openssl Command

You can create both an unencrypted, PEM-encoded certificate file and a private key using openssl.

For example, to create a self-signed certificate and corresponding private key:

  1. Enter:

    openssl req -newkey rsa:2048 -nodes -keyout example-com-private.pem -x509 -days 3000 -out example-com-crt.pem
  2. When prompted, enter the certificate information.

Alternatively, you can pass a certificate information configuration file to the openssl command.

For example, this certificate configuration file named example-com.cfg defines the DNS domain example.com that includes some SANs (Subject Alternate Names) for Mule applications app1.example.com and app2.example.com.

[ req ]
default_bits       = 2048
distinguished_name = req_distinguished_name
req_extensions     = req_ext
prompt = no
[ req_distinguished_name ]
countryName                 = US
stateOrProvinceName         = California
localityName               = San Francisco
organizationName           = MuleSoft
commonName                 = example.com

[ req_ext ]
subjectAltName = @alt_names
[alt_names]
DNS.1   = app1.example.com
DNS.2   = app2.example.com

Create a Wildcard Certificate

You might want to create a wildcard certificate to support subdomain requests, for example, to support example.com and include app1.example.com and app2.example.com, as well as any future subdomain names.

To create a wildcard certificate that maps any subdomain name to example.com:

  1. Create a file that includes this configuration:

    [ req ]
    default_bits       = 2048
    distinguished_name = req_distinguished_name
    prompt = no
    [ req_distinguished_name ]
    countryName                 = US
    stateOrProvinceName         = California
    localityName               = San Francisco
    organizationName           = MuleSoft
    commonName                 = *.example.com
  2. Pass the certificate configuration file in an openssl command:

    openssl req -newkey rsa:2048 -nodes -keyout example-com-private.pem -x509 -days 3000 -out example-com-crt.pem -config example-com.cfg
  3. Decrypt the private key using openssl:

    openssl rsa -in example-com-private.pem -out example-com-private-decrypted.pem

Configuring Certificates for Production

Typically, in a production environment, your certificate is signed by a valid Certificate Authority (CA). Each SSL endpoint can have multiple CA certificates and CRLs (Certificate Revocation Lists). You must provide each of these certificates in a single unencrypted, PEM-encoded file. Ordering is not important for independent CA certificates, but certificates in a chain of trust must be concatenated.

We use cookies to make interactions with our websites and services easy and meaningful, to better understand how they are used and to tailor advertising. You can read more and make your cookie choices here. By continuing to use this site you are giving us your consent to do this.