Configure SSL Endpoints and Certificates
A dedicated load balancer must have at least one certificate associated with it. To configure an SSL endpoint for your load balancer to serve to clients, provide a certificate and private key pair for your load balancer.
A load balancer can have multiple and independent SSL endpoints, each identified by its server certificate common name.
To associate an SSL endpoint, you must provide:
An unencrypted, PEM-encoded (Privacy-Enhanced Mail) certificate file.
A second file containing the private key of your PEM certificate.
The private key file must be passphraseless.
You can create both an unencrypted, PEM-encoded certificate file and a private key using the openssl command-line tool.
For example, to create a self-signed certificate and corresponding private key:
openssl req -newkey rsa:2048 -nodes -keyout example-com-private.pem -x509 -days 3000 -out example-com-crt.pem
When prompted, enter the certificate information.
Alternatively, you can pass a certificate information configuration file to the openssl req command.
For example, this certificate configuration file, named example-com.cfg, defines the DNS domain example.com and includes some SANs (Subject Alternative Names) for Mule applications:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
# req_extensions is applied to certificate signing requests only; x509_extensions
# is added so the same section is also applied when -x509 generates a self-signed certificate.
req_extensions = req_ext
x509_extensions = req_ext
prompt = no

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = San Francisco
organizationName = MuleSoft
commonName = example.com

[ req_ext ]
subjectAltName = @alt_names

[ alt_names ]
DNS.1 = app1.example.com
DNS.2 = app2.example.com
You might want to create a wildcard certificate to support subdomain requests, for example, to support example.com and include app2.example.com, as well as any future subdomain names.
To create a wildcard certificate that maps any subdomain name to example.com:
Create a file that includes this configuration:
[ req ]
default_bits = 2048
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
countryName = US
stateOrProvinceName = California
localityName = San Francisco
organizationName = MuleSoft
commonName = *.example.com
Pass the certificate configuration file to the openssl req command with the -config option:
openssl req -newkey rsa:2048 -nodes -keyout example-com-private.pem -x509 -days 3000 -out example-com-crt.pem -config example-com.cfg
Decrypt the private key using the openssl rsa command:
openssl rsa -in example-com-private.pem -out example-com-private-decrypted.pem
Typically, in a production environment, your certificate is signed by a valid Certificate Authority (CA). Each SSL endpoint can have multiple CA certificates and CRLs (Certificate Revocation Lists). You must provide each of these certificates in a single unencrypted, PEM-encoded file. Ordering is not important for independent CA certificates, but certificates in a chain of trust must be concatenated in chain order.
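The following shell script is an added example, not part of the product documentation, that checks the files described above before you upload them: that the private key is passphraseless, that it matches the certificate, that the certificate actually covers a given hostname (via SAN or wildcard), and that a concatenated CA bundle is in chain order. It assumes the openssl command-line tool (1.1.1 or later) is installed; the function names are the example's own.

```shell
# Pre-flight checks for an SSL endpoint's files (added example; assumes openssl on PATH).
set -u

# True if the PEM private key carries no passphrase. An encrypted key shows either
# "BEGIN ENCRYPTED PRIVATE KEY" (PKCS#8) or a "Proc-Type: 4,ENCRYPTED" header.
key_is_passphraseless() {
    ! grep -q 'ENCRYPTED' "$1"
}

# True if the key's public half equals the public key inside the certificate.
# Comparing SubjectPublicKeyInfo blocks works for RSA and EC keys alike.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# True if the certificate is valid for the hostname: openssl checks the SAN list
# (CN only when there is no DNS SAN) and applies client-side wildcard rules.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null | grep -q 'does match'
}

# True if a concatenated PEM bundle lists each certificate before its issuer,
# i.e. leaf, intermediate(s), root. CRL blocks in the file are ignored.
chain_is_ordered() {
    dir=$(mktemp -d); ok=0; i=1
    awk -v d="$dir" -v n=0 '/-----BEGIN CERTIFICATE-----/ { n++ }
                            { print > (d "/" n ".pem") }' "$1"
    n=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$1")
    while [ "$i" -lt "$n" ]; do
        issuer=$(openssl x509 -in "$dir/$i.pem" -noout -issuer)
        subject=$(openssl x509 -in "$dir/$((i + 1)).pem" -noout -subject)
        [ "${issuer#issuer=}" = "${subject#subject=}" ] || { ok=1; break; }
        i=$((i + 1))
    done
    rm -rf "$dir"
    return "$ok"
}

# Runs all checks for CERT KEY HOSTNAME [CA_BUNDLE]; one line per check, non-zero on any failure.
check_endpoint() {
    status=0
    report() { if "$@"; then echo "ok   $*"; else echo "FAIL $*"; status=1; fi; }
    report key_is_passphraseless "$2"
    report key_matches_cert "$1" "$2"
    report cert_covers_host "$1" "$3"
    [ $# -ge 4 ] && report chain_is_ordered "$4"
    return "$status"
}
```

Note that openssl applies the same wildcard rules as browsers: *.example.com matches app1.example.com but not example.com itself, so add the bare domain as a SAN entry if clients connect to it directly.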