
Export JSS Cert to be used by HAproxy

  • October 29, 2018

HAProxy needs a .pem format. JSS uses the Java Keystore format. How do I convert from one to the other so I can get SSL termination working with HAProxy?

I tried using the JAMF "CA Backup" in JSS, which downloads a .p12 file, and then converting that, but HAProxy won't load it.

Best answer by lehmanp00

  • November 27, 2018

We got this working and I wanted to give an overview in case others are looking for the same info:

Generate a private key on your load balancer (LB). We are using HAProxy with openssl. (openssl genrsa -out /location of.key 2048)

Generate a CSR from your LB. We used a wildcard for the FQDN (*.domain.com). (openssl req -new -key /location of private.key -out /location of .csr)

cat the .csr and copy all the text, then visit https://JSSPrimary/pkiCertificateAuthorities.html, click the Create Certificate from CSR button, paste into the text box, and choose web certificate. This should generate a .pem file.

Copy the .pem file to the LB.

Then concatenate the generated pem and the HAProxy private key as below:
cat /location of .pem /location of .key > /location of new .pem

You can now add the new .pem file to your LB config for use. (In HAProxy it is in /etc/haproxy/haproxy.cfg.)

frontend localhost
    bind *:8443 ssl crt /location of new.pem
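
The concatenation step from the answer above, written as an added example that is not part of the original post: it confirms the issued certificate belongs to the load balancer's private key before building the combined file, and creates that file readable only by its owner. The function names and the lb.key / lb.crt file names are assumptions; the self-signed certificate in make_sample_pair is constructed test material standing in for the one the JSS CA issues.

```shell
#!/bin/sh
# Added example: build the combined PEM for HAProxy's "crt" option, but only
# after confirming the certificate matches the load balancer's private key.

# Print the public key (PEM) embedded in a certificate / derived from a key.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey; }
pubkey_of_key()  { openssl pkey -in "$1" -pubout; }

# build_haproxy_pem CERT KEY OUT
# Returns 0 and writes OUT (mode 600) when CERT and KEY are a pair;
# returns 1 and writes nothing otherwise.
build_haproxy_pem() {
    cert=$1 key=$2 out=$3
    cert_pub=$(pubkey_of_cert "$cert" 2>/dev/null) ||
        { echo "cannot read certificate: $cert" >&2; return 1; }
    key_pub=$(pubkey_of_key "$key" 2>/dev/null) ||
        { echo "cannot read private key: $key" >&2; return 1; }
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate does not match private key" >&2
        return 1
    fi
    # The output contains the private key: remove any stale copy and
    # create the new file with no access for group or other users.
    rm -f "$out"
    ( umask 077 && cat "$cert" "$key" > "$out" )
}

# make_sample_pair DIR: constructed sample input only. Generates a throwaway
# key and a self-signed certificate in DIR as lb.key and lb.crt.
make_sample_pair() {
    openssl genrsa -out "$1/lb.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/lb.key" -subj "/CN=*.example.test" \
        -days 1 -out "$1/lb.crt" 2>/dev/null
}
```

Running haproxy -c -f /etc/haproxy/haproxy.cfg after pointing the bind line at the new file checks that HAProxy can parse the configuration and load the certificate before you reload the service.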