Export JSS Cert to be used by HAproxy

lehmanp00
Contributor III

HAProxy needs a .pem format. JSS uses the Java Keystore format. How do I convert from one to the other so I can get SSL Termination working with HAProxy?

I tried using the JAMF "CA Backup" in JSS. That downloads a .p12 file, and I then tried converting that, but HAProxy won't load it.

1 ACCEPTED SOLUTION

lehmanp00
Contributor III

We got this working and I wanted to give an overview in case others are looking for the same info:

Generate a private Key on your LoadBalancer (LB). We are using HAProxy with openssl. (openssl genrsa -out /location of.key 2048)

Generate a CSR from your LB. We used a wildcard for the FQDN (*.domain.com). (openssl req -new -key /location of private.key -out /location of .csr)

cat the .csr and copy all text, then visit: https://JSSPrimary/pkiCertificateAuthorities.html, click Create Certificate from CSR button, paste into textbox, choose web certificate, should generate a .pem file.

Copy the .pem file to the LB.

Then concatenate the generated pem and the haproxy private key below:
cat /location of .pem /location of .key > /location of new .pem

You can now add the new .pem file to your LB config for use. (in HAProxy it is in /etc/haproxy/haproxy.cfg)
frontend localhost
    bind *:8443 ssl crt /location of new.pem
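
The steps in the accepted solution, as an added shell example that is not part of the original post. A throwaway CA created with openssl stands in for the JSS "Create Certificate from CSR" step, and all file names are hypothetical. The script refuses to build the combined file when the certificate does not match the private key, and keeps the result readable by its owner only.

```shell
#!/bin/sh
# Added example. File names are hypothetical; the throwaway CA below is a
# constructed stand-in for the JSS "Create Certificate from CSR" step.

# make_demo_inputs DIR: create lb.key, lb.csr and a signed lb.pem in DIR.
make_demo_inputs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=Demo CA" -days 1 \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null &&
    openssl genrsa -out "$d/lb.key" 2048 2>/dev/null &&
    openssl req -new -key "$d/lb.key" -subj "/CN=*.domain.com" \
        -out "$d/lb.csr" &&
    openssl x509 -req -in "$d/lb.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/lb.pem" 2>/dev/null
}

# build_haproxy_pem CERT KEY OUT: write CERT followed by KEY to OUT, but only
# if the certificate was issued for that private key.
build_haproxy_pem() {
    cert=$1; key=$2; out=$3
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "certificate does not match private key; $out not written" >&2
        return 1
    fi
    # The combined file holds the private key, so keep it owner-only.
    ( umask 077; cat "$cert" "$key" > "$out" ) && chmod 600 "$out"
}

# Demo run on constructed inputs in a temporary directory.
tmp=$(mktemp -d)
if make_demo_inputs "$tmp" &&
   build_haproxy_pem "$tmp/lb.pem" "$tmp/lb.key" "$tmp/haproxy.pem"; then
    openssl x509 -in "$tmp/haproxy.pem" -noout -subject
fi
rm -rf "$tmp"
```

After pointing the bind line at the combined file, haproxy -c -f /etc/haproxy/haproxy.cfg checks that HAProxy can parse the configuration and load the certificate before you reload the service.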
