We recently started using new Load Balancers called HAProxy. It was a bit of a learning curve for me as I think of myself as more of a Windows Admin!

We do a lot of hosting so generating an SSL certificate is a common request. Prereqs for this solution are Putty and WinSCP.

1. SSH to HAProxy using putty.

2. Enter the following command to generate the CSR file

openssl req -new -newkey rsa:2048 -sha256 -nodes -keyout yourdomain.key -out yourdomain.csr

3. You will be prompted to enter information about the cert.


4. At this point you might want to check your CSR to make sure you didn’t make any mistakes. I made a typo once and this caused me some issues down the line!

openssl req -text -noout -verify -in  yourdomain.csr


5. Next Cat the contents of the file to screen.

cat yourdomain.csr

cat csr

6. Copy the contents and use this to request a certificate from a Public CA. I used Comodo, but you can use any public CA.

7. Once you have received your certificate back from the CA you need to copy the files to the Load Balancer using WinSCP. Copy the files to your home directory.

8. The next step is to compile all the relevant files into a .pem file. The file needs to contain the Private key, Certificate & the CA Bundle (or individual intermediate & root certs)

It is vital that the pem file has all the required certificates in the correct order. The order is as follows:


(Your Private Key: your_domain_name.key) —



(Your Primary SSL certificate:




(Your Intermediate certificate: DigiCertCA.crt)



(Your Root

certificate: TrustedRoot.crt)


cat yourdomain.key >> yourdomain.pem
cat yourdomain.crt >> yourdomain.pem
cat yourdomain.ca-bundle >> yourdomain.pem
cat pem

9. Check the PEM file is working by running the following command:

openssl verify yourdomain_com.pem

The command should return some information about the cert. If it returns an error you know something is wrong!

10. Next we need to copy the file to following location: /etc/haproxy/certs

sudo mv /home/yourusername/yourdomain.pem /etc/haproxy/certs

11. The final process is to edit the HAProxy config file. We need to a bind a new IP address on port 443 to our certificate .pem file on the Front End of the Load Balancer.

cd /etc/haproxy
ls -lh

You can take a look at the config first to familiarize yourself:

cat haproxy.cfg

For best practice, backup the haproxy.cfg file first so that you can easily restore after an error:

sudo cp haproxy.cfg haproxy{INSERT DATE HERE}.cfg

To restore you can use the same command:

cp haproxy14102015.cfg haproxy.cfg

To edit use vi editor:

sudo vi haproxy.cfg

type i – to insert a line

when finished press ESC then :wq – to save and quit

I inserted the following line:

bind   ssl crt /etc/haproxy/certs/mydomain.pem


Before the changes will take effect you have to restart the HAProxy service. To be safe it’s best to verify your file before you reload or the load balancer might not start!

haproxy -f /etc/haproxy/haproxy.cfg -c


Now we can restart:

sudo service haproxy restart
sudo service haproxy status


At this point I like to back up the haproxy.config file and certificate .pem

You should now be done! Make sure you test the SSL functions as expected:


Useful page with configuration & troubleshooting commands:


We use cookies to give you the best online experience. By agreeing you accept the use of cookies in accordance with our cookie policy.

Privacy Settings saved!
Privacy Settings

When you visit any web site, it may store or retrieve information on your browser, mostly in the form of cookies. Control your personal Cookie Services here.

These cookies are necessary for the website to function and cannot be switched off in our systems.

In order to use this website we use the following technically required cookies
  • wordpress_test_cookie
  • wordpress_logged_in_
  • wordpress_sec

Decline all Services
Accept all Services