> ## Documentation Index
> Fetch the complete documentation index at: https://docs.futurex.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Generate an HAProxy server certificate for testing

> Step-by-step guide to generate a self-signed HAProxy server certificate using OpenSC and HSM.

This section covers the following tasks:

1. Install **haproxy**.
2. Generate a key pair on the Vectera Plus by using **pkcs11-tool**.
3. Generate a self-signed certificate for HAProxy by using OpenSSL.
4. Store a reference to the HSM-stored private key inside a special PEM object with the label `PKCS#11 PROVIDER URI`. This object is a container for the PKCS #11 URI and contains no keying material.

## Install OpenSC

To generate a new key pair on the Vectera Plus, use **pkcs11-tool**, which is included in the [**OpenSC**](https://github.com/OpenSC/OpenSC) package available through the default package manager in most Linux distributions.

In a terminal, run the following commands to update the package index and install **haproxy**:

```shell expandable lines wrap title="Shell" theme={null}
sudo apt update

sudo apt install opensc
```

## Generate a key pair

Perform the following steps to generate a key pair on the Vectera Plus using **pkcs11-tool**:

<Steps>
  <Step>
    In a terminal, run the following command:

    ```shell expandable lines wrap title="Shell" theme={null}
    pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type rsa:2048 --label "HAProxy" --id "123456" --usage-sign --usage-decrypt --usage-wrap
    ```

    <Note>
      If you haven't set the `FXPKCS11_MODULE` environment variable to the location of the FXPKCS11 library file, update the `--module` parameter to specify the full path to the module (such as `/usr/local/bin/fxpkcs11/libfxpkcs11.so`).
    </Note>
  </Step>

  <Step>
    Enter the identity password configured in the `fxpkcs11.cfg` file when prompted for the User PIN.

    <Check>
      If the command succeeds, the keys display in the output, as shown in the following example:

      ```shell expandable lines wrap title="Shell" theme={null}
      Key pair generated:
      Private Key Object; RSA
        label:      HAProxy
        ID:         123456
        Usage:      decrypt, sign, signRecover, unwrap
        Access:     sensitive, local
      Public Key Object; RSA 2048 bits
        label:      HAProxy
        ID:         123456
        Usage:      encrypt, verify, verifyRecover, wrap
        Access:     local
      ```

      The command creates the following keys:

      * A private RSA 2048 key with asymmetric decrypt, sign, signRecover, and unwrap usage
      * A public RSA 2048 key with encrypt, verify, verifyRecover, and wrap usage.
    </Check>
  </Step>
</Steps>

## 3 | Generate a self-signed certificate

Use OpenSSL to perform the following steps to use OpenSSL to generate a self-signed certificate for HAProxy from the key pair stored on the HSM.

<Steps>
  <Step>
    In a terminal, run the following command:

    ```shell expandable lines wrap title="Shell" theme={null}
    openssl req -new -x509 -provider pkcs11 -key "pkcs11:object=HAProxy;type=private" -out haproxy-cert.pem -subj "/CN=HAProxy" -days 365
    ```

    <Check>
      If the command is successful, your current directory contains a new file named `haproxy-cert.pem`.
    </Check>
  </Step>
</Steps>

## Create a reference to the private key

Perform the following steps to create a reference to the HSM-store private key by using the `uri2pem.py` script:

<Steps>
  <Step>
    Download the `uri2pem.py` script ([**gist.github.com/space88man/22ef88c506fc84ae5f333ee7268e0e14**](https://gist.github.com/space88man/22ef88c506fc84ae5f333ee7268e0e14)).
  </Step>

  <Step>
    Install the **asn1crypto** dependency, which you need to run the `uri2pem.py` script.

    ```shell expandable lines wrap title="Shell" theme={null}
    sudo apt install python3-asn1crypto
    ```
  </Step>

  <Step>
    Run the script with the following command:

    ```shell expandable lines wrap title="Shell" theme={null}
    python3 uri2pem.py 'pkcs11:object="HAProxy;type=private'
    ```

    <Check>
      If the script completes without any errors, the special PEM stanza outputs to the terminal in the following format:

      ```none expandable lines wrap title="None" theme={null}
      -----BEGIN PKCS#11 PROVIDER URI-----
      MEcaGVBLQ1MjMTEgUHJvdmlkZXIgVVJJIHYxLjAMKnBrY3MxMTpvYmplY3Q9Im15
      X3JzYTIwNDhfa2V5O3R5cGU9cHJpdmF0ZQ==
      -----END PKCS#11 PROVIDER URI-----
      ```
    </Check>

    <Note>
      The preceding stanza decodes to the PKCS #11 URI of the private key stored on the HSM. This object is a container for the PKCS #11 URI and contains no keying material.
    </Note>
  </Step>

  <Step>
    Copy and paste the `PKCS#11 PROVIDER URI` output into a new file and name it `haproxy-cert.pem.key`. Be sure to include the **BEGIN** and **END** lines.
  </Step>
</Steps>
