Generate an HAProxy server certificate for testing

5min
This section covers the following tasks: 
Install haproxy.
Generate a key pair on the Vectera Plus by using pkcs11-tool.
Generate a self-signed certificate for HAProxy by using OpenSSL.
Store a reference to the HSM-stored private key inside a special PEM object with the label PKCS#11 PROVIDER URI. This object is a container for the PKCS #11 URI and contains no keying material.
1 | Install OpenSC
To generate a new key pair on the , use pkcs11-tool, which is included in the OpenSC package available through the default package manager in most Linux distributions.
1
In a terminal, run the following commands to update the package index and install haproxy:
Shell
sudo apt update

sudo apt install opensc
sudo apt update

sudo apt install opensc
﻿
2 | Generate a key pair on the  using pkcs11-tool
1
In a terminal, run the following command:
Shell
pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type rsa:2048 --label "HAProxy" --id "123456" --usage-sign --usage-decrypt --usage-wrap
pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type rsa:2048 --label "HAProxy" --id "123456" --usage-sign --usage-decrypt --usage-wrap
﻿
If you haven't set the FXPKCS11_MODULE environment variable to the location of the FXPKCS11 library file, update the --module parameter to specify the full path to the module (such as /usr/local/bin/fxpkcs11/libfxpkcs11.so).
2
Enter the identity password configured in the fxpkcs11.cfg file when prompted for the User PIN.
If the command succeeds, the keys display in the output, as shown in the following example:
Shell
Key pair generated:
Private Key Object; RSA
  label:      HAProxy
  ID:         123456
  Usage:      decrypt, sign, signRecover, unwrap
  Access:     sensitive, local
Public Key Object; RSA 2048 bits
  label:      HAProxy
  ID:         123456
  Usage:      encrypt, verify, verifyRecover, wrap
  Access:     local
Key pair generated:
Private Key Object; RSA
  label:      HAProxy
  ID:         123456
  Usage:      decrypt, sign, signRecover, unwrap
  Access:     sensitive, local
Public Key Object; RSA 2048 bits
  label:      HAProxy
  ID:         123456
  Usage:      encrypt, verify, verifyRecover, wrap
  Access:     local
﻿
The command creates the following keys:
A private RSA 2048 key with asymmetric decrypt, sign, signRecover, and unwrap usage
A public RSA 2048 key with encrypt, verify, verifyRecover, and wrap usage.
3 | Generate a self-signed certificate for HAProxy by using OpenSSL
Use OpenSSL to perform the following steps to generate a self-signed certificate for HAProxy from the key pair stored on the HSM.
1
In a terminal, run the following command:
Shell
openssl req -new -x509 -provider pkcs11 -key "pkcs11:object=HAProxy;type=private" -out haproxy-cert.pem -subj "/CN=HAProxy" -days 365
openssl req -new -x509 -provider pkcs11 -key "pkcs11:object=HAProxy;type=private" -out haproxy-cert.pem -subj "/CN=HAProxy" -days 365
﻿
If the command is successful, your current directory contains a new file named haproxy-cert.pem.
4 | Create a reference to the HSM-store private key by using the uri2pem.py script
1
Download the uri2pem.py script.
2
Install the asn1crypto dependency, which you need to run the uri2pem.py script.
Shell
sudo apt install python3-asn1crypto
sudo apt install python3-asn1crypto
﻿
3
Run the script with the following command:
Shell
python3 uri2pem.py 'pkcs11:object="HAProxy;type=private'
python3 uri2pem.py 'pkcs11:object="HAProxy;type=private'
﻿
If the script completes without any errors, the special PEM stanza outputs to the terminal in the following format:
Text
-----BEGIN PKCS#11 PROVIDER URI-----
MEcaGVBLQ1MjMTEgUHJvdmlkZXIgVVJJIHYxLjAMKnBrY3MxMTpvYmplY3Q9Im15
X3JzYTIwNDhfa2V5O3R5cGU9cHJpdmF0ZQ==
-----END PKCS#11 PROVIDER URI-----
-----BEGIN PKCS#11 PROVIDER URI-----
MEcaGVBLQ1MjMTEgUHJvdmlkZXIgVVJJIHYxLjAMKnBrY3MxMTpvYmplY3Q9Im15
X3JzYTIwNDhfa2V5O3R5cGU9cHJpdmF0ZQ==
-----END PKCS#11 PROVIDER URI-----
﻿
The preceding stanza decodes to the PKCS #11 URI of the private key stored on the HSM. This object is a container for the PKCS #11 URI and contains no keying material.
4
Copy and paste the PKCS#11 PROVIDER URI output into a new file and name it haproxy-cert.pem.key. Be sure to include the BEGIN and END lines.
﻿
Configure FxPKCS11 as a pkcs11-provider in OpenSSL
Configure HAProxy