Generate an HAProxy server certificate for testing

This section covers the following tasks:

- Install OpenSC.
- Generate a key pair on the Vectera Plus by using pkcs11-tool.
- Generate a self-signed certificate for HAProxy by using OpenSSL.
- Store a reference to the HSM-stored private key inside a special PEM object with the label PKCS#11 PROVIDER URI. This object is a container for the PKCS #11 URI and contains no keying material.

1. Install OpenSC

To generate a new key pair on the Vectera Plus, use pkcs11-tool, which is included in the OpenSC package available through the default package manager in most Linux distributions. In a terminal, run the following commands to update the package index and install OpenSC:

    sudo apt update
    sudo apt install opensc

2. Generate a key pair on the Vectera Plus using pkcs11-tool

In a terminal, run the following command:

    pkcs11-tool --module $FXPKCS11_MODULE --login --keypairgen --key-type rsa:2048 --label "haproxy" --id "123456" --usage-sign --usage-decrypt --usage-wrap

If you haven't set the FXPKCS11_MODULE environment variable to the location of the FXPKCS11 library file, update the --module parameter to specify the full path to the module (such as /usr/local/bin/fxpkcs11/libfxpkcs11.so). Enter the identity password configured in the fxpkcs11.cfg file when prompted for the user PIN.

If the command succeeds, the keys display in the output, as shown in the following example:

    Key pair generated:
    Private Key Object; RSA
      label:      haproxy
      ID:         123456
      Usage:      decrypt, sign, signRecover, unwrap
      Access:     sensitive, local
    Public Key Object; RSA 2048 bits
      label:      haproxy
      ID:         123456
      Usage:      encrypt, verify, verifyRecover, wrap
      Access:     local

The command creates the following keys:

- A private RSA 2048 key with asymmetric decrypt, sign, signRecover, and unwrap usage.
- A public RSA 2048 key with encrypt, verify, verifyRecover, and wrap usage.

3. Generate a self-signed certificate for HAProxy by using OpenSSL

Use OpenSSL to generate a self-signed certificate for HAProxy from the key pair stored on the HSM. In a terminal, run the following command:

    openssl req -new -x509 -provider pkcs11 -key "pkcs11:object=haproxy;type=private" -out haproxy-cert.pem -subj "/CN=haproxy" -days 365

If the command is successful, your current directory contains a new file named haproxy-cert.pem.

4. Create a reference to the HSM-stored private key by using the uri2pem.py script

Download the uri2pem.py script.

Install the asn1crypto dependency, which you need to run the uri2pem.py script:

    sudo apt install python3-asn1crypto

Run the script with the following command:

    python3 uri2pem.py 'pkcs11:object=haproxy;type=private'

If the script completes without any errors, the special PEM stanza is output to the terminal in the following format:

    -----BEGIN PKCS#11 PROVIDER URI-----
    MEcMGVBLQ1MjMTEgUHJvdmlkZXIgVVJJIHYxLjAMKnBrY3MxMTpvYmplY3Q9Im15
    X3JzYTIwNDhfa2V5O3R5cGU9cHJpdmF0ZQ==
    -----END PKCS#11 PROVIDER URI-----

The preceding stanza decodes to the PKCS #11 URI of the private key stored on the HSM. This object is a container for the PKCS #11 URI and contains no keying material.

Copy and paste the PKCS#11 PROVIDER URI output into a new file and name it haproxy-cert.pem.key. Be sure to include the BEGIN and END lines.
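The following is an added example (not Futurex's documentation code and not the uri2pem.py script itself) that shows what the PKCS#11 PROVIDER URI container actually holds, so you can verify a haproxy-cert.pem.key file before deploying it. It uses only the Python standard library and hand-encodes the same DER layout the stanza above decodes to: a SEQUENCE of two UTF8Strings, a fixed descriptor string followed by the PKCS #11 URI. The stanza embedded as PAGE_STANZA is the example output shown above; decoding it is a useful sanity check, and note that it references an object label other than haproxy, so always generate your own stanza from your own URI rather than copying the sample. The function names and the key-material check are this example's own.

```python
import base64
import re
from urllib.parse import unquote

# PEM label and descriptor string used by the pkcs11-provider container format.
PEM_LABEL = "PKCS#11 PROVIDER URI"
DESCRIPTOR = "PKCS#11 Provider URI v1.0"

# The sample stanza printed by uri2pem.py in the page above (a URI reference, not a key).
PAGE_STANZA = """-----BEGIN PKCS#11 PROVIDER URI-----
MEcMGVBLQ1MjMTEgUHJvdmlkZXIgVVJJIHYxLjAMKnBrY3MxMTpvYmplY3Q9Im15
X3JzYTIwNDhfa2V5O3R5cGU9cHJpdmF0ZQ==
-----END PKCS#11 PROVIDER URI-----
"""


def _der_length(n: int) -> bytes:
    """Encode a DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_utf8string(text: str) -> bytes:
    data = text.encode("utf-8")
    return b"\x0c" + _der_length(len(data)) + data  # tag 0x0C = UTF8String


def _der_sequence(*items: bytes) -> bytes:
    body = b"".join(items)
    return b"\x30" + _der_length(len(body)) + body  # tag 0x30 = SEQUENCE


def uri_to_pem(uri: str) -> str:
    """Wrap a PKCS#11 URI in the PEM container that the pkcs11 provider loads."""
    der = _der_sequence(_der_utf8string(DESCRIPTOR), _der_utf8string(uri))
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]  # standard 64-column PEM body
    return "\n".join([f"-----BEGIN {PEM_LABEL}-----", *lines, f"-----END {PEM_LABEL}-----"]) + "\n"


def _read_tlv(buf: bytes, pos: int, tag: int) -> tuple[bytes, int]:
    """Read one DER TLV with the expected tag; return (value, position after it)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag 0x{tag:02x} at offset {pos}")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of data")
    return buf[pos:pos + length], pos + length


def pem_to_uri(pem_text: str) -> tuple[str, str]:
    """Decode the container back into (descriptor, uri), rejecting malformed input."""
    pattern = rf"-----BEGIN {re.escape(PEM_LABEL)}-----(.*?)-----END {re.escape(PEM_LABEL)}-----"
    m = re.search(pattern, pem_text, re.S)
    if not m:
        raise ValueError("no PKCS#11 PROVIDER URI stanza found")
    der = base64.b64decode("".join(m.group(1).split()), validate=True)
    seq, end = _read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing data after SEQUENCE")
    desc, pos = _read_tlv(seq, 0, 0x0C)
    uri, pos = _read_tlv(seq, pos, 0x0C)
    if pos != len(seq):
        raise ValueError("unexpected extra fields in SEQUENCE")
    return desc.decode("utf-8"), uri.decode("utf-8")


def parse_pkcs11_uri(uri: str) -> dict[str, str]:
    """Split an RFC 7512 URI into percent-decoded path (;) and query (&) attributes."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs: dict[str, str] = {}
    for part in [p for p in path.split(";") if p] + [q for q in query.split("&") if q]:
        key, _, value = part.partition("=")
        attrs[key] = unquote(value)
    return attrs


def contains_key_material(pem_text: str) -> bool:
    """True if the file carries a real private-key block instead of only a URI reference."""
    return bool(re.search(r"-----BEGIN [A-Z ]*PRIVATE KEY-----", pem_text))


if __name__ == "__main__":
    pem = uri_to_pem("pkcs11:object=haproxy;type=private")
    print(pem)
    print("round trip:", pem_to_uri(pem))
    print("page stanza:", pem_to_uri(PAGE_STANZA))
    print("attributes:", parse_pkcs11_uri(pem_to_uri(PAGE_STANZA)[1]))
```

Run it against your own haproxy-cert.pem.key: the decoded URI should name the object label you passed to pkcs11-tool, the descriptor should match, and contains_key_material should be False, which is exactly why this file can be stored with the certificate without exposing the private key.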