10. Load Balancer(Converting URLs from Http to Https) - CloudDarsh/OracleCloud GitHub Wiki
Install Java
The tool we use to generate the details needed to request a certificate is keytool, which ships with Java.
First we have to install this tool –
yum install java
Generate a private key
Make a directory for keytool –
mkdir keytool
Go inside the directory –
cd keytool
Inside this keytool directory, we have to run this command –
keytool -genkey -alias test -keyalg RSA -keysize 2048 -keystore keystore.jks
We then have to give the details it asks for. The alias should be unique for each URL.
Here CN is the Common Name and OU is the Organisational Unit.
Now we have to check the key that was generated, so we run this command,
keytool -list -keystore keystore.jks
If we want more details of this file, we can run the same command in verbose mode
keytool -list -keystore keystore.jks -v
Generate a CSR File
Now the private key is generated. Using this private key we will generate a CSR file, which we have to give to the certificate provider to get the certificate. We have to run this command,
keytool -certreq -keyalg RSA -alias test -file certreq.csr -keystore keystore.jks
We can read this file and copy its contents to Notepad for later use. While copying, take care not to copy the extra spaces; we can use Alt+Ctrl while selecting the content so that the spaces are not copied.
Creating a Certificate
Now we have to go to the certificate provider's website and log in to the account,
Note: Here we are using a free certificate provider for testing purposes; in real deployments we will use other certificate providers.
Here we have to enter the domain name, click on next step
Select the validity of the certificate according to the client’s requirement, click on next step
In the next step we have to paste the CSR which we created,
In the next step, we can select the free plan and click on next step
In the next step we have to verify the domain, so we will select the DNS method to verify it. For this we have to make sure we have a domain account configured and we have purchased a domain.
In this we have to follow the mentioned steps,
Here in the DNS management portal we have to go to DNS Management → Add New Record
Here we have to copy the Name and Point to values, paste them into the Name and Value columns, and click on save.
To double-check, select the Yes option
This will take around 24hrs to get updated. Once it is added, we have to go and verify it on the certification page. Here click on next step
Now we have to click on verify domain
After it is verified, we can see the certificate and we have to download it
Once the certificate is downloaded, we have to unzip it and the certificate will look like this.
In this certificate, we have a certificate path also which will show the hierarchy of certificate
Here in the hierarchy from top to bottom,
- This is called the root certificate. It is the top of the hierarchy, under which all the other certificates are placed.
- This is called the intermediate certificate. It is the certificate from which our certificate is generated.
- This is our URL certificate. Now we have got the certificate.
The next step is to get the key which we generated on our server.
Converting the private key into pem format
The generated key is in jks format and cannot be directly converted into pem format, so we convert it in two steps –
Converting the private key from jks format to p12 format
Run the command,
keytool -importkeystore -srckeystore keystore.jks -destkeystore keystore.p12 -srcstoretype jks -deststoretype pkcs12
We can check that the key in p12 format now shows in the directory
Converting the private key from p12 to pem format
Here we have to run this command,
openssl pkcs12 -nodes -in keystore.p12 -out keystore.pem
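And we can see the key is generated in pem format
We can read the private key with
cat keystore.pem
It will contain the private key as well as the certificate details. Because of the -nodes option the private key in this file is not encrypted, so keep the file readable only by its owner.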
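Added example (not part of the original wiki): since keystore.pem holds both the private key and certificate details, this script writes the key alone to its own owner-only file and checks that it matches the downloaded certificate before it is pasted into the load balancer. The function names and the file names private.key and certificate.crt are assumptions chosen for illustration.

```bash
#!/usr/bin/env bash
# Added example: extract_key, extract_certs, key_matches_cert and prepare_key
# are hypothetical helper names, not part of keytool or openssl.

# Print only the private key block from a combined PEM file, dropping the
# "Bag Attributes" lines and the certificates that the pkcs12 export adds.
extract_key() {
  awk '/-----BEGIN [A-Z ]*PRIVATE KEY-----/{p=1} p{print}
       /-----END [A-Z ]*PRIVATE KEY-----/{p=0}' "$1"
}

# Print only the certificate blocks from a combined PEM file.
extract_certs() {
  awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print}
       /-----END CERTIFICATE-----/{p=0}' "$1"
}

# Succeed only if the key file and the certificate hold the same public key.
# Returns 2 if either file cannot be parsed, 1 if the public keys differ.
key_matches_cert() {  # usage: key_matches_cert <key.pem> <cert.pem>
  _kpub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
  _cpub=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ -n "$_kpub" ] && [ "$_kpub" = "$_cpub" ]
}

# Write the key alone to <out>, readable by the owner only, then confirm it
# belongs to the downloaded certificate before anything is pasted anywhere.
prepare_key() {  # usage: prepare_key <keystore.pem> <out.key> <cert.pem>
  ( umask 077; extract_key "$1" > "$2" ) && chmod 600 "$2" || return 2
  [ -s "$2" ] || { echo "no private key found in $1" >&2; return 2; }
  key_matches_cert "$2" "$3" || { echo "key does not match $3" >&2; return 1; }
  echo "OK: $2 matches $3"
}

# Example call (file names are assumptions for the files on disk):
#   prepare_key keystore.pem private.key certificate.crt
```

A mismatch here usually means the CSR was generated from a different alias or keystore than the one that was exported.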
Import the Certificate into Load Balancer
First we have to open the certificate and ca_bundle in Notepad, and paste the private key into Notepad as well, for use in the next step. Now we have to go inside the load balancer → Certificates → in Certificate Resource select Load balancer managed certificate → Add Certificate
Here we have to give the name of the certificate (the same as the domain name we gave while creating the private key) so that it will be easy to remember. We also have to paste in the certificate details and ca_bundle details which we opened in Notepad, and the private key which we copied into Notepad.
After adding all these details, click on add certificate and it will be added
Now we have to go into Load balancer → Listeners → Edit Listener (from the three dots) → change the protocol from HTTP to HTTPS → change the port from 80 to 443 → Certificate Resource → Load balancer managed certificate → select the certificate name → Save.
We can see that HTTPS protocol is added in the listener
Now the load balancer listener will work on HTTPS URLs. Now when we try to open the load balancer URL over HTTPS,
It opens using HTTPS (this ‘not secure’ error is because we have used a free certificate).
Converting the IP into URL(Mapping a name to our IP)
Now we have to convert our IP to a URL name. We have to go into DNS management → Add New Record → Save → Yes.
Now we can try to open the load balancer URL with the name URL,