PEM file layout for HAProxy

By jgottschlich, 18. April 2017

To use Loadbalancer-as-a-Service with the HAProxy driver and SSL termination, you usually acquire a certificate from a CA.

This results in three files:

  • The secret key you created (PEM format)
  • The certificate itself, usually ending in .crt (PEM format)
  • The intermediate certificates, also called bundle or chain (PEM format)

Now what is the right order to concatenate those files for HAProxy?

The PEM file lists the certificate chain from the bottom up, starting with your own certificate and working towards the root, so:

  1. The Certificate for your domain
  2. The intermediates in ascending order to the Root CA
  3. A Root CA, if any (usually none)
  4. Private Key

If you want to include a private key as well, it apparently does not matter if it’s at the beginning or at the end, but we put it at the end.

So an easy command would be:

cat certificate.crt intermediates.pem private.key > ssl-certs.pem

You can add this file in HAProxy with a line like this, for example in a frontend section:

bind *:443 ssl crt ssl-certs.pem
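
One way to script the concatenation above so that a key belonging to a different certificate is caught before HAProxy loads the file. This is an added example, not part of the original post; it assumes `openssl` and `awk` are installed, and the function names are hypothetical. `make_demo_inputs` creates constructed throwaway files in which the "intermediate" is only a self-signed stand-in.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes openssl and awk.

# build_haproxy_pem CERT INTERMEDIATES KEY OUT
# Writes CERT, INTERMEDIATES, KEY to OUT in that order, but only if KEY
# really is the private key for CERT.
build_haproxy_pem() {
    cert=$1 chain=$2 key=$3 out=$4
    # Public key stored in the certificate vs. the one derived from the key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout) || return 2
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "private key does not match $cert" >&2
        return 1
    fi
    # OUT holds the private key, so create it owner-readable only.
    # "awk 1" copies like cat but also terminates a file that lacks a final
    # newline, so an END line never fuses with the next BEGIN line.
    (umask 077 && rm -f -- "$out" && awk 1 "$cert" "$chain" "$key" > "$out")
}

# Constructed demo inputs: two unrelated key pairs with self-signed
# certificates, named like the files in the text.
make_demo_inputs() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ca.example" \
        -keyout "$d/ca.key" -out "$d/intermediates.pem" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=www.example" \
        -keyout "$d/private.key" -out "$d/certificate.crt" 2>/dev/null
}

# Usage: sh build-pem.sh certificate.crt intermediates.pem private.key ssl-certs.pem
if [ "$#" -eq 4 ]; then
    build_haproxy_pem "$@"
fi
```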
