Multi-certificate SSL for HAProxy


Some applications require multiple SSL certificates to function (for example if they serve multiple domains). To configure HAproxy as a termination point for multiple certificates, follow the steps below. Remember to replace placeholder (e.g. websitename) with your own values.

This guide assumes you are familiar with Cloud 66 Toolbelt. If you aren’t we have a quick guide to get you up and running.

1. Concatenate the certificate files

Run the following command on your local machine:

cat CERT1.CRT_PATH [CERT1_MID.crt_path] PRIVATE1.key_PATH > websitename1.pem

cat CERT2.CRT_PATH [CERT2_MID.crt_PATH] PRIVATE2.key_PATH > websitename2.pem

2. Upload them to /tmp on the server

cx upload -s app_name --server haproxy_server_name websitename1.pem_PATH websitename1.pem
cx upload -s app_name --server haproxy_server_name websitename2.pem_PATH websitename2.pem

3. Log into your HAproxy server

cx ssh -s app_name haproxy_server_name

4. Copy the cert files from /tmp to their directory

sudo cp /tmp/websitename1.pem /etc/ssl/private/websitename1.pem
sudo cp /tmp/websitename2.pem /etc/ssl/private/websitename2.pem

5. Change the settings in your HAproxy config

In the UI Find the following line in your HAproxy config page:

bind ssl crt

and change it to:

bind ssl crt websitename1.pem crt websitename2.pem


Make sure websitename1.pem and websitename2.pem are the same names as the filenames you have under /etc/ssl/private/.