API
Edge Cloud
Edge Cloud
Overview
Overview
Activate and manage you eSIMGetting online in China
Troubleshooting
Account types and permissionsPackagesQuality of Service
Billing
Quotas
Create a project
User rolesAdd a userManage accessView user actions
Cost reports
About Resource reservation
Types of Virtual MachinesCreateCustomize initial setupCheck the statusEnable root user
Connect via Customer Portal
Configure and manage SSH keysConvert an SSH key to PPK formatEstablish SSH connection to a Virtual Machine
OverviewConfigure
OverviewCreate and configure
Monitor
Take a snapshot of your file systemSet up automatic snapshots
SSH connection
About Bare Metal serversTypes of Bare Metal serversCreate a Bare Metal serverConnect to your Bare Metal server via SSH
SSH connection
About Advanced DDoS Protection for Bare MetalActivate Advanced DDoS Protection for Bare Metal
OverviewUpload
NetworkSubnetworkRouter
Floating IP addressReserved IP addressVirtual IP addressDifference between virtual, floating, and reserved IP addressesAllowed address pair
Create Load BalancerAdd TLS certificates to a Load BalancerConfigure mutual TLS authenticationManage Load BalancersLoggingAnnotations
Firewall
OverviewConfigure
OverviewBare Metal support
Create
SSH connectionkubectl
Secure cluster with OpenID Connect
OverviewChange limitsCreate and configure a poolAdvanced autoscaler settingsConfigure GPU autoscaling for Kubernetes
Add users with limited rights to a Kubernetes cluster
Monitor load on a specific node
OverviewInstall nginx ControllerUse nginx Controller
Create a PVC and bind it to a podConfigure NFS CSI driver for Kubernetes
Annotations for Load Balancers
Manage PostgreSQL serversBackup and restore
Upload a PKCS12 file
Function as a ServiceAuthenticate to functions with API keysFunction examples
Create a containerDeploy via GitHub actionsManage containers
Create a Container RegistryManage Container Registries
OverviewConfigure
FilebeatFluent BitFluentdLogstash
Prometheus exporterView logs in Grafana with OpenSearch plugin
TerraformAnsible
Set up a mailing server
API
Chosen image
Home/Edge Cloud/Secrets Manager/Upload a PKCS12 file

Configure Secrets for HTTPS Load Balancer

Secrets Manager is a dedicated tab where you can manage SSL/TLS secrets required to create Load Balancers with HTTPS listeners. Depending on your setup, you can either upload a PKCS12 file or add certificate details manually.

Upload a PKCS12 File

If you already have a PKCS12 file containing your SSL/TLS certificate, certificate chain, and private key, you can quickly upload it to the Secrets Manager.

To upload a secret as a PKCS12 file:

  1. In the Gcore Customer Portal, navigate to Cloud.

  2. Open the Secrets Manager page.

  3. Click Create Secret.

Upload a PKCS12 file
  1. Enable Upload as PKCS12 file.
Enable Upload as PKCS12 file

  1. Enter a name for your secret and choose your file.

  2. Click Save.

Add certificates directly

If you don't have a PKCS12 file or prefer to add the certificate details individually, you can enter them directly in the Secrets Manager.

To add a secret manually:

  1. In the Gcore Customer Portal, navigate to Cloud.

  2. Open the Secrets Manager page.

  3. Click Create Secret.

Add certificates directly

  1. In the form that opens, fill in the following fields:

    • Enter a name for your secret.
    • Paste the content of your private key file.
    • Paste the content of your main SSL/TLS certificate file.
    • If required, paste the content of the certificate chain file. This should include root and intermediate certificates in the correct order.

  2. Click Save.

Create a PKCS12 file

PKCS12 (Public-Key Cryptography Standards) is a binary format for storing SSL/TLS certificate, certificate chain, and private key in one encrypted file.

Basically, you "pack" the main SSL/TLS certificate, the certificate chain, and the private key into the PKCS12 file to transfer them easily. Each element is essential for establishing an HTTPS connection:

  • The main certificate is a digital signature of the site, which confirms that the resource actually belongs to you and not to criminals who impersonate you.
  • The certificate chain is information about the CAs (certificate authorities) that participated in the issuance of your certificate and confirm its authenticity.
  • The private key is a unique set of letters and numbers (key), using which the cryptographic algorithm will encrypt all data exchanged between the resource and a user.

After receiving the PKCS12 file, our system will be able to open an HTTPS connection. You only need to put the files associated with the certificate in base64 encoded PKCS12 file and upload it to the Secrets Manager.

1. Prepare certificate files

You need the SSL/TLS certificate for the domain, the chain of certificates, and the private key. The domain must be configured with a DNS A record with the virtual IP address of the Load Balancer (the IP is specified in the Load Balancers tab). If you are using our DNS zone, you can create an A record according to the instructions. Your domain will send requests to the IP of the balancer and it will distribute them among the machines.

CA does not always send a client a chain of certificates along with the main certificate — sometimes it only sends the main one, because often it is enough for browsers to confirm the domain name. In this case, you can get the certificate chain yourself:

  1. Download the root and intermediate certificates from the site of the CA that issued you the certificate.
  2. Create the file in any text editor.
  3. Inside the created file, place the contents of the certificates in the following order: root certificate, then intermediate certificates in order, the certificate for the domain in the end. Like this:
  • Content of the root certificate (for example, CARoot.crt)
  • Content of the intermediate certificate no. 1 (for example, Intermediate1.crt)
  • Content of the intermediate certificate no. 2 (for example, Intermediate2.crt)
  • Content of the certificate for the domain (for example, domain.crt)

2. Merge certificate files into PKCS12

Now you have all the files needed. There are several ways to merge them into PKCS12 format. Below we describe a common case — creating PKCS12 from PEM files.

1. Install OpenSSL. This is a library containing tools for working with SSL/TLS protocols. You can find installation links and instructions for working with OpenSSL on its official website. 2. Check if your certificate files are in PEM format. Such files must have the extension .pem, .crt, .cer or .key, begin with the line ----- BEGIN CERTIFICATE ----- and end with the line ----- END CERTIFICATE -----. To see the beginning and the end of a file, open it in a text editor. 3. If some files are not in PEM, convert them using OpenSSL. Enter the command in OpenSSL, replacing the text in square brackets with your names:

For a .crt, .cer or .der file

openssl x509 - inform der - in [name of your file, including extension] - out [name for the future generated PEM file].pem

If your file is named "example.der" and you want to name the new PEM file "PEMcertificate", then the command would be: openssl x509 -inform der -in example.der -out PEMcertificate.pem

For a .p7b or .p7c file

openssl pkcs7 -print_certs -in [name of your file, including extension] -out [name for the future generated PEM file].cer

If your file is named "example.pb7" and you want to name the new PEM file "PEMcertificate", then the command would be: 

openssl pkcs7 -print_certs -in example.pb7 -out PEMcertificate.cer

4. Place the main certificate, key, and intermediate certificate chain (three PEM files in total) in the current directory.

5. To merge files into PKCS12, open OpenSSL and enter the command:

openssl pkcs12 -export -inkey [name of the file with the private key, including the extension] -in [name of the file with the certificate, including the extension] -certfile [name of the file with the certificate chain, including the extension] -passout pass: -out [name for the future created file].p12

If your files are server.crt (main certificate), server.key (private key) and ca-chain.crt (certificate chain), and you want to name the new PKCS 12 file "server", then the command would be: 

openssl pkcs12 -export -inkey server.key -in server.crt -certfile ca-chain.crt -passout pass: -out server.p12

As a result, you will merge the key, certificate, and intermediate certificate chain into one PKCS12 file.

3. Base64 encode

Encode the contents of PKCS12 file to base64. This can be done by entering the command in the console:

For Windows OS

certutil.exe -encode [full path to PKCS12 file] [new file name].b64

If the path to your file is "C:\Users\Myname\server.p12" and you want to name the new file "code64", then the command will be: certutil.exe -encode C:\Users\Myname\server.p12 code64.b64

A new base64 encoded file will be created. Open it in a text editor and delete the first and the last lines: ----- BEGIN CERTIFICATE ----- and ----- END CERTIFICATE -----. They are generated automatically and you don't need them. The rest of the text will be the content of the Secret.

For Mac OS

openssl base64 -in [full path to PKCS12 file] -out [new file name].txt

If the path to your file is "Users/admin/Downloads/server.p12" and you want to name the new file "code64", then the command will be: openssl base64 -in Users/admin/Downloads/server.p12 -out code64.txt

A new .txt file will be created with the base64 encoded contents of the PKCS12 file. This is the content of the Secret.

For Linux (must be executed in the directory of PKCS12 file)

base64 [PKCS12 file name] > [new file name]

If your file is named "server.p12" and you want to name the new file "code64" then the command will be: base64 server.p12 > code64

A new code64 file with the contents of the base64 encoded PKCS12 file will be created. This is the content of the Secret. The file can be opened using the command: nano code64.

How to create a Load Balancer with an HTTPS Listener

You cannot delete a secret that is currently used by a Load Balancer’s listener. To remove a secret, first delete the associated listener, then remove the secret. If needed, recreate the listener afterward.

For detailed instructions on configuring a Load Balancer with an HTTPS listener, including adding TLS certificates, refer to the documentation on adding TLS certificates to a Load Balancer.

Was this article helpful?

Not a Gcore user yet?

Discover our offerings, including virtual instances starting from 3.7 euro/mo, bare metal servers, AI Infrastructure, load balancers, Managed Kubernetes, Function as a Service, and Centralized Logging solutions.

Go to the product page
Edit on GitHub