HashiCorp Boundary uses TLS to secure all control and data plane traffic. By default, it can generate self-signed certificates, but production deployments should integrate with OpenSSL to create valid certificates signed by a trusted CA. This ensures clients verify the controller and workers without manual trust exceptions.
To configure Boundary with OpenSSL, start by generating a private key:
openssl genrsa -out boundary.key 2048
Then create a certificate signing request (CSR):
openssl req -new -key boundary.key -out boundary.csr -addext "subjectAltName=DNS:boundary.example.com"
Put the DNS name that clients use to reach your Boundary endpoint in the Subject Alternative Name (SAN), and set a matching Common Name (CN) as well. Do not rely on the CN alone: modern TLS clients, including Go-based ones such as the Boundary CLI and workers, ignore it for hostname matching and reject a certificate that carries no SAN. Once the CSR is ready, sign it with your CA or your enterprise PKI, copying the SAN from the request into the certificate (-addext needs OpenSSL 1.1.1 or later and -copy_extensions needs OpenSSL 3.0 or later; on older releases supply the same subjectAltName through -extfile instead):
openssl x509 -req -in boundary.csr -CA ca.crt -CAkey ca.key -CAcreateserial -out boundary.crt -days 365 -sha256 -copy_extensions copy
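Why the SAN matters, as an added example that is not part of the original article: Boundary and its CLI are written in Go, and this program reproduces the check a Go TLS client performs against a CA-signed server certificate. It builds a constructed throwaway CA, issues a certificate with CN=host and whatever SAN entries you pass, and returns the verification error a client trusting only that CA would see; VerifyAsGoClient, issue and the CA name are names chosen here, not Boundary's.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue generates an Ed25519 key pair and signs tmpl under parent; a nil parent means self-signed (the CA).
func issue(tmpl, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, error) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// VerifyAsGoClient builds a constructed CA and a server certificate with CN=host and the given SAN
// entries (none when sans is empty), then runs the chain and hostname check a Go TLS client performs.
func VerifyAsGoClient(host string, sans ...string) error {
	nb, na := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	ca, caKey, err := issue(&x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: nb, NotAfter: na,
		Subject: pkix.Name{CommonName: "Constructed Test CA"}, IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}, nil, nil)
	if err != nil {
		return err
	}
	// DNSNames is what -addext "subjectAltName=DNS:..." puts in the CSR; a CN alone yields no SAN extension.
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: nb, NotAfter: na, DNSNames: sans,
		Subject: pkix.Name{CommonName: host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	signed, _, err := issue(leaf, ca, caKey)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca) // the client trusts ca.crt and nothing else
	_, err = signed.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}
```

VerifyAsGoClient("boundary.example.com") with no SAN returns Go's "certificate relies on legacy Common Name field, use SANs instead" error, while adding the hostname (or a matching wildcard such as *.example.com) as a SAN returns nil.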
Update your Boundary configuration file with the paths to boundary.crt and boundary.key. For the controller, this is set under the listener "tcp" block:
listener "tcp" {
  address       = "0.0.0.0:9200"
  purpose       = "api"
  tls_cert_file = "/etc/boundary/ssl/boundary.crt"
  tls_key_file  = "/etc/boundary/ssl/boundary.key"
}
Restart the Boundary service to apply the change. Verify with openssl s_client -connect boundary.example.com:9200 -servername boundary.example.com -CAfile ca.crt and confirm that the output shows the full certificate chain and reports Verify return code: 0 (ok); any other return code means clients will refuse the connection. Drop -CAfile if your CA is already in the system trust store.
Using OpenSSL with HashiCorp Boundary gives you full control over certificate parameters, expiration dates, and cipher suites. This closes security gaps, avoids browser warnings, and meets compliance standards. It also reduces friction for automation scripts and service accounts connecting to Boundary-secured resources.
Set it up once, test with a staging certificate, then roll the same pattern across your controllers and workers. Trust in your TLS layer makes every Boundary session safer.
See it live in minutes—build and test your own Boundary + OpenSSL deployment now at hoop.dev.