Reference

show ssl cert

Available since

  • HAProxy 2.0
  • HAProxy Enterprise 2.0r1

List certificates used on frontends. As of version 2.4r1, list certificates used on backends.

Description Jump to heading

This command is useful for confirming that a certificate was updated correctly.

If a filename is prefixed by an asterisk in the result, it is a part of a transaction that has not yet been committed. Specify a filename to see details about a specific certificate. To display details on a transaction, prefix the filename with an asterisk.

As of version 2.5r1, to display the details of a certificate’s OCSP response, append the .ocsp extension to the filename. This method works for committed certificates as well as for ongoing transactions. On a committed certificate, this command is equivalent to calling show ssl ocsp-response with the certificate’s corresponding OCSP response ID.

The load balancer can update an SSL certificate that it loaded into memory at startup. The workflow to update a certificate is:

  1. Start a transaction that uploads the local certificate file into memory using set ssl cert.

  2. Commit the transaction to update the certificate using commit ssl cert.

Use show ssl cert to see the file before and after committing it. Pending files have an asterisk before their names.

Examples Jump to heading

View certificates loaded into the load balancer’s runtime memory:

nix
echo "show ssl cert" | \
sudo socat stdio tcp4-connect:127.0.0.1:9999
nix
echo "show ssl cert" | \
sudo socat stdio tcp4-connect:127.0.0.1:9999
output
text
# transaction
*/etc/hapee-2.9/certs/site.pem
# filename
/etc/hapee-2.9/certs/site.pem
output
text
# transaction
*/etc/hapee-2.9/certs/site.pem
# filename
/etc/hapee-2.9/certs/site.pem

View a specific certificate:

nix
echo "show ssl cert */etc/hapee-2.9/certs/site.pem" | \
sudo socat stdio tcp4-connect:127.0.0.1:9999
nix
echo "show ssl cert */etc/hapee-2.9/certs/site.pem" | \
sudo socat stdio tcp4-connect:127.0.0.1:9999
output
text
Filename: */etc/hapee-2.9/certs/site.pem
Status: Unused
Serial: 1F5202E02083861B302FFA09045721F07C865EFD
notBefore: Aug 12 17:05:34 2020 GMT
notAfter: Aug 12 17:05:34 2021 GMT
Subject Alternative Name:
Algorithm: RSA2048
SHA1 FingerPrint: C2958E4ABDF89447BF0BEDEF43A1A202213B7B4C
Subject: /C=US/ST=Ohio/L=Columbus/O=Company/CN=example.local
output
text
Filename: */etc/hapee-2.9/certs/site.pem
Status: Unused
Serial: 1F5202E02083861B302FFA09045721F07C865EFD
notBefore: Aug 12 17:05:34 2020 GMT
notAfter: Aug 12 17:05:34 2021 GMT
Subject Alternative Name:
Algorithm: RSA2048
SHA1 FingerPrint: C2958E4ABDF89447BF0BEDEF43A1A202213B7B4C
Subject: /C=US/ST=Ohio/L=Columbus/O=Company/CN=example.local

See also Jump to heading

Do you have any suggestions on how we can improve the content of this page?