HAProxy Enterprise Documentation 2.3r1

new ssl cert

Add a new, empty SSL certificate store.

Description

Use the new ssl cert command to create an empty slot for a certificate in HAProxy Enterprise's memory.

Examples

$ echo -e "new ssl cert /etc/haproxy/certs/new_certificate.pem" | socat tcp-connect:127.0.0.1:9999 -
New empty certificate store '/etc/haproxy/certs/new_certificate.pem'!

Contextual Example

This operation is generally performed as one step in a series of Runtime API transactions. The example below demonstrates how to upload a new certificate, attach it to HAProxy Enterprise's running configuration, and store it in a CRT list with cipher and SNI parameters. An optional delete command is included at the end.

  1. Add a CRT list to your HAProxy Enterprise configuration file on a bind line:

    frontend fe_main
       mode http
       bind :80
       bind :443 ssl crt-list /etc/hapee-2.3/certificate-list.txt ## This file must exist and contain at least one certificate, self-signed, if need be.
       http-request redirect scheme https unless { ssl_fc }
       default_backend servers
  2. Use the new ssl cert command to create an empty slot for a certificate in HAProxy's memory:

    $ echo -e "new ssl cert /etc/hapee-2.3/certs/new_certificate.pem" | socat tcp-connect:192.168.1.10:9999 -
    New empty certificate store '/etc/hapee-2.3/certs/new_certificate.pem'!
  3. Begin a transaction to upload the certificate into that slot by using the set ssl cert command.

    The new certificate should be in your local working directory.

    $ echo -e "set ssl cert /etc/hapee-2.3/certs/new_certificate.pem <<\n$(cat ./new_certificate.pem)\n" | socat tcp-connect:192.168.1.10:9999 -
    Transaction created for certificate /etc/hapee-2.3/certs/new_certificate.pem!
  4. Commit the transaction:

    $ echo -e "commit ssl cert /etc/hapee-2.3/certs/new_certificate.pem" | socat tcp-connect:192.168.1.10:9999 -
    Committing /etc/hapee-2.3/certs/new_certificate.pem
    Success!
  5. Add a line to the CRT list, to add the certificate, cipher suite and SNI options:

    $ echo -e "add ssl crt-list /etc/hapee-2.3/certificate-list.txt <<\n/etc/hapee-2.3/certs/new_certificate.pem [alpn h2] mysite.local\n" | socat tcp-connect:192.168.1.10:9999 -
    Inserting certificate '/etc/hapee-2.3/certs/new_certificate.pem' in crt-list '/etc/hapee-2.3/certificate-list.txt'.
    Success!
  6. Use show ssl crt-list to verify that the CRT list was updated correctly:

    $ echo "show ssl crt-list /etc/hapee-2.3/certificate-list.txt" | socat tcp-connect:192.168.1.10:9999 -
    # /etc/hapee-2.3/certificate-list.txt
    /etc/hapee-2.3/certs/site.pem
    /etc/hapee-2.3/certs/test.local.pem [alpn h2 ssl-min-ver TLSv1.2] test.local
    /etc/hapee-2.3/certs/new_certificate.pem [alpn h2] mysite.local
  7. Use del ssl crt-list to delete an entry from the CRT list. The command takes the CRT list file followed by the certificate path to remove:

    $ echo -e "del ssl crt-list /etc/hapee-2.3/certificate-list.txt /etc/hapee-2.3/certs/new_certificate.pem" | socat tcp-connect:192.168.1.10:9999 -
    Entry '/etc/hapee-2.3/certs/new_certificate.pem' deleted in crtlist '/etc/hapee-2.3/certificate-list.txt'!
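
The steps above, scripted as one sequence that checks every Runtime API reply and aborts the pending transaction on failure. This is an added example and not part of the HAProxy Enterprise documentation; it assumes socat is installed, the API address is in HAPEE_API, and the CRT list is already referenced on a bind line.

```shell
#!/bin/sh
# Added example (not from the HAProxy Enterprise docs): drive the
# new / set / commit / add ssl crt-list sequence and verify each reply.
# Assumption: HAPEE_API is host:port of the Runtime API (default constructed).
set -u
HAPEE_API="${HAPEE_API:-192.168.1.10:9999}"

# Send one command to the Runtime API and print its reply.
api_send() {
    printf '%s\n' "$1" | socat -t 5 "tcp-connect:${HAPEE_API}" -
}

# Build the multi-line payload for 'set ssl cert': the '<<' marker, the PEM
# file content, then the empty line that terminates the payload.
build_set_payload() {
    printf 'set ssl cert %s <<\n%s\n\n' "$1" "$(cat "$2")"
}

# Succeed only if the reply contains the expected success marker.
reply_ok() {
    case "$1" in
        *"$2"*) return 0 ;;
        *)      return 1 ;;
    esac
}

# Check a 'show ssl crt-list' dump for an exact entry line (header skipped).
crtlist_has_entry() {
    printf '%s\n' "$1" | grep -v '^#' | grep -Fxq "$2"
}

# Full sequence: slot path, local PEM file, CRT list file, CRT list entry.
install_cert() {
    slot="$1"; pem="$2"; crtlist="$3"; entry="$4"
    r=$(api_send "new ssl cert ${slot}")
    reply_ok "$r" "New empty certificate store" || { echo "new failed: $r" >&2; return 1; }
    r=$(build_set_payload "$slot" "$pem" | socat -t 5 "tcp-connect:${HAPEE_API}" -)
    reply_ok "$r" "Transaction created" || { echo "set failed: $r" >&2; api_send "abort ssl cert ${slot}"; return 1; }
    r=$(api_send "commit ssl cert ${slot}")
    reply_ok "$r" "Success!" || { echo "commit failed: $r" >&2; api_send "abort ssl cert ${slot}"; return 1; }
    r=$(printf 'add ssl crt-list %s <<\n%s\n\n' "$crtlist" "$entry" | socat -t 5 "tcp-connect:${HAPEE_API}" -)
    reply_ok "$r" "Success!" || { echo "add failed: $r" >&2; return 1; }
    # Confirm the running CRT list really carries the new entry.
    crtlist_has_entry "$(api_send "show ssl crt-list ${crtlist}")" "$entry"
}
# Usage: install_cert /etc/hapee-2.3/certs/new_certificate.pem ./new_certificate.pem \
#   /etc/hapee-2.3/certificate-list.txt '/etc/hapee-2.3/certs/new_certificate.pem [alpn h2] mysite.local'
```

The verification step matters because 'add ssl crt-list' only accepts certificates already committed under that exact path, so a mismatched slot name fails silently from the caller's point of view unless the reply and the list are checked.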
