HAProxy Enterprise Documentation 2.4r1

new ssl cert

Add a new, empty SSL certificate store.

Description

Use the new ssl cert command to create an empty slot for a certificate in HAProxy Enterprise's memory.

Examples

$ echo -e "new ssl cert /etc/hapee-2.4/certs/new_certificate.pem" | \
   sudo socat stdio unix-connect:/var/run/hapee-2.4/hapee-lb.sock
New empty certificate store '/etc/hapee-2.4/certs/new_certificate.pem'!

Contextual Example

This operation is generally performed as part of a series of transactions. An example is outlined below. This example demonstrates how to upload a new certificate, attach it to HAProxy Enterprise's running configuration, and store it in a CRT list with cipher and SNI parameters. An optional delete command is included at the end.

  1. Add a CRT list to your HAProxy Enterprise configuration file on a bind line:

    frontend fe_main
       mode http
       bind :80
       bind :443 ssl crt-list /etc/hapee-2.4/certificate-list.txt  # this file must already exist and contain at least one certificate (self-signed, if need be)
       http-request redirect scheme https unless { ssl_fc }
       default_backend servers
  2. Use the new ssl cert command to create an empty slot for a certificate in HAProxy's memory.

    $ echo -e "new ssl cert /etc/hapee-2.4/certs/new_certificate.pem" | \
       sudo socat stdio unix-connect:/var/run/hapee-2.4/hapee-lb.sock
    New empty certificate store '/etc/hapee-2.4/certs/new_certificate.pem'!
  3. Begin a transaction to upload the certificate into that slot by using the set ssl cert command.

    The new certificate should be in your local working directory.

    $ echo -e "set ssl cert /etc/hapee-2.4/certs/new_certificate.pem <<\n$(cat ./new_certificate.pem)\n" | \
       sudo socat stdio unix-connect:/var/run/hapee-2.4/hapee-lb.sock
    Transaction created for certificate /etc/hapee-2.4/certs/new_certificate.pem!
  4. Commit the transaction:

    $ echo -e "commit ssl cert /etc/hapee-2.4/certs/new_certificate.pem" | \
       sudo socat stdio unix-connect:/var/run/hapee-2.4/hapee-lb.sock
    Committing /etc/hapee-2.4/certs/new_certificate.pem
    Success!
  5. Add a line to the CRT list that names the certificate and sets its TLS and SNI options (here an ALPN setting and an SNI filter):

    $ echo -e "add ssl crt-list /etc/hapee-2.4/certificate-list.txt <<\n/etc/hapee-2.4/certs/new_certificate.pem [alpn h2] mysite.local\n" | \
       sudo socat stdio unix-connect:/var/run/hapee-2.4/hapee-lb.sock
    Inserting certificate '/etc/hapee-2.4/certs/new_certificate.pem' in crt-list '/etc/hapee-2.4/certificate-list.txt'.
    Success!
  6. Use show ssl crt-list to verify that the CRT list was updated correctly:

    $ echo "show ssl crt-list /etc/hapee-2.4/certificate-list.txt" | \
       sudo socat stdio unix-connect:/var/run/hapee-2.4/hapee-lb.sock
    # /etc/hapee-2.4/certificate-list.txt
    /etc/hapee-2.4/certs/site.pem
    /etc/hapee-2.4/certs/test.local.pem [alpn h2 ssl-min-ver TLSv1.2] test.local
    /etc/hapee-2.4/certs/new_certificate.pem [alpn h2] mysite.local
  7. When needed, use del ssl crt-list to delete an entry from the CRT list in memory:

    $ echo -e "del ssl crt-list /etc/hapee-2.4/certificate-list.txt /etc/hapee-2.4/certs/new_certificate.pem" | \
       sudo socat stdio unix-connect:/var/run/hapee-2.4/hapee-lb.sock
    Entry '/etc/hapee-2.4/certs/new_certificate.pem' deleted in crtlist '/etc/hapee-2.4/certificate-list.txt'!
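The following script is an added example, not part of the HAProxy Enterprise documentation: it runs steps 2 to 6 above as one procedure, checks every Runtime API reply, and rolls an incomplete transaction back with abort ssl cert. It assumes the socket path used throughout this page and that openssl is installed; the runtime_cmd function is the only place that talks to the socket, so it can be replaced by a stub for testing.

```shell
#!/bin/sh
# Added example, not from the HAProxy Enterprise docs: runs the new / set /
# commit / add / show sequence above as one checked procedure.
# Assumed: the socket path below; runtime_cmd can be replaced by a stub.
SOCK="${HAPEE_SOCK:-/var/run/hapee-2.4/hapee-lb.sock}"

# Send one Runtime API command to the stats socket and print the reply.
# '%b' expands the literal "\n" separators, like the docs' "echo -e".
runtime_cmd() {
    printf '%b\n' "$1" | socat stdio "unix-connect:$SOCK"
}

# Succeed only if the reply contains the marker HAProxy prints on success.
expect_reply() {  # expect_reply <reply> <marker>
    case "$1" in
        *"$2"*) return 0 ;;
        *) printf 'runtime API error: %s\n' "$1" >&2; return 1 ;;
    esac
}

# install_cert <local.pem> <store path> <crt-list file> "<options> <sni>"
# Creates the store, uploads the PEM in a transaction, commits, adds the
# crt-list entry and confirms it is live. A failed upload or commit is
# rolled back with "abort ssl cert" so no open transaction is left behind.
install_cert() {
    pem="$1"; store="$2"; list="$3"; opts="$4"
    # Refuse a bundle whose private key does not belong to its certificate
    # before anything is sent to the socket.
    [ "$(openssl x509 -in "$pem" -noout -pubkey 2>/dev/null)" = \
      "$(openssl pkey -in "$pem" -pubout 2>/dev/null)" ] ||
        { echo "key/cert mismatch in $pem" >&2; return 1; }

    reply=$(runtime_cmd "new ssl cert $store")
    expect_reply "$reply" "New empty certificate store" || return 1

    reply=$(runtime_cmd "set ssl cert $store <<\n$(cat "$pem")\n")
    expect_reply "$reply" "Transaction created" ||
        { runtime_cmd "abort ssl cert $store" >/dev/null; return 1; }

    reply=$(runtime_cmd "commit ssl cert $store")
    expect_reply "$reply" "Success!" ||
        { runtime_cmd "abort ssl cert $store" >/dev/null; return 1; }

    reply=$(runtime_cmd "add ssl crt-list $list <<\n$store $opts\n")
    expect_reply "$reply" "Success!" || return 1

    # Check the in-memory list itself rather than trusting the reply alone.
    runtime_cmd "show ssl crt-list $list" | grep -qF -- "$store"
}
```

On a live system, run it as root with `install_cert ./new_certificate.pem /etc/hapee-2.4/certs/new_certificate.pem /etc/hapee-2.4/certificate-list.txt "[alpn h2] mysite.local"`, which matches the values used in the steps above.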
