HAProxy Enterprise Documentation 2.7r1

abort ssl ca-file

Abort and destroy a temporary CA file update transaction.

Description

Abort and destroy a temporary CA file update transaction.

The CLI commands add ssl ca-file and set ssl ca-file make CA file changes in a temporary transaction. When changes are complete, you can apply the transaction to runtime memory using commit ssl ca-file or abort them using this command.

Examples

Begin a transaction to load a certificate into HAProxy Enterprise's runtime memory. Then abort the transaction.

$ echo -e "set ssl ca-file cafile.pem <<\n$(cat rootCA.crt)\n" | \
   sudo socat stdio unix-connect:/var/run/hapee-2.7/hapee-lb.sock

$ echo "abort ssl ca-file cafile.pem" | \
   sudo socat stdio unix-connect:/var/run/hapee-2.7/hapee-lb.sock

Contextual Example

This operation is generally performed as part of a series of transactions used to manage CA files. You can manage CA files for different domains by passing them to the add ssl crt-list command.

The example in this section demonstrates how to upload a new CA file and attach it to HAProxy Enterprise's running configuration.

Verify client certificates

The simplest way to configure an application to use a CA file for verifying client certificates is to specify the CA file or directory in the frontend configuration.

  • Declare the CA file or directory in the frontend bind directive using the ca-file or ca-verify-file parameter. The argument passed to the ca-file parameter can be a specific CA file or a directory containing CA files. The file or directory must already exist.

    frontend fe_main
       mode http
       bind :80
       bind :443 ssl crt /etc/hapee-2.7/ssl.pem alpn h2 verify required ca-file /etc/hapee-2.7/intermediate-ca.crt ca-verify-file /etc/hapee-2.7/root-ca.crt
       http-request redirect scheme https unless { ssl_fc }
       default_backend servers

Use the Runtime API to update a CA file

There are Runtime API commands for modifying CA file contents during runtime.

You can:

  • replace the contents of a CA file entirely using the set ssl ca-file command

  • add certificates to the existing content using the add ssl ca-file command

  • remove the contents of a CA file in memory using del ssl ca-file

To modify the runtime CA file, follow these steps.

  1. To replace the CA file contents with new certificates, use the set ssl ca-file command.

    $ echo -e "set ssl ca-file /etc/hapee-2.7/intermediate-ca.crt <<\n$(cat ./new_certificate.pem)\n" | \
       sudo socat stdio unix-connect:/var/run/hapee-2.7/hapee-lb.sock
    transaction created for CA /etc/hapee-2.7/intermediate-ca.crt!
  2. To add an entry to a CA file, use the add ssl ca-file command.

    $ echo -e "add ssl ca-file /etc/hapee-2.7/intermediate-ca.crt <<\n$(cat ./new_certificate2.pem)\n" | \
       sudo socat stdio unix-connect:/var/run/hapee-2.7/hapee-lb.sock
    transaction updated for CA /etc/hapee-2.7/intermediate-ca.crt!
  3. Updates to the CA file in memory do not take effect until the transaction is committed. Commit the transaction:

    $ echo -e "commit ssl ca-file /etc/hapee-2.7/intermediate-ca.crt" | \
       sudo socat stdio unix-connect:/var/run/hapee-2.7/hapee-lb.sock
    Committing /etc/hapee-2.7/intermediate-ca.crt
    Success!
  4. Use show ssl ca-file to verify that the CA file was updated correctly:

    $ echo "show ssl ca-file /etc/hapee-2.7/intermediate-ca.crt" | \
       sudo socat stdio unix-connect:/var/run/hapee-2.7/hapee-lb.sock
    Filename: /etc/hapee-2.7/intermediate-ca.crt
    Status: Unused
    
    Certificate #1:
    Serial: 03BB662E4A45FE7E576F3C22195ADDC0
    notBefore: Nov  9 00:00:00 1994 GMT
    notAfter: Jan  7 23:59:59 2010 GMT
    Subject Alternative Name:
    Algorithm: RSA1000
    SHA1 FingerPrint: 4463A531B4BCA1004794612BC646D3BF8233846F
    Subject: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
    Issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
    
    Certificate #2:
    Serial: 04BB662E4A45FE7E576F3C22195AEDC0
    notBefore: Nov  9 00:00:00 1994 GMT
    notAfter: Jan  7 23:59:59 2010 GMT
    Subject Alternative Name:
    Algorithm: RSA1000
    SHA1 FingerPrint: 2463A531B4BCA1004794212BC646D3BF8233846D
    Subject: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
    Issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
  5. To delete a CA file in memory, use del ssl ca-file.

    $ echo -e "del ssl ca-file /etc/hapee-2.7/intermediate-ca.crt" | \
       sudo socat stdio unix-connect:/var/run/hapee-2.7/hapee-lb.sock
    CA file '/etc/hapee-2.7/intermediate-ca.crt' deleted!
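The set / commit / abort sequence from the steps above wrapped in one script, as an added example that is not part of the HAProxy Enterprise documentation: it stages the new contents, commits only when the staging reply is the one the page shows, and otherwise issues abort ssl ca-file so no pending transaction is left behind. The socket path is the one used on this page; hapee_send and update_ca_file are names chosen for this example.

```shell
#!/bin/sh
# Added example, not from the HAProxy Enterprise docs: stage a CA file over the
# Runtime API, commit if staging succeeded, otherwise abort the transaction.
# Assumes the socket path from the page; override with HAPEE_SOCK. Run it with
# enough privilege to open the socket (the page uses sudo).
HAPEE_SOCK="${HAPEE_SOCK:-/var/run/hapee-2.7/hapee-lb.sock}"

# Transport: send the Runtime API command read from stdin, print the reply.
# Redefine this function to talk to something else (a test does exactly that).
hapee_send() { socat stdio "unix-connect:${HAPEE_SOCK}"; }

# Build the multi-line payload the page sends with echo -e: the command line
# ending in "<<", the PEM body, then an empty line that ends the input.
build_set_payload() {
    printf 'set ssl ca-file %s <<\n%s\n\n' "$1" "$(cat "$2")"
}

# Cheap sanity check before touching runtime memory: refuse files that carry
# no PEM certificate markers at all.
pem_looks_valid() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# update_ca_file <ca-file-name-in-haproxy> <local-pem-file>
# Exit codes: 0 committed, 1 aborted (staging or commit failed), 2 refused.
update_ca_file() {
    ca="$1"; pem="$2"
    pem_looks_valid "$pem" || { echo "refused: $pem has no PEM certificate"; return 2; }
    reply=$(build_set_payload "$ca" "$pem" | hapee_send)
    case "$reply" in
        *"transaction created for CA $ca"*|*"transaction updated for CA $ca"*)
            if printf 'commit ssl ca-file %s\n' "$ca" | hapee_send | grep -q 'Success!'; then
                echo "committed $ca"; return 0
            fi ;;
    esac
    # Anything else: destroy the pending transaction rather than leave it behind.
    printf 'abort ssl ca-file %s\n' "$ca" | hapee_send >/dev/null
    echo "aborted $ca: $reply"
    return 1
}
```

Follow a successful run with show ssl ca-file, as in step 4, to confirm the certificates now held in memory.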

Verify server certificates

To use CA files to verify server certificates, specify the CA file using the ca-file parameter in the backend server or default-server directive.

backend web_servers
   mode http
   server s1 192.168.1.25:80 ssl verify required ca-file /etc/hapee-2.7/server-trusted-ca.crt
   server s2 192.168.1.26:80 ssl verify required ca-file /etc/hapee-2.7/server-trusted-ca.crt
   server s3 192.168.1.27:80 ssl verify required ca-file /etc/hapee-2.7/server-trusted-ca.crt
