set ssl ca-file
Reset an SSL CA file with new certificates.
Description
Reset an SSL CA file with new certificates. The command creates a new runtime CA file into which the certificates contained in the payload are stored. The CA file is kept in a temporary transaction until the transaction is committed with commit ssl ca-file, at which time it is stored in runtime memory. If a transaction with the same filename already exists, the previous CA file entry is deleted and replaced by the new one.
Use the add ssl crt-list command to add the CA file to a cert list in memory.
Optionally, you can use abort ssl ca-file to abort the transaction.
If you want to add multiple certificates separately, use the add ssl ca-file command. Unlike set ssl ca-file, the add ssl ca-file command does not reset (clear) the CA file before adding certificates.
Changes to the certificates and crt-list made using the Runtime API are in memory only and not written to disk. They will therefore be lost when the proxy stops or is reloaded, so write the same content to the file on disk as well if the change must persist.
Examples
Reset cafile.pem with the certificates from rootCA.crt, then commit the transaction.
$ echo -e "set ssl ca-file cafile.pem <<\n$(cat rootCA.crt)\n" | \
sudo socat stdio unix-connect:/var/run/hapee-2.7/hapee-lb.sock
$ echo "commit ssl ca-file cafile.pem" | \
sudo socat stdio unix-connect:/var/run/hapee-2.7/hapee-lb.sock
Contextual Example
This operation is generally performed as part of a series of transactions used to manage CA files. You can manage CA files for different domains by passing them to the add ssl crt-list command.
The example in this section demonstrates how to upload a new CA file and attach it to HAProxy Enterprise's running configuration.
Verify client certificates
The simplest way to configure an application to use a CA file for verifying client certificates is to specify the CA file or directory in the frontend configuration.
-
Declare the CA file or directory in the frontend bind directive using the ca-file or ca-verify-file parameter. The argument passed to the ca-file parameter can be a specific CA file or a directory containing CA files. The file or directory must already exist. With verify required, a client that presents no certificate, or one that does not chain to a CA in these files, is rejected during the TLS handshake. Certificates given with ca-verify-file are used for verification only and are not advertised to the client in the list of acceptable CAs, which is why the root CA goes there and only the intermediate is listed in ca-file.
frontend fe_main
  mode http
  bind :80
  bind :443 ssl crt /etc/hapee-2.7/ssl.pem alpn h2 verify required ca-file /etc/hapee-2.7/intermediate-ca.crt ca-verify-file /etc/hapee-2.7/root-ca.crt
  http-request redirect scheme https unless { ssl_fc }
  default_backend servers
Use the Runtime API to update a CA file
There are Runtime API commands for modifying CA file contents during runtime. You can:
- replace the contents of a CA file entirely using the set ssl ca-file command
- add certificates to the existing content using the add ssl ca-file command
- remove the contents of a CA file in memory using del ssl ca-file
To modify the runtime CA file, follow these steps.
-
To replace the CA file contents with new certificates, use the set ssl ca-file command. The payload follows the command on the lines after <<, and the trailing \n supplies the empty line that terminates it.
$ echo -e "set ssl ca-file /etc/hapee-2.7/intermediate-ca.crt <<\n$(cat ./new_certificate.pem)\n" | \
sudo socat stdio unix-connect:/var/run/hapee-2.7/hapee-lb.sock
transaction created for CA /etc/hapee-2.7/intermediate-ca.crt!
-
To add an entry to a CA file, use the add ssl ca-file command. It appends to the open transaction rather than clearing it.
$ echo -e "add ssl ca-file /etc/hapee-2.7/intermediate-ca.crt <<\n$(cat ./new_certificate2.pem)\n" | \
sudo socat stdio unix-connect:/var/run/hapee-2.7/hapee-lb.sock
transaction updated for CA /etc/hapee-2.7/intermediate-ca.crt!
-
Updates to the CA file in memory do not take effect until the transaction is committed. Commit the transaction:
$ echo -e "commit ssl ca-file /etc/hapee-2.7/intermediate-ca.crt" | \
sudo socat stdio unix-connect:/var/run/hapee-2.7/hapee-lb.sock
Committing /etc/hapee-2.7/intermediate-ca.crt
Success!
-
Use show ssl ca-file to verify that the CA file was updated correctly. Check the notAfter dates and SHA1 fingerprints against the bundle you intended to load: OpenSSL checks the validity period of every certificate in the chain, so an expired CA certificate, like the ones in this sample output, will not validate any client certificate.
$ echo "show ssl ca-file /etc/hapee-2.7/intermediate-ca.crt" | \
sudo socat stdio unix-connect:/var/run/hapee-2.7/hapee-lb.sock
Filename: /etc/hapee-2.7/intermediate-ca.crt
Status: Unused
Certificate #1:
  Serial: 03BB662E4A45FE7E576F3C22195ADDC0
  notBefore: Nov 9 00:00:00 1994 GMT
  notAfter: Jan 7 23:59:59 2010 GMT
  Subject Alternative Name:
  Algorithm: RSA1000
  SHA1 FingerPrint: 4463A531B4BCA1004794612BC646D3BF8233846F
  Subject: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
  Issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
Certificate #2:
  Serial: 04BB662E4A45FE7E576F3C22195AEDC0
  notBefore: Nov 9 00:00:00 1994 GMT
  notAfter: Jan 7 23:59:59 2010 GMT
  Subject Alternative Name:
  Algorithm: RSA1000
  SHA1 FingerPrint: 2463A531B4BCA1004794212BC646D3BF8233846D
  Subject: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
  Issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
-
To delete a CA file in memory, use del ssl ca-file.
$ echo -e "del ssl ca-file /etc/hapee-2.7/intermediate-ca.crt" | \
sudo socat stdio unix-connect:/var/run/hapee-2.7/hapee-lb.sock
CA file '/etc/hapee-2.7/intermediate-ca.crt' deleted!
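The set, commit and abort steps above, put together as one script that checks each reply before moving on. This is an added example and not code from the HAProxy Enterprise documentation. It assumes the socket path shown on this page (overridable through a HAPEE_SOCK variable that belongs to this script, not to HAProxy), that replies contain the phrases shown above ("transaction created", "Success"), and it treats a bundle as acceptable when it contains at least one PEM certificate block, which is a marker count rather than a full parse. It uses printf instead of echo -e so the payload framing does not depend on which shell's echo is in use, and refuses an empty bundle, since committing one would leave the listener trusting nothing.

```shell
#!/bin/sh
# Added example (not part of the HAProxy Enterprise docs): replace the contents
# of a runtime CA file from a PEM bundle through the Runtime API, checking
# every reply and aborting the transaction if the commit fails.
#
# Assumptions of this script, not of the page: HAPEE_SOCK is an environment
# variable for the socket path, the reply phrases matched are the ones the
# page shows, and a bundle is acceptable when it contains at least one
# "-----BEGIN CERTIFICATE-----" line.

HAPEE_SOCK="${HAPEE_SOCK:-/var/run/hapee-2.7/hapee-lb.sock}"

# Format a Runtime API command that carries a payload: the command followed by
# " <<", the payload lines, and an empty line that terminates the payload.
build_payload_cmd() {
    printf '%s <<\n%s\n\n' "$1" "$2"
}

# Number of PEM certificate blocks in the given text (prints 0 for none).
count_pem_certs() {
    printf '%s\n' "$1" | grep -c '^-----BEGIN CERTIFICATE-----$' || true
}

# Return 0 when a reply reports success for the given step (set, add, commit).
reply_ok() {
    case $1 in
        set)    printf '%s' "$2" | grep -q 'transaction created' ;;
        add)    printf '%s' "$2" | grep -q 'transaction updated' ;;
        commit) printf '%s' "$2" | grep -q 'Success' ;;
        *)      return 1 ;;
    esac
}

# Send whatever arrives on stdin to the Runtime API socket and print the reply.
hapee_send() {
    socat stdio "unix-connect:${HAPEE_SOCK}"
}

# Replace CA file $1 (the name HAProxy knows it by) with the bundle in file $2.
replace_ca_file() {
    cafile=$1
    pem=$(cat "$2") || return 1
    n=$(count_pem_certs "$pem")
    if [ "$n" -eq 0 ]; then
        echo "refusing to upload $2: no PEM certificates found" >&2
        return 1
    fi
    reply=$(build_payload_cmd "set ssl ca-file $cafile" "$pem" | hapee_send)
    if ! reply_ok set "$reply"; then
        echo "set ssl ca-file failed: $reply" >&2
        return 1
    fi
    reply=$(printf 'commit ssl ca-file %s\n' "$cafile" | hapee_send)
    if ! reply_ok commit "$reply"; then
        echo "commit failed, aborting transaction: $reply" >&2
        printf 'abort ssl ca-file %s\n' "$cafile" | hapee_send >/dev/null
        return 1
    fi
    echo "$cafile now holds $n certificate(s) in memory (not on disk)"
}

# Usage: replace_ca_file /etc/hapee-2.7/intermediate-ca.crt ./new_bundle.pem
```

Run it as root or with sudo, as the page's own commands do, since the socket is normally not world-writable. The final message is a reminder that the change lives in memory only; copy the bundle over the file on disk as well if it must survive a reload.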
Verify server certificates
To use CA files to verify server certificates, specify the CA file using the ca-file parameter in the backend server or default-server directive.
backend web_servers
mode http
server s1 192.168.1.25:80 ssl verify required ca-file /etc/hapee-2.7/server-trusted-ca.crt
server s2 192.168.1.26:80 ssl verify required ca-file /etc/hapee-2.7/server-trusted-ca.crt
server s3 192.168.1.27:80 ssl verify required ca-file /etc/hapee-2.7/server-trusted-ca.crt