Reference
new ssl cert
Available since
- HAProxy 2.2
- HAProxy Enterprise 2.2r1
Add a new, empty SSL certificate store.
Description Jump to heading
Use the new ssl cert
command to create an empty slot for a certificate in the load balancer’s memory.
Examples Jump to heading
nix
echo -e "new ssl cert /etc/hapee-2.9/certs/new_certificate.pem" | \sudo socat stdio tcp4-connect:127.0.0.1:9999
nix
echo -e "new ssl cert /etc/hapee-2.9/certs/new_certificate.pem" | \sudo socat stdio tcp4-connect:127.0.0.1:9999
outputtext
New empty certificate store '/etc/hapee-2.9/certs/new_certificate.pem'!
outputtext
New empty certificate store '/etc/hapee-2.9/certs/new_certificate.pem'!
Example workflow Jump to heading
This operation is generally performed as part of a series of transactions. An example is outlined below. This example demonstrates how to upload a new certificate, attach it to the load balancer’s running configuration, and store it in a CRT list with cipher and SNI parameters. An optional delete command is included at the end.
-
Add a CRT list to your HAProxy Enterprise configuration file on a
bind
line:haproxyfrontend fe_mainmode httpbind :80bind :443 ssl crt-list /etc/hapee-2.9/certificate-list.txt ## This file must exist and contain at least one certificate, self-signed, if need be.http-request redirect scheme https unless { ssl_fc }default_backend servershaproxyfrontend fe_mainmode httpbind :80bind :443 ssl crt-list /etc/hapee-2.9/certificate-list.txt ## This file must exist and contain at least one certificate, self-signed, if need be.http-request redirect scheme https unless { ssl_fc }default_backend servers -
Use the
new ssl cert
command to create an empty slot for a certificate in HAProxy’s memory.nixecho -e "new ssl cert /etc/hapee-2.9/certs/new_certificate.pem" | \sudo socat stdio unix-connect:/var/run/hapee-2.9/hapee-lb.socknixecho -e "new ssl cert /etc/hapee-2.9/certs/new_certificate.pem" | \sudo socat stdio unix-connect:/var/run/hapee-2.9/hapee-lb.sockoutputtextNew empty certificate store '/etc/hapee-2.9/certs/new_certificate.pem'!outputtextNew empty certificate store '/etc/hapee-2.9/certs/new_certificate.pem'! -
Begin a transaction to upload the certificate into that slot by using the
set ssl cert
command.The new certificate should be in your local working directory.
nixecho -e "set ssl cert /etc/hapee-2.9/certs/new_certificate.pem <<\n$(cat ./new_certificate.pem)\n" | \sudo socat stdio unix-connect:/var/run/hapee-2.9/hapee-lb.socknixecho -e "set ssl cert /etc/hapee-2.9/certs/new_certificate.pem <<\n$(cat ./new_certificate.pem)\n" | \sudo socat stdio unix-connect:/var/run/hapee-2.9/hapee-lb.sockoutputtextTransaction created for certificate /etc/hapee-2.9/certs/new_certificate.pem!outputtextTransaction created for certificate /etc/hapee-2.9/certs/new_certificate.pem! -
Commit the transaction:
nixecho -e "commit ssl cert /etc/hapee-2.9/certs/new_certificate.pem" | \sudo socat stdio unix-connect:/var/run/hapee-2.9/hapee-lb.socknixecho -e "commit ssl cert /etc/hapee-2.9/certs/new_certificate.pem" | \sudo socat stdio unix-connect:/var/run/hapee-2.9/hapee-lb.sockoutputtextCommitting /etc/hapee-2.9/certs/new_certificate.pemSuccess!outputtextCommitting /etc/hapee-2.9/certs/new_certificate.pemSuccess! -
Add a line to the CRT list, to add the certificate, cipher suite, and SNI options:
nixecho -e "add ssl crt-list /etc/hapee-2.9/certificate-list.txt <<\n/etc//haproxy/certs/new_certificate.pem [alpn h2] mysite.local\n" | \sudo socat stdio unix-connect:/var/run/hapee-2.9/hapee-lb.socknixecho -e "add ssl crt-list /etc/hapee-2.9/certificate-list.txt <<\n/etc//haproxy/certs/new_certificate.pem [alpn h2] mysite.local\n" | \sudo socat stdio unix-connect:/var/run/hapee-2.9/hapee-lb.sockoutputtextInserting certificate '/etc/hapee-2.9/certs/new_certificate.pem' in crt-list '/etc//haproxy/certificate-list.txt'.Success!outputtextInserting certificate '/etc/hapee-2.9/certs/new_certificate.pem' in crt-list '/etc//haproxy/certificate-list.txt'.Success! -
Use
show ssl crt-list
to verify that the CRT list was updated correctly:nixecho "show ssl crt-list /etc/hapee-2.9/certificate-list.txt" | \sudo socat stdio unix-connect:/var/run/hapee-2.9/hapee-lb.socknixecho "show ssl crt-list /etc/hapee-2.9/certificate-list.txt" | \sudo socat stdio unix-connect:/var/run/hapee-2.9/hapee-lb.sockoutputtext# /etc//haproxy/certificate-list.txt/etc/hapee-2.9/certs/site.pem/etc/hapee-2.9/certs/test.local.pem [alpn h2 ssl-min-ver TLSv1.2] test.local/etc/hapee-2.9/certs/new_certificate.pem [alpn h2] mysite.localoutputtext# /etc//haproxy/certificate-list.txt/etc/hapee-2.9/certs/site.pem/etc/hapee-2.9/certs/test.local.pem [alpn h2 ssl-min-ver TLSv1.2] test.local/etc/hapee-2.9/certs/new_certificate.pem [alpn h2] mysite.local -
When needed, use
del ssl crt-list
to delete an entry from the CRT list in memory:nixecho -e "del ssl crt-list /etc/hapee-2.9/certificate-list.txt /etc/hapee-2.9/new_certificate.pem" | \sudo socat stdio unix-connect:/var/run/hapee-2.9/hapee-lb.socknixecho -e "del ssl crt-list /etc/hapee-2.9/certificate-list.txt /etc/hapee-2.9/new_certificate.pem" | \sudo socat stdio unix-connect:/var/run/hapee-2.9/hapee-lb.sockoutputtextEntry '/etc/hapee-2.9/new_certificate.pem' deleted in crtlist '/etc/hapee-2.9/certificate-list.txt'!outputtextEntry '/etc/hapee-2.9/new_certificate.pem' deleted in crtlist '/etc/hapee-2.9/certificate-list.txt'!Info
This operation deletes the certificate only from the CRT list in memory. To make the deletion permanent, also delete the certificate from the CRT list file on disk. Then delete the certificate file.
See also Jump to heading
Do you have any suggestions on how we can improve the content of this page?