new ssl cert

Add a new, empty SSL certificate store.

Description Jump to heading #

Use the new ssl cert command to create an empty slot for a certificate in the load balancer’s memory.

Examples Jump to heading #

nix
echo -e "new ssl cert /etc/hapee-3.1/certs/new_certificate.pem" | \
  sudo socat stdio tcp4-connect:127.0.0.1:9999

nix
echo -e "new ssl cert /etc/hapee-3.1/certs/new_certificate.pem" | \
  sudo socat stdio tcp4-connect:127.0.0.1:9999

output
text
New empty certificate store '/etc/hapee-3.1/certs/new_certificate.pem'!

output
text
New empty certificate store '/etc/hapee-3.1/certs/new_certificate.pem'!

Example workflow Jump to heading #

This operation is generally performed as part of a series of transactions. An example is outlined below. This example demonstrates how to upload a new certificate, attach it to the load balancer’s running configuration, and store it in a CRT list with cipher and SNI parameters. An optional delete command is included at the end.

1. Add a CRT list to your HAProxy Enterprise configuration file on a bind line:

   haproxy
   frontend fe_main
     mode http
     bind :80
     bind :443 ssl crt-list /etc/hapee-3.1/certificate-list.txt ## This file must exist and contain at least one certificate, self-signed, if need be.
     http-request redirect scheme https unless { ssl_fc }
     default_backend servers

   haproxy
   frontend fe_main
     mode http
     bind :80
     bind :443 ssl crt-list /etc/hapee-3.1/certificate-list.txt ## This file must exist and contain at least one certificate, self-signed, if need be.
     http-request redirect scheme https unless { ssl_fc }
     default_backend servers

2. Use the new ssl cert command to create an empty slot for a certificate in HAProxy’s memory.

   nix
   echo -e "new ssl cert /etc/hapee-3.1/certs/new_certificate.pem" | \
     sudo socat stdio unix-connect:/var/run/hapee-3.1/hapee-lb.sock

   nix
   echo -e "new ssl cert /etc/hapee-3.1/certs/new_certificate.pem" | \
     sudo socat stdio unix-connect:/var/run/hapee-3.1/hapee-lb.sock

   output
   text
   New empty certificate store '/etc/hapee-3.1/certs/new_certificate.pem'!

   output
   text
   New empty certificate store '/etc/hapee-3.1/certs/new_certificate.pem'!

3. Begin a transaction to upload the certificate into that slot by using the set ssl cert command.

   The new certificate should be in your local working directory.

   nix
   echo -e "set ssl cert /etc/hapee-3.1/certs/new_certificate.pem <<\n$(cat ./new_certificate.pem)\n" | \
     sudo socat stdio unix-connect:/var/run/hapee-3.1/hapee-lb.sock

   nix
   echo -e "set ssl cert /etc/hapee-3.1/certs/new_certificate.pem <<\n$(cat ./new_certificate.pem)\n" | \
     sudo socat stdio unix-connect:/var/run/hapee-3.1/hapee-lb.sock

   output
   text
   Transaction created for certificate /etc/hapee-3.1/certs/new_certificate.pem!

   output
   text
   Transaction created for certificate /etc/hapee-3.1/certs/new_certificate.pem!

4. Commit the transaction:

   nix
   echo -e "commit ssl cert /etc/hapee-3.1/certs/new_certificate.pem" | \
     sudo socat stdio unix-connect:/var/run/hapee-3.1/hapee-lb.sock

   nix
   echo -e "commit ssl cert /etc/hapee-3.1/certs/new_certificate.pem" | \
     sudo socat stdio unix-connect:/var/run/hapee-3.1/hapee-lb.sock

   output
   text
   Committing /etc/hapee-3.1/certs/new_certificate.pem
   Success!

   output
   text
   Committing /etc/hapee-3.1/certs/new_certificate.pem
   Success!

5. Add a line to the CRT list, to add the certificate, cipher suite, and SNI options:

   nix
   echo -e "add ssl crt-list /etc/hapee-3.1/certificate-list.txt <<\n/etc//haproxy/certs/new_certificate.pem [alpn h2] mysite.local\n" | \
     sudo socat stdio unix-connect:/var/run/hapee-3.1/hapee-lb.sock

   nix
   echo -e "add ssl crt-list /etc/hapee-3.1/certificate-list.txt <<\n/etc//haproxy/certs/new_certificate.pem [alpn h2] mysite.local\n" | \
     sudo socat stdio unix-connect:/var/run/hapee-3.1/hapee-lb.sock

   output
   text
   Inserting certificate '/etc/hapee-3.1/certs/new_certificate.pem' in crt-list '/etc//haproxy/certificate-list.txt'.
   Success!

   output
   text
   Inserting certificate '/etc/hapee-3.1/certs/new_certificate.pem' in crt-list '/etc//haproxy/certificate-list.txt'.
   Success!

6. Use show ssl crt-list to verify that the CRT list was updated correctly:

   nix
   echo "show ssl crt-list /etc/hapee-3.1/certificate-list.txt" | \
     sudo socat stdio unix-connect:/var/run/hapee-3.1/hapee-lb.sock

   nix
   echo "show ssl crt-list /etc/hapee-3.1/certificate-list.txt" | \
     sudo socat stdio unix-connect:/var/run/hapee-3.1/hapee-lb.sock

   output
   text
   # /etc//haproxy/certificate-list.txt
   /etc/hapee-3.1/certs/site.pem
   /etc/hapee-3.1/certs/test.local.pem [alpn h2 ssl-min-ver TLSv1.2] test.local
   /etc/hapee-3.1/certs/new_certificate.pem [alpn h2] mysite.local

   output
   text
   # /etc//haproxy/certificate-list.txt
   /etc/hapee-3.1/certs/site.pem
   /etc/hapee-3.1/certs/test.local.pem [alpn h2 ssl-min-ver TLSv1.2] test.local
   /etc/hapee-3.1/certs/new_certificate.pem [alpn h2] mysite.local

7. When needed, use del ssl crt-list to delete an entry from the CRT list in memory:

   nix
   echo -e "del ssl crt-list /etc/hapee-3.1/certificate-list.txt /etc/hapee-3.1/new_certificate.pem" | \
     sudo socat stdio unix-connect:/var/run/hapee-3.1/hapee-lb.sock

   nix
   echo -e "del ssl crt-list /etc/hapee-3.1/certificate-list.txt /etc/hapee-3.1/new_certificate.pem" | \
     sudo socat stdio unix-connect:/var/run/hapee-3.1/hapee-lb.sock

   output
   text
   Entry '/etc/hapee-3.1/new_certificate.pem' deleted in crtlist '/etc/hapee-3.1/certificate-list.txt'!

   output
   text
   Entry '/etc/hapee-3.1/new_certificate.pem' deleted in crtlist '/etc/hapee-3.1/certificate-list.txt'!

   Info

   This operation deletes the certificate only from the CRT list in memory. To make the deletion permanent, also delete the certificate from the CRT list file on disk. Then delete the certificate file.

See also Jump to heading #

• commit ssl cert
• del ssl cert
• set ssl cert
• show ssl crt list