Hi. I would like to configure HAProxy to allow multiple CRLs.
First, for testing I created my own CA. I created a server cert and signed it. I created a client cert and signed it. I created a CRL.
I set up HAProxy like:
bind *:443 ssl crt server.crt ca-file my_ca.crt crl-file my_ca.crl
That worked fine. The SSL connection prompted me for a cert signed by the CA present in the ca.crt file. I could give it a valid cert, an expired cert and a revoked cert and they all worked as expected.
Then I tried integrating with an external CA for which I have a valid client cert, the CA cert and the CA CRL. I concatenated the CA certs to a combined.crt file. Then I concatenated the CRL files to a combined.crl file even though I have read posts that say that invalidates the CRL. There are other posts that say that should work.
My HAProxy config is now:
bind *:443 ssl crt server.crt ca-file combined.crt crl-file combined.crl
The interface will accept a client cert signed by my own CA. If I don't specify a CRL it will also accept a client cert signed by the external CA. But, if I specify the crl-file, it will not accept the client cert from the external CA.
I tried using just the external CA cert and the external CRL:
bind *:443 ssl crt server.crt ca-file external.crt crl-file external.crl
That will not work either. The error in both cases is "SSL client CA chain cannot be verified". But I only get that if I specify the crl-file. I
Any help is appreciated! Thanks.
Mike