Reference

commit ssl ca-file

On this page

Available since

  • HAProxy 2.5
  • HAProxy Enterprise 2.5r1

Commit a temporary SSL CA file update transaction.

Description Jump to heading

Commit a temporary SSL CA file update transaction. Changes made to a CA file using set ssl ca-file (and as of version 2.7r1, add ssl ca-file) exist in a temporary transaction until committed using commit ssl ca-file. Alternatively, they can be aborted with abort ssl ca-file.

When committing to an existing CA file (one marked “Used” in show ssl ca-file output), the new certificates are integrated with the existing certificates in runtime memory. Once the temporary transaction is committed, it is destroyed.

When committing to a new CA file (one just created with the new ssl ca-file command and which would subsequently be marked “Unused” in show ssl ca-file output), the CA file will be inserted into memory but it won’t be used anywhere in the load balancer.

To use it and generate SSL contexts that use it, you will need to add it to a crt-list with add ssl crt-list.

This operation changes only the CA list in memory. To make the changes permanent, also make the changes to the CA file on disk.

Examples Jump to heading

Reset cafile.pem with the certificates from rootCA.crt. Then commit the transaction.

nix
echo -e "set ssl ca-file cafile.pem <<\n$(cat rootCA.crt)\n" | \
  sudo socat stdio tcp4-connect:127.0.0.1:9999
nix
echo -e "set ssl ca-file cafile.pem <<\n$(cat rootCA.crt)\n" | \
  sudo socat stdio tcp4-connect:127.0.0.1:9999
nix
echo "commit ssl ca-file cafile.pem" | \
  sudo socat stdio tcp4-connect:127.0.0.1:9999
nix
echo "commit ssl ca-file cafile.pem" | \
  sudo socat stdio tcp4-connect:127.0.0.1:9999

Example workflow Jump to heading

This operation is generally performed as part of a series of transactions used to manage CA files. You can manage CA files for different domains by passing them to the add ssl crt-list command.

The example in this section demonstrates how to upload a new CA file and attach it to the load balancer’s running configuration.

Verify client certificates Jump to heading

The simplest way to configure an application to use a CA file for verifying client certificates is to specify the CA file or directory in the frontend configuration.

  • Declare the CA file or directory in the frontend bind directive using the ca-file or ca-verify-file parameter. The argument passed to the ca-file parameter can be a specific CA file or a directory containing CA files. The file or directory must already exist.

    haproxy
    frontend fe_main
      mode http
      bind :80
      bind :443 ssl crt /etc/hapee-3.0/ssl.pem alpn h2 verify required ca-file /etc/hapee-3.0/intermediate-ca.crt ca-verify-file /etc/hapee-3.0/root-ca.crt
      http-request redirect scheme https unless { ssl_fc }
      default_backend servers
    haproxy
    frontend fe_main
      mode http
      bind :80
      bind :443 ssl crt /etc/hapee-3.0/ssl.pem alpn h2 verify required ca-file /etc/hapee-3.0/intermediate-ca.crt ca-verify-file /etc/hapee-3.0/root-ca.crt
      http-request redirect scheme https unless { ssl_fc }
      default_backend servers

Use the Runtime API to update a CA file Jump to heading

There are Runtime API commands for modifying CA file contents during runtime.

You can:

  • replace the contents of a CA file entirely using the set ssl ca-file command
  • add certificates to the existing content using the add ssl ca-file command
  • remove the contents of a CA file in memory using del ssl ca-file

These commands initiate a transaction, and the modifications are not in effect until the transaction is committed with the commit ssl ca-file command. Alternatively, you can abandon the changes with the abort ssl ca-file command.

Changes made to the runtime CA file exist only in the memory of the running proxy process and are not reflected in the CA file on disk. If you need CA changes to be persisted beyond the current proxy session, you must modify the CA file on disk.

To modify the runtime CA file, follow these steps.

  1. To replace the CA file contents with new certificates, use the set ssl ca-file command.

    nix
    echo -e "set ssl ca-file /etc/hapee-3.0/intermediate-ca.crt <<\n$(cat ./new_certificate.pem)\n" | \
      sudo socat stdio tcp4-connect:127.0.0.1:9999
    nix
    echo -e "set ssl ca-file /etc/hapee-3.0/intermediate-ca.crt <<\n$(cat ./new_certificate.pem)\n" | \
      sudo socat stdio tcp4-connect:127.0.0.1:9999
    output
    text
    transaction created for CA /etc/hapee-3.0/intermediate-ca.crt! 
    output
    text
    transaction created for CA /etc/hapee-3.0/intermediate-ca.crt!

  2. To add an entry to a CA file, use the add ssl ca-file command.

    nix
    echo -e "add ssl ca-file /etc/hapee-3.0/intermediate-ca.crt <<\n(cat ./new_certificate2.pem)\n" | \
      sudo socat stdio tcp4-connect:127.0.0.1:9999
    nix
    echo -e "add ssl ca-file /etc/hapee-3.0/intermediate-ca.crt <<\n(cat ./new_certificate2.pem)\n" | \
      sudo socat stdio tcp4-connect:127.0.0.1:9999
    output
    text
    transaction updated for CA /etc/hapee-3.0/intermediate-ca.crt!
    output
    text
    transaction updated for CA /etc/hapee-3.0/intermediate-ca.crt!

  3. Updates to the CA file in memory do not take effect until the transaction is committed. Commit the transaction:

    nix
    echo -e "commit ssl ca-file /etc/hapee-3.0/intermediate-ca.crt" | \
      sudo socat stdio tcp4-connect:127.0.0.1:9999
    nix
    echo -e "commit ssl ca-file /etc/hapee-3.0/intermediate-ca.crt" | \
      sudo socat stdio tcp4-connect:127.0.0.1:9999
    output
    text
    Committing /etc/hapee-3.0/intermediate-ca.crt
    Success!
    output
    text
    Committing /etc/hapee-3.0/intermediate-ca.crt
    Success!

  4. Use show ssl ca-file to verify that the CA file was updated correctly:

    nix
    echo "show ssl ca-file /etc/hapee-3.0/intermediate-ca.crt" | \
      sudo socat stdio tcp4-connect:127.0.0.1:9999
    nix
    echo "show ssl ca-file /etc/hapee-3.0/intermediate-ca.crt" | \
      sudo socat stdio tcp4-connect:127.0.0.1:9999
    output
    text
    Filename: /etc/hapee-3.0/intermediate-ca.crt
    Status: Unused
    Certificate #1:
    Serial: 03BB662E4A45FE7E576F3C22195ADDC0
    notBefore: Nov  9 00:00:00 1994 GMT
    notAfter: Jan  7 23:59:59 2010 GMT
    Subject Alternative Name:
    Algorithm: RSA1000
    SHA1 FingerPrint: 4463A531B4BCA1004794612BC646D3BF8233846F
    Subject: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
    Issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
    Certificate #2:
    Serial: 04BB662E4A45FE7E576F3C22195AEDC0
    notBefore: Nov  9 00:00:00 1994 GMT
    notAfter: Jan  7 23:59:59 2010 GMT
    Subject Alternative Name:
    Algorithm: RSA1000
    SHA1 FingerPrint: 2463A531B4BCA1004794212BC646D3BF8233846D
    Subject: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
    Issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
    output
    text
    Filename: /etc/hapee-3.0/intermediate-ca.crt
    Status: Unused
    Certificate #1:
    Serial: 03BB662E4A45FE7E576F3C22195ADDC0
    notBefore: Nov  9 00:00:00 1994 GMT
    notAfter: Jan  7 23:59:59 2010 GMT
    Subject Alternative Name:
    Algorithm: RSA1000
    SHA1 FingerPrint: 4463A531B4BCA1004794612BC646D3BF8233846F
    Subject: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
    Issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
    Certificate #2:
    Serial: 04BB662E4A45FE7E576F3C22195AEDC0
    notBefore: Nov  9 00:00:00 1994 GMT
    notAfter: Jan  7 23:59:59 2010 GMT
    Subject Alternative Name:
    Algorithm: RSA1000
    SHA1 FingerPrint: 2463A531B4BCA1004794212BC646D3BF8233846D
    Subject: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
    Issuer: /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority

  5. To delete a CA file in memory, use del ssl ca-file.

    nix
    echo -e "del ssl ca-file /etc/hapee-3.0/intermediate-ca.crt" | \
      sudo socat stdio tcp4-connect:127.0.0.1:9999
    nix
    echo -e "del ssl ca-file /etc/hapee-3.0/intermediate-ca.crt" | \
      sudo socat stdio tcp4-connect:127.0.0.1:9999
    output
    text
    CA file '/etc/hapee-3.0/intermediate-ca.crt' deleted!
    output
    text
    CA file '/etc/hapee-3.0/intermediate-ca.crt' deleted!

Verify server certificates Jump to heading

To use CA files to verify server certificates, specify the CA file using the ca-file parameter in the backend server or default-server directive.

The server directive must also specify:

  • the ssl parameter to enable HTTPS communication

  • the verify required parameter to verify the server SSL certificate against the CA’s provided in the CA file

    haproxy
    backend web_servers
      mode http
      server s1 192.168.1.25:80 ssl verify required ca-file /etc/hapee-3.0/server-trusted-ca.crt
      server s2 192.168.1.26:80 ssl verify required ca-file /etc/hapee-3.0/server-trusted-ca.crt
      server s3 192.168.1.27:80 ssl verify required ca-file /etc/hapee-3.0/server-trusted-ca.crt
    haproxy
    backend web_servers
      mode http
      server s1 192.168.1.25:80 ssl verify required ca-file /etc/hapee-3.0/server-trusted-ca.crt
      server s2 192.168.1.26:80 ssl verify required ca-file /etc/hapee-3.0/server-trusted-ca.crt
      server s3 192.168.1.27:80 ssl verify required ca-file /etc/hapee-3.0/server-trusted-ca.crt

See also Jump to heading

Do you have any suggestions on how we can improve the content of this page?

Previous page commit map Next page commit ssl cert
© 2024 HAProxy Technologies, LLC. All Rights Reserved
Manage Cookie Preferences