Reference

show ssl crt-list

On this page

Available since

  • HAProxy 2.2
  • HAProxy Enterprise 2.2r1

Display the contents of an SSL CRT list.

Description Jump to heading

CRT lists are text files that describe the SSL certificates used by the load balancer. When dynamically creating and manipulating certificates, this command is used to verify the contents of an SSL CRT list.

Examples Jump to heading

In this example, the entries in the CRT list file /etc/hapee-3.0/certificate-list.txt are displayed.

nix
echo "show ssl crt-list /etc/hapee-3.0/certificate-list.txt" | \
  sudo socat stdio tcp4-connect:127.0.0.1:9999
nix
echo "show ssl crt-list /etc/hapee-3.0/certificate-list.txt" | \
  sudo socat stdio tcp4-connect:127.0.0.1:9999
output
text
/etc/hapee-3.0/certs/site.pem
/etc/hapee-3.0/certs/test.local.pem [alpn h2 ssl-min-ver TLSv1.2] test.local
/etc/hapee-3.0/certs/new_certificate.pem [alpn h2] mysite.local
output
text
/etc/hapee-3.0/certs/site.pem
/etc/hapee-3.0/certs/test.local.pem [alpn h2 ssl-min-ver TLSv1.2] test.local
/etc/hapee-3.0/certs/new_certificate.pem [alpn h2] mysite.local

Example workflow Jump to heading

This operation is generally performed as part of a series of transactions. An example is outlined below. This example demonstrates how to upload a new certificate, attach it to the load balancer’s running configuration, and store it in a CRT list with cipher and SNI parameters. An optional delete command is included at the end.

  1. Add a CRT list to your HAProxy Enterprise configuration file on a bind line:

    haproxy
    frontend fe_main
      mode http
      bind :80
      bind :443 ssl crt-list /etc/hapee-3.0/certificate-list.txt ## This file must exist and contain at least one certificate, self-signed, if need be.
      http-request redirect scheme https unless { ssl_fc }
      default_backend servers
    haproxy
    frontend fe_main
      mode http
      bind :80
      bind :443 ssl crt-list /etc/hapee-3.0/certificate-list.txt ## This file must exist and contain at least one certificate, self-signed, if need be.
      http-request redirect scheme https unless { ssl_fc }
      default_backend servers

  2. Use the new ssl cert command to create an empty slot for a certificate in HAProxy’s memory.

    nix
    echo -e "new ssl cert /etc/hapee-3.0/certs/new_certificate.pem" | \
      sudo socat stdio unix-connect:/var/run/hapee-3.0/hapee-lb.sock
    nix
    echo -e "new ssl cert /etc/hapee-3.0/certs/new_certificate.pem" | \
      sudo socat stdio unix-connect:/var/run/hapee-3.0/hapee-lb.sock
    output
    text
    New empty certificate store '/etc/hapee-3.0/certs/new_certificate.pem'!
    output
    text
    New empty certificate store '/etc/hapee-3.0/certs/new_certificate.pem'!

  3. Begin a transaction to upload the certificate into that slot by using the set ssl cert command.

    The new certificate should be in your local working directory.

    nix
    echo -e "set ssl cert /etc/hapee-3.0/certs/new_certificate.pem <<\n$(cat ./new_certificate.pem)\n" | \
      sudo socat stdio unix-connect:/var/run/hapee-3.0/hapee-lb.sock
    nix
    echo -e "set ssl cert /etc/hapee-3.0/certs/new_certificate.pem <<\n$(cat ./new_certificate.pem)\n" | \
      sudo socat stdio unix-connect:/var/run/hapee-3.0/hapee-lb.sock
    output
    text
    Transaction created for certificate /etc/hapee-3.0/certs/new_certificate.pem!
    output
    text
    Transaction created for certificate /etc/hapee-3.0/certs/new_certificate.pem!

  4. Commit the transaction:

    nix
    echo -e "commit ssl cert /etc/hapee-3.0/certs/new_certificate.pem" | \
      sudo socat stdio unix-connect:/var/run/hapee-3.0/hapee-lb.sock
    nix
    echo -e "commit ssl cert /etc/hapee-3.0/certs/new_certificate.pem" | \
      sudo socat stdio unix-connect:/var/run/hapee-3.0/hapee-lb.sock
    output
    text
    Committing /etc/hapee-3.0/certs/new_certificate.pem
    Success!
    output
    text
    Committing /etc/hapee-3.0/certs/new_certificate.pem
    Success!

  5. Add a line to the CRT list, to add the certificate, cipher suite, and SNI options:

    nix
    echo -e "add ssl crt-list /etc/hapee-3.0/certificate-list.txt <<\n/etc//haproxy/certs/new_certificate.pem [alpn h2] mysite.local\n" | \
      sudo socat stdio unix-connect:/var/run/hapee-3.0/hapee-lb.sock
    nix
    echo -e "add ssl crt-list /etc/hapee-3.0/certificate-list.txt <<\n/etc//haproxy/certs/new_certificate.pem [alpn h2] mysite.local\n" | \
      sudo socat stdio unix-connect:/var/run/hapee-3.0/hapee-lb.sock
    output
    text
    Inserting certificate '/etc/hapee-3.0/certs/new_certificate.pem' in crt-list '/etc//haproxy/certificate-list.txt'.
    Success!
    output
    text
    Inserting certificate '/etc/hapee-3.0/certs/new_certificate.pem' in crt-list '/etc//haproxy/certificate-list.txt'.
    Success!

  6. Use show ssl crt-list to verify that the CRT list was updated correctly:

    nix
    echo "show ssl crt-list /etc/hapee-3.0/certificate-list.txt" | \
      sudo socat stdio unix-connect:/var/run/hapee-3.0/hapee-lb.sock
    nix
    echo "show ssl crt-list /etc/hapee-3.0/certificate-list.txt" | \
      sudo socat stdio unix-connect:/var/run/hapee-3.0/hapee-lb.sock
    output
    text
    # /etc//haproxy/certificate-list.txt
    /etc/hapee-3.0/certs/site.pem
    /etc/hapee-3.0/certs/test.local.pem [alpn h2 ssl-min-ver TLSv1.2] test.local
    /etc/hapee-3.0/certs/new_certificate.pem [alpn h2] mysite.local
    output
    text
    # /etc//haproxy/certificate-list.txt
    /etc/hapee-3.0/certs/site.pem
    /etc/hapee-3.0/certs/test.local.pem [alpn h2 ssl-min-ver TLSv1.2] test.local
    /etc/hapee-3.0/certs/new_certificate.pem [alpn h2] mysite.local

  7. When needed, use del ssl crt-list to delete an entry from the CRT list in memory:

    nix
    echo -e "del ssl crt-list /etc/hapee-3.0/certificate-list.txt /etc/hapee-3.0/new_certificate.pem" | \
      sudo socat stdio unix-connect:/var/run/hapee-3.0/hapee-lb.sock
    nix
    echo -e "del ssl crt-list /etc/hapee-3.0/certificate-list.txt /etc/hapee-3.0/new_certificate.pem" | \
      sudo socat stdio unix-connect:/var/run/hapee-3.0/hapee-lb.sock
    output
    text
    Entry '/etc/hapee-3.0/new_certificate.pem' deleted in crtlist '/etc/hapee-3.0/certificate-list.txt'!
    output
    text
    Entry '/etc/hapee-3.0/new_certificate.pem' deleted in crtlist '/etc/hapee-3.0/certificate-list.txt'!

    Info

    This operation deletes the certificate only from the CRT list in memory. To make the deletion permanent, also delete the certificate from the CRT list file on disk. Then delete the certificate file.

See also Jump to heading

Do you have any suggestions on how we can improve the content of this page?

Previous page show ssl crl-file Next page show ssl ocsp-response
© 2024 HAProxy Technologies, LLC. All Rights Reserved
Manage Cookie Preferences