Can you explain what the overall goal is? I suspect that even if you could dynamically generate new certificates on the fly, the overhead to do so would be prohibitively expensive.
If you are attempting to do this for security, it's probably worth pointing out that it is insanely easy to configure HAProxy to use only strong ciphers that support perfect forward secrecy. Put simply, it negotiates a new and unique 'session key' (called an ephemeral key) between the client and server on each new session.

If you are attempting to do this for another reason, maybe you could describe the end goal. Almost certainly there is a more scalable option than dynamically generating new certificates as described.

On Sep 4, 2015 5:34 PM, "Michael Rennecke" <[email protected]> wrote:
> Hello,
>
> is it possible with HAProxy to generate a certificate for each
> incoming hostname on the fly? I will use a subca for HAProxy. I think
> generating the certificates on the fly is cooler than a certificate
> for each hostname.
>
> I found possibilities to generate the certificate, but this doesn't
> work :-(
>
> bind unix@/var/run/haproxy_ssl_ecc.sock accept-proxy ssl crt /etc/haproxy/ecc_star.rennecke.dyndns.dk.pem ca-sign-file /etc/haproxy/ecc_subca.pem ecdhe secp521r1 user nobody generate-certificates
>
> ecc_subca.pem includes the subca and the key. The key has no pass
> phrase. I will balance some other (fun) TLDs with haproxy - my small
> home automation project
>
> Cheers,
> Michael
>
> --
> My current project:
> https://0rph3us.github.io/
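The two things discussed in this thread, as an added configuration example that is not from either message: a `bind` restricted to ECDHE cipher suites (each handshake derives the session key from a fresh ephemeral EC key pair, so the certificate's private key alone never decrypts recorded traffic), a deliberately weak `bind` beside it for contrast, and the on-the-fly certificate generation that was asked about, which needs HAProxy 1.6 or later. The frontend names, ports, paths and hostnames are assumptions.

```haproxy
global
    # Assumed paths and ports throughout; adjust to your deployment.
    tune.ssl.default-dh-param 2048
    # Applies to every 'bind ... ssl' that does not set its own 'ciphers'.
    # ECDHE-only: the premaster secret comes from an ephemeral ECDH exchange,
    # not from encrypting it under the server's RSA key, so a later compromise
    # of the certificate key does not expose past sessions (forward secrecy).
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256
    # Old protocol versions have no ECDHE+AEAD suites. Session tickets are
    # turned off because a ticket key that is never rotated can recover the
    # master secret of every resumed session, which undoes forward secrecy.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11 no-tls-tickets

frontend fe_weak
    # WEAK, shown for contrast only: 'AES128-SHA' is TLS_RSA_WITH_AES_128_CBC_SHA.
    # Its key exchange is static RSA, so whoever obtains the certificate's
    # private key can decrypt any captured session that negotiated it.
    bind :8443 ssl crt /etc/haproxy/certs/www.example.pem ciphers AES128-SHA:ECDHE-RSA-AES128-SHA
    default_backend be_app

frontend fe_https
    # Strong: inherits ssl-default-bind-ciphers. 'ecdhe' selects the curve
    # used for the ephemeral key exchange; 'crt' on a directory loads every
    # certificate in it and picks one by SNI.
    bind :443 ssl crt /etc/haproxy/certs/ ecdhe secp384r1
    default_backend be_app

frontend fe_generate
    # On-the-fly certificates. For an SNI name that no loaded certificate
    # matches, HAProxy signs a new one with the CA in 'ca-sign-file' and
    # caches it. That file must hold the CA certificate and its private key;
    # an encrypted key additionally needs 'ca-sign-pass <passphrase>'.
    # Clients only accept the generated certificate if they trust that CA.
    bind :8444 ssl crt /etc/haproxy/certs/default.pem ca-sign-file /etc/haproxy/ecc_subca.pem generate-certificates ecdhe secp384r1
    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080 check
```

Validate the file with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading. To confirm the weak frontend really does accept a non-PFS suite and the strong one refuses it, connect with `openssl s_client -connect host:8443 -cipher AES128-SHA` and repeat against port 443; the second handshake should fail.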

