I will build a home automation project (seafile, temperature sensor, OpenVPN, print server, ...). All SSL connections are terminated on a HAProxy. If you use multiple domains, for example a dyndns domain for the internal stuff, a domain for the blog, a domain inside the house. OpenVPN comes with a cool tool, easy-rsa. It is easy to build a CA with a SubCA and generate certificates. It is possible to generate the certificates for all domains.

Actually, I use SNI and a pre-generated certificate. A buddy mentioned (he works on the same project) that a SubCA and the certificate generation is cooler. We will use elliptic curves for the CA. All our clients can handle elliptic curve certificates.

best,
Michael

On 05.09.2015 04:16, Jeff Palmer wrote:
> Can you explain what the overall goal is? I suspect that even if
> you could dynamically generate new certificates on the fly, the
> overhead to do so would be prohibitively expensive.
>
> If you are attempting to do this for security, it's probably worth
> pointing out that it is insanely easy to configure HAProxy to use
> only strong ciphers that support perfect forward secrecy. Put
> simply, it negotiates a new and unique 'session key' (called an
> ephemeral key) between the client and server on each new session.
>
> If you are attempting to do this for another reason, maybe you
> could describe the end goal. Almost certainly there is a more
> scalable option than dynamically generating new certificates as
> described.
>
> On Sep 4, 2015 5:34 PM, "Michael Rennecke"
> <michael.renne...@gmail.com <mailto:michael.renne...@gmail.com>>
> wrote:
>
> Hello,
>
> is it possible with HAProxy to generate a certificate for each
> incoming hostname on the fly? I will use a SubCA for HAProxy. I think
> generating the certificates on the fly is cooler than a
> certificate for each hostname.
>
> I found possibilities to generate the certificate, but this
> doesn't work :-(
>
>     bind unix@/var/run/haproxy_ssl_ecc.sock accept-proxy ssl \
>         crt /etc/haproxy/ecc_star.rennecke.dyndns.dk.pem \
>         ca-sign-file /etc/haproxy/ecc_subca.pem \
>         ecdhe secp521r1 user nobody generate-certificates
>
> ecc_subca.pem includes the SubCA and the key. The key has no
> passphrase. I will balance some other (fun) TLDs with HAProxy - my
> small home automation project
>
> Cheers, Michael

-- 
My current project: https://0rph3us.github.io/
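The thread asks how to feed a SubCA to HAProxy's `ca-sign-file` / `generate-certificates`. The script below is an added example, not code from the original thread, from HAProxy or from easy-rsa: it builds an ECC root CA and an ECC SubCA with plain openssl, writes the single PEM file (certificate followed by its unencrypted key) that `ca-sign-file` expects, and restricts the SubCA with an X.509 name constraint so that the key sitting on the proxy can only sign names under one domain. The domain rennecke.dyndns.dk is taken from the posted bind line; the directory layout, CA subject names and the two leaf hostnames are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the original thread): ECC root CA + name-constrained
# ECC SubCA, emitted in the one-file format HAProxy's "ca-sign-file" expects.
# Paths, CA names and leaf hostnames are hypothetical.
set -eu

# Minimal req config so the script does not depend on the system openssl.cnf;
# the subject is always passed with -subj, so the [dn] section stays empty.
write_req_cnf() {
    printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$1/req.cnf"
}

# build_subca <dir> <domain>: the SubCA may only sign names under <domain>.
build_subca() {
    dir=$1; domain=$2
    mkdir -p "$dir"
    write_req_cnf "$dir"

    # Root CA: P-384 key, self-signed, 10 years. Keep root.key offline in a
    # real deployment; only subca.* ever goes on the proxy.
    openssl ecparam -name secp384r1 -genkey -noout -out "$dir/root.key"
    openssl req -new -key "$dir/root.key" -config "$dir/req.cnf" \
        -subj "/CN=Home Root CA" -out "$dir/root.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' \
        > "$dir/root.ext"
    openssl x509 -req -in "$dir/root.csr" -signkey "$dir/root.key" -sha384 \
        -days 3650 -extfile "$dir/root.ext" -out "$dir/root.crt"

    # SubCA: P-256 so every client can validate it. pathlen:0 means it may
    # sign leaves only, and the name constraint limits which DNS names a
    # leaked key, or any SNI a client presents, can obtain a certificate for.
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/subca.key"
    openssl req -new -key "$dir/subca.key" -config "$dir/req.cnf" \
        -subj "/CN=Home HAProxy SubCA" -out "$dir/subca.csr"
    cat > "$dir/subca.ext" <<EOF
basicConstraints=critical,CA:TRUE,pathlen:0
keyUsage=critical,keyCertSign,cRLSign
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid:always
nameConstraints=critical,permitted;DNS:$domain
EOF
    openssl x509 -req -in "$dir/subca.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -sha256 -days 1825 -extfile "$dir/subca.ext" -out "$dir/subca.crt"

    # ca-sign-file format: certificate, then the key, one PEM file, no
    # passphrase (HAProxy cannot prompt; "ca-sign-pass" exists if you must).
    cat "$dir/subca.crt" "$dir/subca.key" > "$dir/ecc_subca.pem"
    chmod 600 "$dir/ecc_subca.pem" "$dir"/*.key
}

# issue_leaf <dir> <hostname> <basename>: sign a leaf with the SubCA, the same
# way HAProxy would for an incoming SNI, so the constraint can be exercised.
issue_leaf() {
    dir=$1; name=$2; out=$3
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$out.key"
    openssl req -new -key "$dir/$out.key" -config "$dir/req.cnf" \
        -subj "/CN=$name" -out "$dir/$out.csr"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\nauthorityKeyIdentifier=keyid\n' "$name" \
        > "$dir/$out.ext"
    openssl x509 -req -in "$dir/$out.csr" -CA "$dir/subca.crt" -CAkey "$dir/subca.key" \
        -CAcreateserial -sha256 -days 30 -extfile "$dir/$out.ext" -out "$dir/$out.crt"
}

# chain_ok <dir> <basename>: 0 if root -> subca -> leaf validates, 1 otherwise.
# The text output is checked rather than the exit code because old openssl
# releases exited 0 even when verification failed.
chain_ok() {
    dir=$1; leaf=$2
    openssl verify -CAfile "$dir/root.crt" -untrusted "$dir/subca.crt" \
        "$dir/$leaf.crt" 2>&1 | grep -q ': OK$'
}

demo() {
    dir=$1
    build_subca "$dir" rennecke.dyndns.dk
    issue_leaf "$dir" seafile.rennecke.dyndns.dk inside     # within constraint
    issue_leaf "$dir" blog.example.org outside              # outside constraint
    if chain_ok "$dir" inside;  then echo "inside:  OK";       fi
    if chain_ok "$dir" outside; then echo "outside: OK (BUG)"; else echo "outside: rejected"; fi
    echo "ca-sign-file for HAProxy: $dir/ecc_subca.pem"
}

# Usage: ./subca.sh /etc/haproxy/ca   (no argument: only define the functions)
if [ $# -ge 1 ]; then demo "$1"; fi
```

With the output directory in place, the posted bind line stays as it is except that `ca-sign-file` points at `<dir>/ecc_subca.pem`; `crt` still needs a default certificate, and clients must trust `root.crt`, not the SubCA. Two points worth keeping in mind with this feature: HAProxy mints a certificate for whatever SNI the client sends, so the name constraint is what stops a stray SNI from yielding a signed certificate for a foreign domain, and generated certificates are cached in memory (the cache size is `tune.ssl.ssl-ctx-cache-size`, 1000 entries by default), which is what keeps the cost that Jeff worries about off the hot path.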