On 9/28/2016 9:13 AM, robert johnson wrote:
> I tried searching the mailing list with no luck. Anyway, here is my
> question:
>
> Why does haproxy require the private key in the PEM file when
> terminating SSL?
>
> Other web servers only require the cert....
As Andrew mentioned, all SSL server products require the private key in order to do TLS/SSL. For correct validation on the client side, servers must also include intermediate certificates in the client/server negotiation.

Some programs have separate config options for keyfiles and intermediate certs, some don't. I think haproxy only has one config file option (crt), so in that case, everything must be in the one config file.

Because it makes configuration tracking easier, I personally use combined cert/key files for Apache too -- I just leave out the extra config options and only inform it about the Cert file. Apache can figure out that what it needs is contained there.

Maintaining tight permissions on any file containing a key (or the passphrase for a key) is a good idea.

Thanks,
Shawn
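An added example (not part of the thread, and not haproxy's own code) of what the reply describes: assembling the single PEM bundle that haproxy's `crt` option reads, in the conventional order of server certificate, then intermediates, then the private key, and creating the file with owner-only permissions. The PEM bodies below are constructed placeholders, not real certificates or keys, and `build_bundle`/`write_bundle` are names chosen for this example.

```python
import os
import re
import stat
import tempfile

# Constructed placeholder PEM blocks: the BEGIN/END markers are real,
# the bodies are stand-ins for base64 content, not real key material.
SERVER_CERT = "-----BEGIN CERTIFICATE-----\nSERVERCERTBASE64\n-----END CERTIFICATE-----\n"
INTERMEDIATE = "-----BEGIN CERTIFICATE-----\nINTERMEDIATEBASE64\n-----END CERTIFICATE-----\n"
PRIVATE_KEY = "-----BEGIN PRIVATE KEY-----\nKEYBASE64\n-----END PRIVATE KEY-----\n"

# One PEM block: matching BEGIN/END labels (CERTIFICATE, PRIVATE KEY, EC PRIVATE KEY, ...).
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?\n-----END \1-----\n", re.S)


def pem_block_types(text):
    """Return the label of every PEM block in `text`, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def build_bundle(server_cert, intermediates, private_key):
    """Concatenate server cert, intermediates (leaf towards root) and key
    into the one-file form haproxy's `crt` option expects. Rejects parts
    that are not the block type their argument position claims."""
    if pem_block_types(server_cert) != ["CERTIFICATE"]:
        raise ValueError("server_cert must be exactly one CERTIFICATE block")
    for inter in intermediates:
        if pem_block_types(inter) != ["CERTIFICATE"]:
            raise ValueError("each intermediate must be one CERTIFICATE block")
    key_types = pem_block_types(private_key)
    if len(key_types) != 1 or not key_types[0].endswith("PRIVATE KEY"):
        raise ValueError("private_key must be exactly one PRIVATE KEY block")
    return server_cert + "".join(intermediates) + private_key


def write_bundle(bundle, directory=None, name="site.pem"):
    """Create the bundle file with mode 0600 at creation time (no window
    where a default-umask file holds the key). Returns (path, mode)."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(bundle)
    return path, stat.S_IMODE(os.stat(path).st_mode)
```

This checks structure and permissions only; confirming that the key actually belongs to the certificate still needs openssl or a crypto library.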

