I have a project to write a dynamic update of the SSL certificates. I
encountered some cases where haproxy deals with many websites, and it
would be great if we could replace / add certificates without restarting
I'm looking for some opinions or advice.
I need to:
- list the IDs of the currently loaded certificates (embedding ECDSA).
- add or replace certificates embedding the 3 certificate versions
RSA/DSA/ECDSA and the SNI filter.
- Delete SNI entries (and the certificate if it is the last one)
For the listing of the certificates, I need to scan the content of the
OpenSSL SSL_CTX and extract the certificate IDs. It seems impossible;
OpenSSL does not seem to give a method for doing this. So I proposed to
memorize the certificate IDs when each certificate is added in a
For the list:
show ssl [proxy/listener]
This command lists all certificates by SNI for a listener. If the
proxy/listener is not specified, the command lists the available proxies, and
For the replacement or update, I propose some CLI commands like this:
set ssl certificate begin proxy/listener [sni filters]
This command creates a new SSL context which will be filled with the
following commands. If a previous context exists, it is destroyed. This
is incompatible with concurrent access to the CLI.
set ssl certificate (any|rsa|ecdsa|dsa)
<dump PEM certificate containing cert, intermediates and private key>
The difficulty is to mark the end of the certificate, so I propose to
mark the end with the string "\nEOF\n".
set ssl certificate commit
This command validates, installs the new certificates and removes the old
And finally this command destroys an existing certificate:
del ssl certificate proxy/listener id
Any ideas or comments?
m: +33 6 68 69 21 85 | e: thierry.fourn...@ozon.io
w: http://www.ozon.io/ | b: http://blog.ozon.io/
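A toy model of the transactional CLI proposed in the post, added here as an example; it is not HAProxy code and not the author's patch. The command syntax (begin / <kind> followed by a PEM dump terminated by EOF / commit), the rule that a new begin destroys an unfinished transaction, and the "any" kind come from the post. Everything else is an assumption of this example: the certificate ID is the SHA-1 of the leaf certificate's DER; bundles are checked structurally only (balanced PEM armour, valid base64, exactly one private key, leaf certificate first, unencrypted PEM, other block types ignored); `show ssl` and `del ssl certificate` are not modelled; and the listener name `frontend1/https`, the SNI names and the PEM payloads in `demo()` are constructed (base64 of arbitrary bytes, not real certificates or keys).

```python
import base64
import hashlib
import re

# Added example, not HAProxy code: a toy model of the transactional CLI sketched in the post.
KEY_LABELS = {"RSA PRIVATE KEY": "rsa", "EC PRIVATE KEY": "ecdsa",
              "DSA PRIVATE KEY": "dsa", "PRIVATE KEY": "any"}  # PKCS#8 does not reveal the kind
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n(.*?)\n-----END \1-----", re.S)
END_MARKER = "EOF"  # the "\nEOF\n" delimiter proposed in the post


class CliError(Exception):
    pass


def parse_bundle(pem):
    """Structural checks only (no X.509 parsing, unencrypted PEM assumed, other block types
    ignored): valid base64, >= 1 CERTIFICATE with the leaf first, exactly 1 private key."""
    certs, keys = [], []
    for label, body in PEM_BLOCK.findall(pem):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError
            raise CliError(f"bad base64 in {label}: {exc}")
        if label == "CERTIFICATE":
            certs.append(der)
        elif label in KEY_LABELS:
            keys.append(KEY_LABELS[label])
    if not certs or len(keys) != 1:
        raise CliError(f"need >= 1 certificate and exactly 1 key, got {len(certs)}/{len(keys)}")
    # The SSL_CTX cannot be enumerated, so an id is remembered per certificate (assumption: SHA-1 of leaf DER)
    return keys[0], hashlib.sha1(certs[0]).hexdigest()


class SslStore:
    def __init__(self):
        self.listeners = {}  # "proxy/listener" -> {sni: {kind: (certificate id, PEM bundle)}}
        self.pending = None  # the single in-flight transaction: one CLI client at a time

    def begin(self, listener, snis):  # as proposed, a new begin destroys an unfinished one
        self.pending = {"listener": listener, "snis": list(snis) or ["*"], "bundles": {}}

    def add(self, kind, pem):
        if self.pending is None:
            raise CliError("no transaction: run 'set ssl certificate begin' first")
        key_kind, cert_id = parse_bundle(pem)
        kind = key_kind if kind == "any" else kind  # "any": infer from a legacy key header
        if kind not in ("any", "rsa", "ecdsa", "dsa") or key_kind not in ("any", kind):
            raise CliError(f"declared {kind} but the key is {key_kind}")
        self.pending["bundles"][kind] = (cert_id, pem)

    def commit(self):
        if not self.pending or not self.pending["bundles"]:
            raise CliError("nothing to commit")
        tx, self.pending = self.pending, None
        table = self.listeners.setdefault(tx["listener"], {})
        for sni in tx["snis"]:  # the whole slot is replaced, so old variants are unloaded
            table[sni] = dict(tx["bundles"])


def run_session(store, text):
    """Feed a CLI transcript; after 'set ssl certificate <kind>' the PEM is read up to 'EOF'."""
    lines = iter(text.splitlines())
    for line in lines:
        words = line.split()
        if words[:4] == ["set", "ssl", "certificate", "begin"]:
            store.begin(words[4], words[5:])
        elif words[:4] == ["set", "ssl", "certificate", "commit"]:
            store.commit()
        elif words[:3] == ["set", "ssl", "certificate"] and len(words) == 4:
            pem = []
            for pem_line in lines:
                if pem_line == END_MARKER:
                    break
                pem.append(pem_line)
            else:
                raise CliError("PEM dump not terminated by EOF")
            store.add(words[3], "\n".join(pem) + "\n")
        elif words:
            raise CliError(f"unknown command: {line}")
    return store


def fake_pem(label, payload):  # constructed test data: PEM framing around arbitrary bytes
    b64 = base64.b64encode(payload).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def demo():  # one transaction installs RSA and ECDSA variants for two SNIs (names constructed)
    rsa = (fake_pem("CERTIFICATE", b"constructed RSA leaf" * 4)
           + fake_pem("CERTIFICATE", b"constructed intermediate")
           + fake_pem("RSA PRIVATE KEY", b"constructed rsa key"))
    ec = fake_pem("CERTIFICATE", b"constructed EC leaf" * 4) + fake_pem("EC PRIVATE KEY", b"k")
    transcript = ("set ssl certificate begin frontend1/https example.com www.example.com\n"
                  f"set ssl certificate rsa\n{rsa}EOF\nset ssl certificate any\n{ec}EOF\n"
                  "set ssl certificate commit\n")
    return run_session(SslStore(), transcript)
```

Reading the dump up to a line that is exactly `EOF` cannot collide with the certificate itself: PEM armour lines start with `-----` and every base64 line has a length that is a multiple of 4 (64 for full lines), so a 3-character line never occurs inside an unencrypted PEM dump. The single `pending` slot is the code equivalent of the post's warning about concurrent CLI access: a second client issuing `begin` silently discards the first client's partial transaction, which is why a real implementation would want to tie the transaction to the CLI session that opened it.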