Hi list,

My project is to write a dynamic update of the SSL certificates. I
encountered some cases where haproxy deals with many websites, and it
would be great if we could replace / add certificates without restarting

I'm looking for some opinions or advice.

I need to:

 - list the currently loaded certificate IDs (embedding ECDSA).

 - add or replace certificates embedding the 3 certificate versions
   RSA/DSA/ECDSA and the SNI filter.

 - Delete SNI entries (and the certificates if it is the last one)

For the listing of the certificates, I need to scan the content of the
OpenSSL SSL_CTX and extract the certificate IDs. It seems impossible;
OpenSSL does not seem to give a method for doing this. So I propose to
memorize the certificate IDs when each certificate is added in a

For the list:

   show ssl [proxy/listener]

This command lists all certificates by SNI for a listener. If the
proxy/listener is not specified, the command lists the available proxies, and

For the replacement or update, I propose some CLI commands like this:

   set ssl certificate begin proxy/listener [sni filters]

This command creates a new SSL context that will be filled with the
following commands. If a previous context exists, it is destroyed. This
is incompatible with concurrent access to the CLI.

   set ssl certificate (any|rsa|ecdsa|dsa)
   <dump PEM certificate containing cert, intermediates and private key>

The difficulty is to mark the end of the certificate, so I propose to
mark the end with the string "\nEOF\n".

   set ssl certificate commit

This command validates, installs new certificates and removes old

And finally this command destroys an existing certificate:

   del ssl certificate proxy/listener id

Any ideas or comments?


Thierry Fournier
m: +33 6 68 69 21 85      | e: thierry.fourn...@ozon.io
w: http://www.ozon.io/    | b: http://blog.ozon.io/
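The begin / typed PEM dump / EOF / commit transaction proposed in the message above, replayed by a small Python state machine (an added example for illustration, not code from the message or from HAProxy): it reads each PEM dump up to the line holding only EOF, checks that every bundle carries at least one certificate and exactly one private key, and refuses a commit that would install an incomplete bundle so the previously installed certificates stay in place. The del command and certificate IDs are left out because the message does not define the ID; the session text and placeholder PEM bodies are constructed.

```python
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\n.*?-----END \1-----", re.S)
KEY_TYPES = {"any", "rsa", "ecdsa", "dsa"}

def check_bundle(pem):
    # A dump must hold at least one certificate and exactly one private key.
    labels = [m.group(1) for m in PEM_BLOCK.finditer(pem)]
    keys = sum(1 for label in labels if label.endswith("PRIVATE KEY"))
    return labels.count("CERTIFICATE") >= 1 and keys == 1

def run_session(lines):
    # Replay CLI lines; an installed entry is replaced only by a commit that validates.
    installed, log, pending = {}, [], None
    it = iter(lines)
    for line in it:
        w = line.split()
        if w[:3] != ["set", "ssl", "certificate"] or len(w) < 4:
            log.append("unknown command: " + line)
            continue
        verb = w[3]
        if verb == "begin" and len(w) >= 5:
            if pending is not None:       # "begin" again destroys the old context
                log.append("uncommitted context destroyed")
            pending = {"target": w[4], "sni": w[5:], "certs": {}}
        elif verb in KEY_TYPES and pending is not None:
            buf = []
            for body in it:               # PEM dump ends at a line holding only EOF
                if body == "EOF":
                    break
                buf.append(body)
            pending["certs"][verb] = "\n".join(buf) + "\n"
        elif verb == "commit" and pending is not None:
            bad = [k for k, p in pending["certs"].items() if not check_bundle(p)]
            if bad or not pending["certs"]:
                log.append("commit rejected, old certificates kept")
            else:
                installed[pending["target"]] = pending
                log.append("committed " + pending["target"])
            pending = None
        else:
            log.append("out of sequence: " + line)
    return installed, log

# Constructed session with placeholder base64 (not a real cert or key); not HAProxy code.
SAMPLE = ["set ssl certificate begin www/https example.com *.example.com",
          "set ssl certificate ecdsa", "-----BEGIN CERTIFICATE-----",
          "MIIB.placeholder.", "-----END CERTIFICATE-----", "-----BEGIN EC PRIVATE KEY-----",
          "MHcC.placeholder.", "-----END EC PRIVATE KEY-----", "EOF", "set ssl certificate commit"]
```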

