Hi,
Yes. Showing the chain-filename would be very helpful. For that, I think a good way would be to keep ckch->chain and ckch->issuer with the value (or NULL) from the PEM/<payload>, and resolve chain and ocsp_issuer when needed. « show ssl cert » will be able to find the origin of the chain (and ocsp_issuer) without storing a new state. The drawback(?) is that the .issuer file will be loaded, in every case, if present.
Patch series to do that:
example:
Issuer: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
Chain filename: /etc/haproxy/issuers/letsencryptEC.pem
Rebased with current dev branch.
++ Manu
0001-MINOR-ssl-move-find-certificate-chain-code-to-its-ow.patch
0002-MINOR-ssl-resolve-issuers-chain-later.patch
0003-MINOR-ssl-resolve-ocsp_issuer-later.patch
0004-MINOR-ssl-show-ssl-cert-command-should-print-the-Cha.patch