Is it possible, given the HAProxy 2.2 update, to add new CA certificates (for client cert validation), along with SSL server certificates, via the Realtime API?
For each new customer I’d like to add one line to crt-list file e.g.
customer1.pem [ca-file customer1CA.crt verify required] customer1.example.com
customer2.pem [ca-file customer2CA.crt verify required] customer2.example.com
No, that is not possible; you can only replace certificates used for SSL termination, not for SSL client cert validation.
Normally you’d have 1x root CA, and if you need to further restrict it, you’d use an intermediate CA from that root CA.
Thanks, it has saved me some time testing it myself. In the meantime I’ve found another solution which seems to work OK in my case: Truly Seamless Reloads with HAProxy – No More Hacks!
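Since per-customer entries in this setup are added by editing the crt-list file and reloading, a check before each reload helps catch an entry that silently skips client certificate validation. The following is an added example, not code from the thread or from the HAProxy project: a Python audit of crt-list lines in the single-line bracket form shown in the question. The function names and the sample entries are constructed for illustration.

```python
def opt_value(opts, key):
    """Return the token following `key` in the option list, or None."""
    if key in opts:
        i = opts.index(key)
        if i + 1 < len(opts):
            return opts[i + 1]
    return None


def audit_crt_list(text):
    """Map each certificate file to the problems found in its crt-list entry."""
    findings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        cert, _, rest = line.partition(" ")
        rest = rest.strip()
        opts, sni = [], rest.split()
        if rest.startswith("["):
            end = rest.find("]")
            if end == -1:
                findings[cert] = ["unterminated option block"]
                continue
            opts = rest[1:end].split()
            sni = rest[end + 1:].split()
        problems = []
        if opt_value(opts, "ca-file") is None:
            problems.append("no ca-file")
        verify = opt_value(opts, "verify")
        if verify != "required":
            problems.append(f"verify is {verify or 'unset'}, not required")
        if not sni:
            problems.append("no SNI filter")
        if problems:
            findings[cert] = problems
    return findings


# Constructed sample: first line matches the question, the others are deliberately weak.
SAMPLE = """\
customer1.pem [ca-file customer1CA.crt verify required] customer1.example.com
customer2.pem [ca-file customer2CA.crt verify optional] customer2.example.com
customer3.pem customer3.example.com
"""

if __name__ == "__main__":
    for cert, problems in audit_crt_list(SAMPLE).items():
        print(cert, "->", "; ".join(problems))
```

An entry without its own bracketed options inherits whatever the `bind` line sets, so a reported "unset" means the entry itself does not pin a CA, not necessarily that verification is off.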