HAProxy community

Hot-update client CA certificates via Runtime API

Is it possible, given the HAProxy 2.2 update, to add new CA certificates (for client cert validation), along with SSL server certificates, via the Runtime API?

For each new customer I’d like to add one line to the crt-list file, e.g.

customer1.pem [ca-file customer1CA.crt verify required] customer1.example.com
customer2.pem [ca-file customer2CA.crt verify required] customer2.example.com

No, that is not possible, you can only replace certificates used for SSL termination, not for SSL client cert validation.

Normally you’d have 1x root CA, and if you need to further restrict it, you’d use an intermediate CA from that root CA.

Thanks, it has saved me some time testing it myself :wink:
In the meantime I’ve found another solution which seems to work OK in my case:
Truly Seamless Reloads with HAProxy – No More Hacks!