How to manage huge number of dynamic certificates with HAProxy?

Hi,

I am using HAProxy and I have crt-list configured (bind :443 ssl crt-list /etc/haproxy/crt-list.txt) to load certificates from a directory (I handle certificates of multiple domains) and I route according to the URL pattern. Everything works well, as expected.

As I understand, when the HAProxy server comes up, it will read all certificates from the directory and store them in memory / cache. For new certificates that need to be added / existing ones that need to be modified, the API can be used. In this scenario, I am a little concerned about the performance, like when more certificates come up (I am thinking in a futuristic way, handling 10000s of certificates), how to balance the load and all. Also, the crt-list file will get populated with too many entries, which becomes really hard to manage.

Could somebody kindly tell me what all needs to be considered and how to address the situation?

Thanks in advance.

Put the certificates into a directory and point crt to that directory path.

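As an added illustration of the directory approach (this is an example configuration written for this thread, not something posted by the participants): with `crt` pointing at a directory, HAProxy loads every certificate file found there at startup and selects one per connection by matching the client's SNI against the names in each certificate. The paths and the frontend/backend names below are assumptions; `strict-sni` is included because without it HAProxy answers an unknown SNI with the first certificate it loaded, which is rarely what you want when hosting many unrelated domains, and the admin socket is what the runtime certificate commands talk to.

```haproxy
global
    # Admin-level runtime socket: needed to inspect or update certificates
    # without a reload ("show ssl cert", "set ssl cert", ...). Keep it root/group-only.
    stats socket /var/run/haproxy.sock mode 660 level admin
    ssl-default-bind-options ssl-min-ver TLSv1.2

frontend https
    # Every certificate file in the directory is loaded at startup and chosen by SNI.
    # strict-sni: abort the handshake when no loaded certificate matches the SNI,
    # instead of falling back to the first certificate in the directory.
    bind :443 ssl crt /etc/haproxy/certs/ strict-sni
    default_backend app

backend app
    server app1 127.0.0.1:8080
```

Check the result with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading; a directory with a broken PEM in it fails the whole bind at startup, so validate files before dropping them there.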

@lukastribus thanks for the suggestion :+1:

Do you have any advice regarding handling the load, improve efficiency, and minimize response time?

Thanks.

You need enough RAM and you also need to know that during the reload and until the old process is closed (which can take some time when old connections lurk around) you need twice the RAM. If an old process from a prior reload still runs, you need 3x the amount of RAM, and so on.

So you need to carefully plan RAM usage based on the number of certificates, maxconn values and other features, combined with the number of parallel instances that may be running due to reloads.
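One way to sidestep the reload-time RAM multiplication described above, and the "API can be used" remark in the original question, is to push new or renewed certificates into the running process over the admin socket instead of reloading. The script below is an added example written for this thread, not code from the participants or the HAProxy project. It uses the documented HAProxy Runtime API commands (`new ssl cert`, `set ssl cert` with a payload, `commit ssl cert`, `add ssl crt-list`), which require HAProxy 2.2 or newer and a `stats socket ... level admin`. The socket path, crt-list path, the certificate names and `socat` as the transport are assumptions to adjust to your setup.

```shell
#!/bin/sh
# Added example: hot-add or renew a certificate in a running HAProxy over its
# Runtime API, so no reload (and no second process doubling the RAM) is needed.
# Assumed (hypothetical) paths; override via environment variables.
HAPROXY_SOCK="${HAPROXY_SOCK:-/var/run/haproxy.sock}"
CRT_LIST="${CRT_LIST:-/etc/haproxy/crt-list.txt}"

# Build the payload form HAProxy expects for "set ssl cert":
#   set ssl cert <name> <<
#   <PEM contents>
#   <empty line terminates the payload>
cert_set_payload() {
    # $1 = name HAProxy knows the certificate by, $2 = PEM file on disk
    printf 'set ssl cert %s <<\n' "$1"
    cat "$2"
    printf '\n\n'
}

# Fail early on a file that is not a cert+key bundle; HAProxy would reject it
# later, but it is better to never open a transaction for garbage input.
pem_is_sane() {
    grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# Send one command (read from stdin) to the admin socket; one connection per command.
hap() {
    socat stdio "unix-connect:$HAPROXY_SOCK"
}

# Register a certificate HAProxy has never seen and attach it to the crt-list.
# Order matters: create the empty slot, fill it, commit, then reference it.
add_cert() {
    name="$1"; pem="$2"
    pem_is_sane "$pem" || { echo "refusing $pem: not a certificate+key PEM" >&2; return 1; }
    echo "new ssl cert $name"               | hap
    cert_set_payload "$name" "$pem"         | hap
    echo "commit ssl cert $name"            | hap
    echo "add ssl crt-list $CRT_LIST $name" | hap
}

# Renewal: replace the contents of a certificate that is already loaded.
# The crt-list entry stays as it is, so no "add ssl crt-list" is needed.
update_cert() {
    name="$1"; pem="$2"
    pem_is_sane "$pem" || { echo "refusing $pem: not a certificate+key PEM" >&2; return 1; }
    cert_set_payload "$name" "$pem" | hap
    echo "commit ssl cert $name"    | hap
}

# Verify what HAProxy actually holds for a name (serial, dates, SANs).
show_cert() {
    echo "show ssl cert $1" | hap
}

case "${1:-}" in
    add)    add_cert    "$2" "$3" ;;   # ./certs.sh add    /etc/haproxy/certs/example.com.pem ./new.pem
    update) update_cert "$2" "$3" ;;   # ./certs.sh update /etc/haproxy/certs/example.com.pem ./renewed.pem
    show)   show_cert   "$2" ;;        # ./certs.sh show   /etc/haproxy/certs/example.com.pem
    *)      ;;                         # no arguments: only define the functions
esac
```

Two caveats a practitioner should keep in mind: the change lives only in the running process, so the file on disk (and the crt-list, if you added an entry) must also be updated or the next reload silently drops it; and the admin socket can replace any certificate HAProxy serves, so restrict its filesystem permissions as tightly as the private keys themselves.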

thanks @lukastribus :pray: