Intermediate client CA

Question regarding the configuration of client certificate authentication.
Using the “ca-file” I can specify a CA that issues approved client certificates,
but what if that is an intermediate CA? How do I configure the trusted root CA?
I don’t want to allow client certificates issued directly from the root ca…
E.g., I have an intermediate CA called “Client Sub CA” that is signed by “Root CA”.
If I only specify the “Client Sub CA” in the ca-file haproxy cannot build a complete chain since it
does not know about “Root CA”, but if I concatenate “Root CA” into the ca-file it also
accepts client-certificates issued directly from the “Root CA”.
Is it possible to only accept client certificates issued from “Client Sub CA”?
I.e., use a separate ca-bundle for complementary ca-certs (like /etc/pki, which haproxy does not seem to use)?

Did you actually try that or are you assuming? Seems strange to me.

Yes, of course I tried it.
And yes, I think it is strange as well; you should be able to specify client CAs and trusted CAs independently of each other.

Does it work when using the intermediate CA and “ca-ignore-err all” is set? If yes, then set:

http-request set-header X-SSL-Client-Verify %[ssl_c_verify]

And check what error code haproxy is returning (you will see it in the HTTP header towards your backend). Or you can also log this with the custom log format.
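
The diagnostic suggested in the last reply, written out as a full frontend. This is an added example, not part of the thread; the file paths, the port, and the names fe_mtls, be_app and app1 are assumptions.

```haproxy
# Added diagnostic example. Paths, port and section names are placeholders.
global
    log stdout format raw local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_mtls
    # ca-file contains only the intermediate ("Client Sub CA") for this test.
    # "ca-ignore-err all" ignores verification errors at depth > 0 so the
    # handshake is not aborted and the error can be inspected. Diagnostic
    # only: remove it once the error code is known.
    bind :8443 ssl crt /etc/haproxy/certs/server.pem ca-file /etc/haproxy/certs/client-sub-ca.pem verify required ca-ignore-err all

    # Header from the thread: verify result error ID, 0 when there is no error.
    http-request set-header X-SSL-Client-Verify %[ssl_c_verify]

    # Same information in the log, plus the first CA-level error, the chain
    # depth at which it occurred, and the issuer and subject DNs presented.
    log-format "%ci:%cp verify=%[ssl_c_verify] ca_err=%[ssl_c_ca_err] ca_err_depth=%[ssl_c_ca_err_depth] issuer=%{+Q}[ssl_c_i_dn] subject=%{+Q}[ssl_c_s_dn]"

    default_backend be_app

backend be_app
    server app1 127.0.0.1:8080
```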