Intermediate client CA


#1

Question regarding the configuration of client certificate authentication.
Using the “ca-file” I can specify a CA that issues approved client certificates,
but what if that is an intermediate CA? How do I configure the trusted root CA?
I don’t want to allow client certificates issued directly from the root ca…
E.g., I have an intermediate CA called “Client Sub CA” that is signed by “Root CA”.
If I only specify the “Client Sub CA” in the ca-file, HAProxy cannot build a complete chain since it
does not know about “Root CA”, but if I concatenate “Root CA” into the ca-file it also
accepts client certificates issued directly from the “Root CA”.
Is it possible to only accept client certificates issued from “Client Sub CA”?
I.e., use a separate ca-bundle for complementary CA certs (like /etc/pki, which HAProxy does not seem to use)?


#2

Did you actually try that or are you assuming? Seems strange to me.


#3

Yes, of course I tried it.
And yes, I think it is strange as well; you should be able to specify client CAs and trusted CAs independently of each other.


#4

Does it work when using the intermediate CA and “ca-ignore-err all” is set? If yes, then set:

http-request set-header X-SSL-Client-Verify %[ssl_c_verify]

And check what error code HAProxy is returning (you will see it in the HTTP header towards your backend), or you can also log this with the custom log format.