Ssl_client_certificate and ssl_verify_client to haproxy

Hello guys,

I’m having a hard time trying to convert this snippet from nginx to haproxy:

    ### SSL cert files ###
    ssl                  on;
    ssl_certificate      /keys/xxx.com.pem;
    ssl_certificate_key  /keys/xxx.com.key;
    ssl_client_certificate /keys/client_certs.crt;
    ssl_verify_client on;
    ssl_verify_depth 2;

The goal is to require the client to be authenticated through a certificate listed in “client_certs.crt”.

Could you please help with the equivalent in haproxy?

Thanks!!!

Hi,
In order to verify client certificates in HAProxy, you need to set the “verify” option to “required”. The certificates provided by the client are to be verified using a CA listed in “ca-file”, which is a PEM file containing CA certificates.

For you to implement the nginx snippet in HAProxy, you would need to make the changes below in the frontend section of haproxy.cfg:

    frontend example_FE
        mode http
        # verify required: the handshake fails unless the client presents a
        # certificate that chains to a CA in ca-file
        bind *:443 ssl crt /keys/xxx.com.pem ca-file /keys/client_certs.crt verify required
        default_backend example_BE

Also, as far as I am aware, haproxy does not support limiting client ssl certificate verification depth. Therefore, ssl_verify_depth is not configured in the above haproxy configuration.

Hope this is helpful !

Thanks,
Shivharsh

Regarding the ssl verification depth, haproxy verifies the entire chain. You can access variables like ssl_c_ca_err_depth or ssl_c_ca_err to understand which error happened at which depth.

You can also choose to ignore certain errors with ca-ignore-err.

None of this should be necessary though, as by default haproxy verifies the full chain, which you probably expect.

Thanks guys! I’m using:

    bind :11001 transparent ssl crt bla.crt ca-file bla.crt verify required crl-file client_certs.crt crt-ignore-err all

And it is working!
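As an added example (not configuration from anyone in this thread), here is a complete haproxy.cfg that puts the answers above together: the strict bind from the first reply, and a diagnostic variant that uses the ssl_c_ca_err_depth / ssl_c_ca_err fetches mentioned in the follow-up to log and reject instead of silently dropping the handshake. The file paths and the frontend/backend names are the thread's; the log-format, port 8443 and the backend server address are assumptions.

```haproxy
global
    log stdout format raw local0

defaults
    mode http
    log global
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Strict form: the TLS handshake itself fails unless the client presents a
# certificate that chains to a CA in ca-file. No ca-ignore-err / crt-ignore-err:
# ignoring "all" errors accepts any certificate and makes the check meaningless.
frontend example_FE
    bind *:443 ssl crt /keys/xxx.com.pem ca-file /keys/client_certs.crt verify required
    default_backend example_BE

# Diagnostic form: "verify optional" still validates the chain against ca-file
# but lets the handshake complete, so the result can be logged (including the
# depth at which a CA error occurred) and turned into a 403 rather than a bare
# TLS alert. Useful while debugging chain problems; not a replacement for the
# strict frontend above.
frontend example_FE_diag
    bind *:8443 ssl crt /keys/xxx.com.pem ca-file /keys/client_certs.crt verify optional
    # assumed log format: verify result (0 = ok), CA error code and the depth
    # it occurred at, leaf certificate error code, client subject CN
    log-format "%ci:%cp [%t] %ft verify=%[ssl_c_verify] ca_err=%[ssl_c_ca_err] ca_err_depth=%[ssl_c_ca_err_depth] crt_err=%[ssl_c_err] cn=%[ssl_c_s_dn(CN)] %ST %r"
    acl has_client_cert   ssl_c_used
    acl client_cert_valid ssl_c_verify 0
    http-request deny deny_status 403 if !has_client_cert || !client_cert_valid
    default_backend example_BE

backend example_BE
    # assumed application server
    server app1 127.0.0.1:8080
```

Validate with `haproxy -c -f haproxy.cfg` before reloading; a non-zero ssl_c_ca_err with its ca_err_depth in the diagnostic log tells you which certificate in the chain failed and why.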