When using client SSL authentication with multiple CAs how should the CRL be constructed?

A rather odd set of project requirements means I need to implement client SSL authentication using multiple CAs; there will be a mixture of commercial SSL providers and private CAs.

Adding all the relevant root CAs to a single file works fine, unless I add the crl-file directive; once I do that I can’t get a client certificate to work unless I put the client cert’s intermediate cert into my root CA file, which isn’t a practical approach.

How should I be setting up the certificate revocation file for this situation? All the information I can find on client auth with CRL assumes a single root CA is in use.

Is there a trick to combining all the CRLs to make this scenario work?

(currently using haproxy 1.5 on CentOS 7.4)

After some more testing: if the root CA is placed in the CA file and the root AND intermediate CRLs in PEM format are combined into the CRL file then client SSL works, but this requires every intermediate CRL file to be included. If the root CRL is missing then the error is “www-https/1: SSL client certificate not trusted” while leaving out the intermediate CRL gives “SSL client CA chain cannot be verified”.

Is there a way to tell haproxy “if it’s not in the CRL assume a certificate is good instead of failing it”?

I managed to figure this out. For anyone who finds this while searching for their own answer:

  • To make the combined CRL file take every CRL file in base64 encoded PEM format and join them together. Order doesn’t matter. Include root and intermediate CRLs if you want both to be used.

  • In the haproxy.cfg bind line add “crt-ignore-err 3 ca-ignore-err 3” which will ignore missing CRLs; this stops authentication from failing if you don’t have the exact needed CRL installed.

crt-ignore-err is for the cert, ca-ignore-err is for the intermediate and root certs, and code 3 is “X509_V_ERR_UNABLE_TO_GET_CRL” which is undocumented but can be looked up in the source code:

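The two steps from the answer above (join every PEM CRL into one bundle, then point the bind line at it with error 3 ignored) as a small POSIX shell script. This is an added example, not code from the thread or from the haproxy project; the file paths, the fake CRL contents used for the demonstration and the helper names are constructed here and are not real CRLs.

```shell
#!/bin/sh
# Added example: build a combined CRL bundle for haproxy client auth with
# several CAs, and emit the matching bind line. All paths are assumptions.

# Concatenate PEM CRLs into one bundle. Usage: build_crl_bundle OUT IN...
# Prints the number of CRL blocks written; returns 1 if an input is not PEM
# (a DER CRL, for example, cannot simply be appended to the bundle).
build_crl_bundle() {
    out=$1; shift
    count=0
    : > "$out"
    for f in "$@"; do
        if ! grep -q '^-----BEGIN X509 CRL-----' "$f"; then
            echo "not a PEM CRL: $f" >&2
            return 1
        fi
        cat "$f" >> "$out"
        # Make sure the next BEGIN line starts on its own line even when the
        # input file has no trailing newline (order of the CRLs does not matter).
        if [ -n "$(tail -c1 "$f")" ]; then
            echo >> "$out"
        fi
        count=$((count + 1))
    done
    echo "$count"
}

# Count the CRL blocks haproxy will actually see in a bundle.
count_crls() {
    grep -c '^-----BEGIN X509 CRL-----' "$1"
}

# Bind line from the answer: verify the client cert against the CA bundle and
# the combined CRL; error 3 (X509_V_ERR_UNABLE_TO_GET_CRL) is ignored for the
# leaf (crt-ignore-err) and for the chain (ca-ignore-err), so a CA whose CRL
# is not in the bundle does not make the handshake fail.
# Usage: haproxy_bind_line SERVER_PEM CA_FILE CRL_FILE
haproxy_bind_line() {
    printf 'bind *:443 ssl crt %s ca-file %s crl-file %s verify required crt-ignore-err 3 ca-ignore-err 3\n' \
        "$1" "$2" "$3"
}

# Write a constructed, non-functional PEM-shaped CRL for the demo below.
# The base64 body is a placeholder, not a real CRL.
write_fake_crl() {
    printf '%s\n%s\n%s' '-----BEGIN X509 CRL-----' 'Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=' '-----END X509 CRL-----' > "$1"
}

# Demonstration (runs stand-alone, with constructed files in a temp directory).
demo_dir=$(mktemp -d)
write_fake_crl "$demo_dir/root.crl.pem"
write_fake_crl "$demo_dir/intermediate.crl.pem"
demo_n=$(build_crl_bundle "$demo_dir/combined.crl.pem" "$demo_dir/root.crl.pem" "$demo_dir/intermediate.crl.pem")
echo "CRLs in bundle: $demo_n"
haproxy_bind_line /etc/haproxy/certs/site.pem /etc/haproxy/ca-bundle.pem "$demo_dir/combined.crl.pem"
rm -rf "$demo_dir"
```

Note what ignoring error 3 buys and costs: a client whose issuer has no CRL in the bundle is accepted without any revocation check, so the bundle should still carry every root and intermediate CRL you can obtain, with the ignore rule only covering the gaps. haproxy reads crl-file when it starts, so a job that refreshes the CRLs needs to rebuild the bundle and reload haproxy for the new revocations to apply.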