A rather odd set of project requirements means I need to implement client SSL authentication using multiple CAs; there will be a mixture of commercial SSL providers and private CAs.
Adding all the relevant root CAs to a single file works fine, unless I add the crl-file directive; once I do that I can’t get a client certificate to work unless I put the client cert’s intermediate cert into my root CA file, which isn’t a practical approach.
How should I be setting up the certificate revocation file for this situation? All the information I can find on client auth with CRL assumes a single root CA is in use.
Is there a trick to combining all the CRLs to make this scenario work?
(currently using HAProxy 1.5 on CentOS 7.4)
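One check worth running before enabling `crl-file` is whether every CA in the bundle actually has a CRL in the CRL file. HAProxy's `crl-file` turns on OpenSSL's whole-chain CRL checking, so each CA that appears in the `ca-file` (intermediates included, not only the roots) needs a CRL it issued in the concatenated `crl-file`; a CA without one makes every chain through it fail verification. The script below is an added example, not from the question or from HAProxy itself. It uses only the Python standard library, compares issuer and subject names as raw DER (no signature checks), and builds a small constructed PKI of unsigned certificate and CRL skeletons purely so that it runs offline; on a real system you would pass it the contents of your `ca-file` and `crl-file`.

```python
"""Report CAs in a PEM ca-file bundle that have no CRL in a PEM crl-file bundle."""
import base64
import re

PEM_RE = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text):
    """Return [(label, der_bytes)] for every PEM block in a bundle."""
    return [(m.group(1), base64.b64decode("".join(m.group(2).split())))
            for m in PEM_RE.finditer(text)]


def read_tlv(buf, off=0):
    """Decode one DER TLV at buf[off]; return (tag, content, offset_after)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    return tag, buf[off:off + length], off + length


def children(content):
    """Split the content of a constructed DER value into (tag, body) elements."""
    out, off = [], 0
    while off < len(content):
        tag, body, off = read_tlv(content, off)
        out.append((tag, body))
    return out


def cert_names(der):
    """Return (issuer, subject) Name bodies of a DER certificate."""
    tbs = children(children(read_tlv(der)[1])[0][1])
    if tbs[0][0] == 0xA0:  # explicit [0] version is present for v2/v3 certs
        tbs = tbs[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    return tbs[2][1], tbs[4][1]


def crl_issuer(der):
    """Return the issuer Name body of a DER CRL."""
    tbs = children(children(read_tlv(der)[1])[0][1])
    if tbs[0][0] == 0x02:  # optional version INTEGER (v2 CRLs)
        tbs = tbs[1:]
    # remaining order: signature, issuer, thisUpdate, ...
    return tbs[1][1]


def name_cn(name_der):
    """Best-effort commonName from a Name body, for readable output only."""
    for _, rdn in children(name_der):
        for _, atv in children(rdn):
            oid, value = children(atv)
            if oid[1] == b"\x55\x04\x03":  # id-at-commonName
                return value[1].decode("utf-8", "replace")
    return name_der.hex()


def uncovered_cas(ca_bundle, crl_bundle):
    """CNs of certificates in ca_bundle whose subject issued no CRL in crl_bundle."""
    crl_issuers = {crl_issuer(d) for label, d in pem_blocks(crl_bundle) if label == "X509 CRL"}
    missing = []
    for label, der in pem_blocks(ca_bundle):
        if label == "CERTIFICATE":
            _, subject = cert_names(der)
            if subject not in crl_issuers:
                missing.append(name_cn(subject))
    return missing


# --- constructed test PKI: structurally valid, unsigned skeletons (not real certs) ---
def _tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 128 else (bytes([0x81, n]) if n < 256 else b"\x82" + n.to_bytes(2, "big"))
    return bytes([tag]) + length + body


def _name(cn):
    return _tlv(0x30, _tlv(0x31, _tlv(0x30, _tlv(0x06, b"\x55\x04\x03") + _tlv(0x0C, cn.encode()))))


SIGALG = _tlv(0x30, _tlv(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSAEncryption
TIME = _tlv(0x17, b"240101000000Z")


def _pem(label, der):
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


def fake_cert(subject_cn, issuer_cn):
    tbs = (_tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + SIGALG + _name(issuer_cn)
           + _tlv(0x30, TIME + TIME) + _name(subject_cn) + _tlv(0x30, b""))
    return _pem("CERTIFICATE", _tlv(0x30, _tlv(0x30, tbs) + SIGALG + _tlv(0x03, b"\x00")))


def fake_crl(issuer_cn):
    tbs = _tlv(0x02, b"\x01") + SIGALG + _name(issuer_cn) + TIME
    return _pem("X509 CRL", _tlv(0x30, _tlv(0x30, tbs) + SIGALG + _tlv(0x03, b"\x00")))


if __name__ == "__main__":
    # Two roots plus one intermediate in the ca-file, but CRLs only from the roots:
    ca_file = fake_cert("Root A", "Root A") + fake_cert("Intermediate A", "Root A") + fake_cert("Root B", "Root B")
    crl_file = fake_crl("Root A") + fake_crl("Root B")
    for cn in uncovered_cas(ca_file, crl_file):
        print(f"no CRL for CA '{cn}'; chains through it will fail once crl-file is enabled")
```

The intended workflow is: concatenate every root and intermediate CA into the `ca-file`, concatenate the CRL published by each of those CAs into the `crl-file`, run this check on both bundles, and only then add `crl-file` next to `ca-file` and `verify required` on the HAProxy `bind` line.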