Hi. I would like to configure HAProxy to allow multiple CRLs.

First, for testing I created my own CA. I created a server cert and signed it. 
I created a client cert and signed it. I created a CRL.

I set up HAProxy like:
bind *:443 ssl crt server.crt ca-file my_ca.crt crl-file my_ca.crl

That worked fine. The ssl connection prompted me for a cert signed by the CA 
present in the ca.crt file. I could give it a valid cert, an expired cert and a 
revoked cert and they all worked as expected.

Then I tried integrating with an external CA for which I have a valid client 
cert, the CA cert and the CA CRL. I concatenated the CA certs to a combined.crt 
file. Then I concatenated the CRL files to a combined.crl file even though I 
have read posts that say that invalidates the CRL. There are other posts that 
say that should work.

My HAProxy config is now:
bind *:443 ssl crt server.crt ca-file combined.crt crl-file combined.crl

The interface will accept a client cert signed by my own CA. If I don't specify 
a CRL it will also accept a client cert signed by the external CA. But, if I 
specify the crl-file, it will not accept the client cert from the external CA.

I tried using just the external CA cert and the external CRL:
bind *:443 ssl crt server.crt ca-file external.crt crl-file external.crl

That will not work either. The error in both cases is "SSL client CA chain 
cannot be verified", but I only get that if I specify the crl-file. I

Any help is appreciated! Thanks.

Mike
