Hi,

My question may have been a little misleading. To be clear: the HAProxy config is PEM only for both the server certificate and the CA-file for client certificates.

The issue is that the client uses a p7b binary certificate and chain to connect to HAProxy. HAProxy then responds with an “unknown CA” error, even though the root of the client certificate is part of the CA-file.

That got me to think HAProxy maybe does not support clients using non-PEM client certificates. But I could not find any source as to what is actually supported.

Best regards,
D

From: Илья Шипицин <chipits...@gmail.com>
Date: Monday, 2. August 2021 at 20:14
To: "Froehlich, Dominik" <dominik.froehl...@sap.com>
Subject: Re: Supported certificate formats?

If you are familiar with Wireshark, I suggest capturing Client Hello <--> Server Hello. Certificates are displayed there, so you can see whether HAProxy sends its certificate (and chain) or not.

My money would be on "if HAProxy does not complain on config, so it loaded it properly, including certificates".

Mon, 2 Aug 2021 at 17:28, Froehlich, Dominik <dominik.froehl...@sap.com>:

Hi,

We have an issue with a client certificate in DER (binary) encoded PKCS7 format (.p7b). The file contains the full certificate chain and the CA-file at HAProxy matches the root CA of the chain, so it should work.

However, the client connecting receives an “unknown CA” alert and HAProxy says “SSL client certificate not trusted”.

My strong suspicion is that HAProxy only supports PEM (text) encoded CRT format when connecting, but I haven’t found a definitive source in the documentation. There are only examples using PEM, so I assume this is the only supported format.

Can someone confirm / deny this or point me to a list of supported formats for certificates?

Thanks a lot,
Dominik
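
An added example, not part of the thread above: one way to check offline, with the `openssl` command-line tool, whether the certificates inside a DER-encoded `.p7b` bundle verify against a PEM CA file. The file names, subject names and the `make_test_pki` / `check_p7b` helpers are constructed for illustration; the check looks only at the files, not at what the client sends or how HAProxy is configured.

```shell
#!/bin/sh
# Added example. All file names and subject names are constructed test values.
set -eu

# Build a throwaway PKI in directory $1: a root CA, a client cert signed by it,
# an unrelated second root, and a DER-encoded PKCS#7 bundle (client + root).
make_test_pki() {
  d="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Test Root" \
    -keyout "$d/root.key" -out "$d/root.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Other Root" \
    -keyout "$d/other.key" -out "$d/other.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=test-client" \
    -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1 -out "$d/client.pem" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$d/client.pem" -certfile "$d/root.pem" \
    -outform DER -out "$d/client.p7b"
}

# check_p7b BUNDLE.p7b CAFILE.pem
# Unpack a DER PKCS#7 bundle to PEM and verify every certificate in it against
# the PEM CA file. Returns 0 only if all of them verify.
check_p7b() {
  p7b="$1"; cafile="$2"; rc=0
  tmp=$(mktemp -d)
  openssl pkcs7 -inform DER -in "$p7b" -print_certs -out "$tmp/all.pem"
  # One file per certificate; PKCS#7 does not guarantee leaf-first order.
  awk -v d="$tmp" '/BEGIN CERTIFICATE/{n++} n{print > (d "/cert" n ".pem")}' "$tmp/all.pem"
  for c in "$tmp"/cert*.pem; do
    if openssl verify -CAfile "$cafile" -untrusted "$tmp/all.pem" "$c" >/dev/null 2>&1
    then echo "OK   $(openssl x509 -in "$c" -noout -subject)"
    else echo "FAIL $(openssl x509 -in "$c" -noout -subject)"; rc=1
    fi
  done
  rm -rf "$tmp"
  return "$rc"
}

# Stand-alone use: sh check.sh bundle.p7b ca.pem
if [ "$#" -eq 2 ]; then check_p7b "$1" "$2"; fi
```

A `FAIL` line names the certificate whose chain does not end at a root in the CA file, which is the first thing to rule out before looking at the handshake capture.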