On 4/29/22 11:16, Henning Svane wrote:
> I have tried to build a PEM Certificate, but with no luck.
>
> What should it include and in which order?


I use certs issued by LetsEncrypt.

My certificate file that I use for haproxy and most other software doing TLS has four PEM-encoded items in it:

Server cert
LetsEncrypt Issuing cert
Private Key
DH Params

The file is owned by root and has 600 permissions.

The only thing that might be important there as far as order would be to have the server cert before the issuing cert.

You do not normally need to include the CA's root certificate in the file -- the browser already has root certificates for any authority that it trusts ... that is how trust is established. Unless you created the cert yourself, what you want to have in your file is certs for the entire trust chain *EXCEPT* for the root cert.

Most software will ignore DH Params in the certificate file.  It is my understanding that haproxy actually uses it.  So each cert file that I employ gets its own 4096 bit DH Params.  My cert is also 4096 bit.

Thanks,
Shawn
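The layout Shawn describes (server cert, issuing cert, private key, DH params, owned by root with mode 600), as an added example that is not part of the original post or of haproxy's own tooling: a small POSIX shell script that assembles such a bundle and lints the result. The input file names are hypothetical; with certbot they would normally be cert.pem, chain.pem and privkey.pem under /etc/letsencrypt/live/<domain>/, and the DH params file is whatever `openssl dhparam` produced. The check only inspects PEM block labels and file mode; it does not parse the certificates.

```shell
#!/bin/sh
# Added example (not from the original post): build a haproxy-style PEM
# bundle in the order described above and lint it. All paths and file
# names are hypothetical.
set -eu

# build_bundle CERT CHAIN KEY DHPARAM OUT
# Concatenate: server cert, intermediate(s) (no root cert), private key,
# DH params. The temp file is written under umask 077 so the private key
# is never world-readable on disk, then moved into place atomically.
build_bundle() {
    out=$5
    tmp="$out.tmp"
    (umask 077; cat "$1" "$2" "$3" "$4" > "$tmp")
    chmod 600 "$tmp"
    mv "$tmp" "$out"
}

# pem_order FILE
# Prints the PEM block labels in file order, comma-separated, e.g.
# "CERTIFICATE,CERTIFICATE,PRIVATE KEY,DH PARAMETERS".
pem_order() {
    sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | paste -s -d , -
}

# check_bundle FILE
# Succeeds only if the mode is exactly 0600, one or more certificates come
# first, exactly one private key follows them, and the only thing allowed
# after the key is an optional DH PARAMETERS block.
check_bundle() {
    f=$1
    if [ -z "$(find "$f" -prune -perm 600)" ]; then
        echo "$f: mode must be 0600 because it holds the private key" >&2
        return 1
    fi
    order=$(pem_order "$f")
    if ! printf '%s\n' "$order" |
        grep -Eq '^(CERTIFICATE,)+(RSA |EC )?PRIVATE KEY(,DH PARAMETERS)?$'
    then
        echo "$f: unexpected PEM layout: $order" >&2
        return 1
    fi
    echo "$f: $order"
}

# Demo on constructed placeholder blocks (not real keys or certificates);
# the payload "AA==" is just filler so the labels can be exercised.
demo_dir=$(mktemp -d)
fake_pem() {  # fake_pem LABEL FILE
    printf '%s\n' "-----BEGIN $1-----" "AA==" "-----END $1-----" > "$2"
}
fake_pem CERTIFICATE     "$demo_dir/cert.pem"      # server cert
fake_pem CERTIFICATE     "$demo_dir/chain.pem"     # issuing (intermediate) cert
fake_pem 'PRIVATE KEY'   "$demo_dir/privkey.pem"
fake_pem 'DH PARAMETERS' "$demo_dir/dhparams.pem"

build_bundle "$demo_dir/cert.pem" "$demo_dir/chain.pem" \
             "$demo_dir/privkey.pem" "$demo_dir/dhparams.pem" \
             "$demo_dir/haproxy.pem"
check_bundle "$demo_dir/haproxy.pem"
```

The label check cannot tell a leaf from an intermediate, so for the "server cert before issuing cert" point use openssl on the finished file: `openssl crl2pkcs7 -nocrl -certfile haproxy.pem | openssl pkcs7 -print_certs -noout` lists subject and issuer for each certificate in file order, and the first certificate's issuer should equal the second certificate's subject. Running `haproxy -c -f haproxy.cfg` afterwards confirms haproxy can load the bundle before a reload.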

