Why is the server certificate combined with the root certificate from the CA bundle in haproxy

On our servers we use haproxy for checking client-side certificates. We build a ca-bundle file by combining the G1 and EV intermediate certificates and the G1 and EV root certificates. We also have a server certificate without the intermediate certificates in it.

Now we have a problem. When a user makes a call to the server with a client certificate, it works fine. But the problem is that when the server certificate is returned, it also contains the intermediate certificates AND the root certificate. We should only return our certificate with the intermediate certificates AND NOT the root certificate.

To enable SSL we use this haproxy config option:

frontend https
    mode http
    bind *:443 accept-proxy ssl verify optional crt-ignore-err all crt <SERVER-CERT>.pem-key ca-file <COMBINED-CERTS>.ca-bundle crl-file <CRL-FILE>.crl

    default_backend ssl-proxy

    # rest of the configuration

We have tried removing the root certificates from the CA bundle, and this resulted in the root certificate not being added to the server certificate; but with them removed from the CA bundle, client certificates cannot be checked. This option is not usable.

The question now is: why is this happening, and how can it be changed so that the root certificate is not added to the server certificate?
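A quick way to confirm what the server is actually sending is to capture the chain and flag any self-signed certificate in it: a correctly served chain holds the leaf and the intermediates and no self-signed root. The script below is an added example (not from the question or from HAProxy); it needs the `openssl` CLI, builds a throwaway root/intermediate/leaf PKI on the fly as constructed test data, and the `count_roots` helper is a name chosen here for illustration.

```shell
#!/bin/sh
# Added example: classify every certificate in a PEM bundle as self-signed
# (a root) or issued by another CA. To check a live HAProxy listener, capture
# the served chain first (host name is a placeholder):
#   openssl s_client -connect www.example.test:443 -showcerts </dev/null 2>/dev/null \
#     | sed -n '/BEGIN CERT/,/END CERT/p' > served-chain.pem
#   classify_chain served-chain.pem

# Print "SELF-SIGNED <subject>" or "ISSUED <subject>" for each cert in $1.
classify_chain() {
  bundle="$1"
  tmp=$(mktemp -d)
  # Split the bundle into one file per certificate (cert1.pem, cert2.pem, ...).
  awk -v dir="$tmp" '/BEGIN CERTIFICATE/{n++} n>0 {print > (dir "/cert" n ".pem")}' "$bundle"
  for f in "$tmp"/cert*.pem; do
    subj=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject=//')
    iss=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer=//')
    # A certificate whose issuer equals its subject is a root (self-signed).
    if [ "$subj" = "$iss" ]; then
      echo "SELF-SIGNED $subj"
    else
      echo "ISSUED $subj"
    fi
  done
  rm -rf "$tmp"
}

# Number of self-signed certificates in a bundle; a served chain should give 0.
count_roots() {
  classify_chain "$1" | grep -c '^SELF-SIGNED' || true
}

# Constructed test data: a demo root CA, an intermediate CA signed by it, and a
# leaf signed by the intermediate. Writes good-chain.pem (leaf + intermediate)
# and bad-chain.pem (leaf + intermediate + root) into directory $1.
make_demo_pki() {
  dir="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Demo Root CA" -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Demo Intermediate CA" -keyout "$dir/inter.key" -out "$dir/inter.csr" 2>/dev/null
  openssl x509 -req -in "$dir/inter.csr" -CA "$dir/root.pem" -CAkey "$dir/root.key" \
    -CAcreateserial -days 1 -sha256 -out "$dir/inter.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=www.example.test" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/inter.pem" -CAkey "$dir/inter.key" \
    -CAcreateserial -days 1 -sha256 -out "$dir/leaf.pem" 2>/dev/null
  cat "$dir/leaf.pem" "$dir/inter.pem" > "$dir/good-chain.pem"
  cat "$dir/leaf.pem" "$dir/inter.pem" "$dir/root.pem" > "$dir/bad-chain.pem"
}

# Usage: ./check-chain.sh served-chain.pem
if [ -n "${1:-}" ]; then
  classify_chain "$1"
fi
```

Running `classify_chain` on the chain captured from the listener shows exactly the symptom described in the question: the bad chain ends in a `SELF-SIGNED` line for the root, the good one does not.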

1 answer

dcorbett (best answer)

I believe what you are looking for is ca-verify-file, which was introduced in HAProxy 2.2.

ca-verify-file

This setting designates a PEM file from which to load CA certificates used to verify the client's certificate. It designates CA certificates which must not be included in CA names sent in the server hello message. Typically, "ca-file" must be defined with intermediate certificates, and "ca-verify-file" with certificates ending the chain, like the root CA.
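Applied to the bind line from the question, the split looks like the following. This is an added example, not the answerer's configuration: the file paths are placeholders, it assumes HAProxy 2.2 or later (where ca-verify-file exists), and the comment about bundling the intermediates into the crt PEM reflects HAProxy's general crt handling rather than anything stated in the answer.

```haproxy
# Added example: intermediates in ca-file, roots in ca-verify-file, so the
# client-certificate check still reaches a trusted root while the root is kept
# out of what is advertised. Paths are placeholders.
frontend https
    mode http
    # /etc/haproxy/certs/intermediates.pem : G1 and EV intermediate CA certs only
    # /etc/haproxy/certs/roots.pem         : G1 and EV root CA certs only
    # /etc/haproxy/certs/server.pem        : server certificate, its private key and
    #                                         (assumed, recommended) the intermediates,
    #                                         so the served chain is given explicitly
    bind *:443 accept-proxy ssl verify optional crt-ignore-err all crt /etc/haproxy/certs/server.pem ca-file /etc/haproxy/certs/intermediates.pem ca-verify-file /etc/haproxy/certs/roots.pem crl-file /etc/haproxy/certs/revoked.crl

    default_backend ssl-proxy

    # rest of the configuration
```

After reloading, capture the served chain with `openssl s_client -showcerts` and confirm that it contains the server certificate and the intermediates but no self-signed root, and that a client certificate issued under the G1 or EV hierarchy is still accepted.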