On our servers we use haproxy for checking client-side certificates. We build a ca-bundle file by combining the G1 and EV intermediate certificates and the G1 and EV root certificates. We also have a server certificate without the intermediate certificates in it.
Now we have a problem. When a user makes a call to the server with a client certificate it works fine. But the problem is when the server certificate is returned this certificate also contains the intermediate certificates AND the root certificate. We should only return our certificate with the intermediate certificates AND NOT the root certificate.
To enable SSL we use this haproxy config option:
frontend https
mode http
bind *:443 accept-proxy ssl verify optional crt-ignore-err all crt <SERVER-CERT>.pem-key ca-file <COMBINDED-CERTS>.ca-bundle crl-file <CRL-FILE>.crl
default_backend ssl-proxy
# rest of the configuration
We have tried removing the root certificates from the CA bundle, and this resulted in the root certificate not being added to the server certificate, but with them removed from the CA bundle, client certificates cannot be checked. This option is not usable.
The question now is why this is happening and how it can be changed so that the root certificate won't be added to the server certificate.
I believe what you are looking for is ca-verify-file, which was introduced in HAProxy 2.2.
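To make the answer concrete, here is the bind line from the question rewritten to use that option (an added example, not part of the answer above; the file names in angle brackets are placeholders and assume HAProxy 2.2 or later). The intermediate certificates stay in ca-file, which is what HAProxy advertises to clients and uses to complete the served chain, while the root certificates move to ca-verify-file, where they are used only to finish verifying the client certificate and are never sent on the wire.

```haproxy
frontend https
    mode http
    # ca-file: intermediate CAs only. These are sent as acceptable CA names in the
    # TLS CertificateRequest and used to complete the server's chain.
    # ca-verify-file: root CAs only. Used to verify the client chain up to a trust
    # anchor, but never advertised to the client or appended to the served chain.
    # Placeholders: <SERVER-CERT>, <INTERMEDIATE-CERTS>, <ROOT-CERTS>, <CRL-FILE>.
    bind *:443 accept-proxy ssl verify optional crt-ignore-err all crt <SERVER-CERT>.pem-key ca-file <INTERMEDIATE-CERTS>.ca-bundle ca-verify-file <ROOT-CERTS>.ca-bundle crl-file <CRL-FILE>.crl
    default_backend ssl-proxy
    # rest of the configuration
```

After reloading, `openssl s_client -connect <host>:443 -showcerts </dev/null` should list only the server certificate and the intermediates, with the root absent from the chain.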