On 04/09/2015 23:32, Michael Rennecke wrote:

Hello,

is it possible with HAProxy to generate a certificate for each
incoming hostname on the fly? I will use subca for HAProxy. I think to
generate the certificates on the fly is cooler than a certificate for
each hostname.

I found possibilities to generate the certificate, but this doesn't
work :-(

bind unix@/var/run/haproxy_ssl_ecc.sock accept-proxy ssl crt /etc/haproxy/ecc_star.rennecke.dyndns.dk.pem ca-sign-file /etc/haproxy/ecc_subca.pem ecdhe secp521r1 user nobody generate-certificates

ecc_subca.pem included the subca and the key. The key has no pass
phrase. I will balance some other (fun) TLDs with haproxy - my small
home automation project


Hi Michael,

The "generate-certificates" option creates certificates on the fly, but only for clients using the TLS SNI extension to set the remote hostname. So be sure that your clients use it.

--
Christopher Faulet
