@linenoise wrote:
Question regarding the configuration of client certificate authentication.
Using the “ca-file” I can specify a CA that issues approved client certificates,
but what if that is an intermediate CA? How do I configure the trusted root CA?
I don’t want to allow client certificates issued directly from the root ca…
E.g., I have an intermediate CA called “Client Sub CA”, that is signed by “Root CA”.
If I only specify the “Client Sub CA” in the ca-file, HAProxy cannot build a complete chain since it
does not know about “Root CA”, but if I concatenate “Root CA” into the ca-file it also
accepts client-certificates issued directly from the “Root CA”.
Is it possible to only accept client certificates issued from “Client Sub CA”?
I.e., use a separate ca-bundle for complementary ca-certs (like /etc/pki, which HAProxy does not seem to use)?
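
One way to approach the setup described above, as an added example that is not part of the original post: keep both CA certificates in the ca-file so the chain can be built, then reject any client certificate whose issuer is not the intermediate. The file paths, the frontend and backend names, the port and the backend address are assumptions made for illustration.

```haproxy
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend fe_mtls
    # client-chain.pem (assumed path) contains "Client Sub CA" followed by
    # "Root CA", so the verifier can build Sub CA -> Root CA.
    # verify required aborts the handshake when no valid client cert is sent.
    bind :443 ssl crt /etc/haproxy/certs/site.pem ca-file /etc/haproxy/certs/client-chain.pem verify required

    # Chain validation alone also accepts a leaf signed directly by "Root CA",
    # because the root is a trust anchor in the same file. ssl_c_i_dn returns
    # the issuer DN of the client (leaf) certificate; require its CN to be
    # the intermediate and deny everything else.
    acl issued_by_sub_ca ssl_c_i_dn(CN) -m str "Client Sub CA"
    http-request deny unless issued_by_sub_ca

    default_backend be_app

backend be_app
    # Placeholder application server (assumed address).
    server app1 127.0.0.1:8080
```

The ACL compares the issuer name only, so it depends on “Root CA” never signing another CA certificate that carries the same CN. For a `mode tcp` frontend the equivalent rule would be a `tcp-request content reject` on the same ACL.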