Gitiles
Code Review Sign In
git01.mediatek.com / haproxy / 70df7bf19cebd5593c0abb01923e6c9f72961da6^! / . / doc / configuration.txt
commit70df7bf19cebd5593c0abb01923e6c9f72961da6[log] [tgz]
authorEmmanuel Hocdet <manu@gandi.net>Fri Jan 04 11:08:20 2019 +0100
committerWilliam Lallemand <wlallemand@haproxy.org>Tue Feb 18 14:33:05 2020 +0100
tree56d73656df0013e3e06b74d3eba2f592fc98e80c
parent23997daf4e23290c515014cedd04e3419029fb7b [diff] [blame]
MINOR: ssl: add "issuers-chain-path" directive.

Certificates loaded with "crt" and "crt-list" commonly share the same
intermediate certificate in PEM file. "issuers-chain-path" is a global
directive to share intermediate chain certificates in a directory. If
certificates chain is not included in certificate PEM file, haproxy
will complete chain if issuer match the first certificate of the chain
stored via "issuers-chain-path" directive. Such chains will be shared
in memory.

diff --git a/doc/configuration.txt b/doc/configuration.txt
index 306d639..6b8437b 100644
--- a/doc/configuration.txt
+++ b/doc/configuration.txt

@@ -601,6 +601,7 @@
    - h1-case-adjust-file
    - insecure-fork-wanted
    - insecure-setuid-wanted
+   - issuers-chain-path
    - log
    - log-tag
    - log-send-hostname
@@ -949,6 +950,19 @@
   explicitly adding this directive in the global section. If enabled, it is
   possible to turn it back off by prefixing it with the "no" keyword.
 
+issuers-chain-path <dir>
+  Assigns a directory to load certificate chain for issuer completion. All
+  files must be in PEM format. For certificates loaded with "crt" or "crt-list",
+  if certificate chain is not included in PEM (also commonly known as
+  intermediate certificate), haproxy will complete chain if the issuer of the
+  certificate corresponds to the first certificate of the chain loaded with
+  "issuers-chain-path".
+  A "crt" file with PrivateKey+Certificate+IntermediateCA2+IntermediateCA1
+  could be replaced with PrivateKey+Certificate. HAProxy will complete the
+  chain if a file with IntermediateCA2+IntermediateCA1 is present in
+  "issuers-chain-path" directory. All other certificates with the same issuer
+  will share the chain in memory.
+
 log <address> [len <length>] [format <format>] [sample <ranges>:<smp_size>]
     <facility> [max level [min level]]
   Adds a global syslog server. Several global servers can be defined. They
@@ -11309,7 +11323,8 @@
   associated private keys. This file can be built by concatenating multiple
   PEM files into one (e.g. cat cert.pem key.pem > combined.pem). If your CA
   requires an intermediate certificate, this can also be concatenated into this
-  file.
+  file. Intermediate certificate can also be shared in a directory via
+  "issuers-chain-path" directive.
 
   If the OpenSSL used supports Diffie-Hellman, parameters present in this file
   are loaded.