From: William Lallemand Date: Tue, 13 Feb 2024 15:57:34 +0000 (+0100) Subject: DOC: configuration: Add 3.12 Certificate Storage X-Git-Tag: v3.0-dev8~71 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=43b7e267f0216f0588f66ce843ce6a4f6f536436;p=thirdparty%2Fhaproxy.git DOC: configuration: Add 3.12 Certificate Storage The 3.12. Certificate Storage section, explain how to configure a "crt-store" section. --- diff --git a/doc/configuration.txt b/doc/configuration.txt index 49f33aa426..51aefb1faa 100644 --- a/doc/configuration.txt +++ b/doc/configuration.txt @@ -59,6 +59,7 @@ Summary 3.9. Rings 3.10. Log forwarding 3.11. HTTPClient tuning +3.12. Certificate Storage 4. Proxies 4.1. Proxy keywords matrix 
@@ -4717,6 +4718,60 @@ httpclient.timeout.connect The default value is 5000ms. + +3.12. Certificate Storage +------------------------- + +HAProxy uses an internal storage mecanism to load and store certificates used +in the configuration. This storage can be configured by using a "crt-store" +section. It allows to configure certificate definitions and which files should +be loaded in it. A certificate definition must be written before it is used +elsewhere in the configuration. + +Files in the certificate storage can also be updated dynamically with the CLI. +See "set ssl cert" in the section 9.3 of the management guide. + +Currently only the "load" keyword is supported in the "crt-store" section: + +load [crt ] [param*] + Load SSL files in the certificate storage. + + Arguments: + + crt This argument is mandatory, it loads a PEM which must + contain the public certificate but could also contain + the intermediate certificates and the private key. + If no private key is provided in this file, a key can be + provided with the "key" keyword. + + key This argument is optional. Load a private key in PEM + format. If a private key was already defined in "crt", + it will overwrite it. + + ocsp This argument is optional, it loads an OCSP response in + DER format. It can be updated with the CLI. + + issuer This argument is optional. Load the OCSP issuer in PEM + format. In order to identify which certificate an OCSP + Response applies to, the issuer's certificate is necessary. + If the issuer's certificate is not found in the "crt" file, + it could be loaded from a file with this argument. + + sctl This argument is optional. Support for Certificate + Transparency (RFC6962) TLS extension is enabled. The file + must contain a valid Signed Certificate Timestamp List, + as described in RFC. File is parsed to check basic syntax, + but no signatures are verified. 
+ +Example: + + crt-store + load crt "site1.crt" key "site1.key" ocsp "site1.ocsp" + load crt "site2.crt" key "site2.key" + + frontend in + bind *:443 ssl crt "site1.crt" crt "site2.crt" + 4. Proxies ----------
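Review bot: in the 3.12 hunk the synopsis `load [crt ] [param*]` and the per-argument entries ("crt This argument is mandatory ...", "key This argument is optional ...") carry no operand placeholder after the keyword, so a reader cannot tell that each keyword takes a file path; write them as `load [crt <file>] [param*]` and `crt <file>`, `key <file>`, `ocsp <file>`, `issuer <file>`, `sctl <file>` in the style used for other keywords in configuration.txt. Wording fixes in the same hunk: "internal storage mecanism" should be "mechanism"; "It allows to configure certificate definitions" reads better as "It allows configuring certificate definitions"; in the key entry, "If a private key was already defined in "crt", it will overwrite it" has an ambiguous "it" and should say that the key given here takes precedence over the one found in the "crt" file; in the sctl entry, "as described in RFC" should name the RFC already cited ("as described in RFC 6962") and "File is parsed" should be "The file is parsed". The constraint "A certificate definition must be written before it is used elsewhere in the configuration" is the key operational point, and the example relies on the reader inferring that `bind *:443 ssl crt "site1.crt"` refers to the entry created by `load crt "site1.crt"`; one sentence saying that a "bind ... ssl crt" line selects a stored certificate by the same name given to "load crt" would make that explicit. The ocsp entry says the response "can be updated with the CLI" without naming where that is documented; a cross-reference to the management guide, as done for "set ssl cert", would make it actionable. The sctl sentence "File is parsed to check basic syntax, but no signatures are verified" should stay, since it tells the operator that an invalid Signed Certificate Timestamp List is not rejected at load time and must be checked before deployment.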