@haproxytechblog
Last active August 5, 2022 20:31
Restrict API Access with Client Certificates (mTLS)

$ openssl req \
-newkey rsa:2048 \
-nodes \
-x509 \
-days 3650 \
-keyout root-ca.key \
-out root-ca.crt
$ openssl x509 -noout -text -in root-ca.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
10:4d:04:cf:6e:42:4a:87:dc:6f:5d:54:c6:f6:cd:db:70:92:28:47
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = OH, L = Columbus, O = Acme, CN = acme-root-ca, emailAddress = admin@acme.com
Validity
Not Before: Aug 4 16:40:01 2022 GMT
Not After : Aug 1 16:40:01 2032 GMT
Subject: C = US, ST = OH, L = Columbus, O = Acme, CN = acme-root-ca, emailAddress = admin@acme.com

$ openssl req \
-newkey rsa:2048 \
-nodes \
-days 3650 \
-keyout intermediate-ca.key \
-out intermediate-ca.csr

# ca-cert-extensions.cnf
basicConstraints = CA:TRUE
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

$ openssl x509 \
-req \
-in intermediate-ca.csr \
-out intermediate-ca.crt \
-CA root-ca.crt \
-CAkey root-ca.key \
-CAcreateserial \
-days 3650 \
-extfile ca-cert-extensions.cnf
$ openssl x509 -noout -text -in intermediate-ca.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
11:b3:9f:da:c5:fb:fc:20:69:a5:19:42:f9:58:d0:80:49:39:24:ba
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = OH, L = Columbus, O = Acme, CN = acme-root-ca, emailAddress = admin@acme.com
Validity
Not Before: Aug 4 17:02:49 2022 GMT
Not After : Aug 1 17:02:49 2032 GMT
Subject: C = US, ST = OH, L = Columbus, O = Acme, CN = acme-intermediate-ca, emailAddress = admin@acme.com

$ openssl req \
-newkey rsa:2048 \
-nodes \
-days 365 \
-subj "/CN=scanner/O=warehouse" \
-keyout client.key \
-out client.csr

# client-cert-extensions.cnf
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer

$ openssl x509 \
-req \
-in client.csr \
-out client.crt \
-CA intermediate-ca.crt \
-CAkey intermediate-ca.key \
-CAcreateserial \
-days 365 \
-extfile client-cert-extensions.cnf
$ openssl x509 -noout -text -in client.crt
Certificate:
Data:
Version: 3 (0x2)
Serial Number:
40:6c:b9:0e:20:da:e5:b9:4d:b3:a4:88:84:0f:4c:72:08:40:86:83
Signature Algorithm: sha256WithRSAEncryption
Issuer: C = US, ST = OH, L = Columbus, O = Acme, CN = acme-intermediate-ca, emailAddress = admin@acme.com
Validity
Not Before: Aug 4 17:27:17 2022 GMT
Not After : Aug 4 17:27:17 2023 GMT
Subject: CN = scanner, O = warehouse

frontend mysite
bind 192.168.56.20:80
bind 192.168.56.20:443 ssl crt /etc/haproxy/certs/ssl.crt verify required ca-file /etc/haproxy/certs/intermediate-ca.crt ca-verify-file /etc/haproxy/certs/root-ca.crt
http-request redirect scheme https unless { ssl_fc }
default_backend apiservers

$ curl -v https://192.168.56.20
* TLSv1.3 (IN), TLS alert, unknown (628):
* OpenSSL SSL_read: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required, errno 0
* Failed receiving HTTP2 data
* OpenSSL SSL_write: SSL_ERROR_ZERO_RETURN, errno 0
* Failed sending HTTP2 data
* Connection #0 to host 192.168.56.20 left intact
curl: (56) OpenSSL SSL_read: error:1409445C:SSL routines:ssl3_read_bytes:tlsv13 alert certificate required, errno 0

$ curl -v \
--cert client.crt \
--key client.key \
https://192.168.56.20
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Request CERT (13):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Certificate (11):
* TLSv1.3 (OUT), TLS handshake, CERT verify (15):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384

backend apiservers
server server1 192.168.56.30:443 ssl verify required ca-file @system-ca crt /etc/haproxy/certs/haproxy.crt
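
The gist's commands build the chain but never check it offline. The script below is an added example, not part of the gist or of HAProxy: it rebuilds the root, intermediate and client certificates in a scratch directory using the two extension files above, then runs the checks that HAProxy's `verify required` performs during the handshake, namely that the client certificate chains to the root through the intermediate and carries the `clientAuth` extended key usage. It also signs the same CSR with a second, untrusted CA that has the same subject name as the real intermediate, to show that only the signature chain decides trust. The openssl CLI, the `-subj` values, the `untrusted-ca`/`untrusted-client` file names and the `build_pki`, `verify_chain` and `has_client_auth` helper names are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the gist: rebuild the root -> intermediate -> client
# chain with the gist's extension files in a scratch directory, then run the checks
# HAProxy's "verify required" performs at the handshake. Assumes the openssl CLI;
# subjects, the untrusted-ca/untrusted-client names and the function names are
# this example's own choices.
set -eu

WORK="$(mktemp -d)"
cd "$WORK"

# Extension files exactly as the gist passes them to -extfile.
cat > ca-cert-extensions.cnf <<'EOF'
basicConstraints = CA:TRUE
keyUsage = keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
cat > client-cert-extensions.cnf <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF

# build_pki: root CA, intermediate signed by the root, client cert signed by the
# intermediate, plus a second CA that nobody trusts and a client cert it signed.
# -subj keeps openssl req non-interactive; stderr is silenced (key-generation noise).
build_pki() {
  openssl req -newkey rsa:2048 -nodes -x509 -days 3650 \
    -subj "/O=Acme/CN=acme-root-ca" \
    -keyout root-ca.key -out root-ca.crt 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/O=Acme/CN=acme-intermediate-ca" \
    -keyout intermediate-ca.key -out intermediate-ca.csr 2>/dev/null
  openssl x509 -req -in intermediate-ca.csr -out intermediate-ca.crt \
    -CA root-ca.crt -CAkey root-ca.key -CAcreateserial -days 3650 \
    -extfile ca-cert-extensions.cnf 2>/dev/null
  openssl req -newkey rsa:2048 -nodes \
    -subj "/CN=scanner/O=warehouse" \
    -keyout client.key -out client.csr 2>/dev/null
  openssl x509 -req -in client.csr -out client.crt \
    -CA intermediate-ca.crt -CAkey intermediate-ca.key -CAcreateserial -days 365 \
    -extfile client-cert-extensions.cnf 2>/dev/null
  # Same subject as the real intermediate but a different key: only the signature
  # chain decides trust, never the name printed on the certificate.
  openssl req -newkey rsa:2048 -nodes -x509 -days 3650 \
    -subj "/O=Acme/CN=acme-intermediate-ca" \
    -keyout untrusted-ca.key -out untrusted-ca.crt 2>/dev/null
  openssl x509 -req -in client.csr -out untrusted-client.crt \
    -CA untrusted-ca.crt -CAkey untrusted-ca.key -CAcreateserial -days 365 \
    -extfile client-cert-extensions.cnf 2>/dev/null
}

# verify_chain CERT: succeeds only if CERT chains to root-ca.crt via intermediate-ca.crt
# and is usable as a TLS client. This mirrors the split on the HAProxy bind line:
# ca-file (intermediate) is the CA used to verify, ca-verify-file (root) completes the chain.
verify_chain() {
  openssl verify -purpose sslclient -CAfile root-ca.crt \
    -untrusted intermediate-ca.crt "$1" >/dev/null 2>&1
}

# has_client_auth CERT: succeeds if the certificate carries extendedKeyUsage clientAuth.
has_client_auth() {
  openssl x509 -noout -text -in "$1" | grep -q "TLS Web Client Authentication"
}

build_pki
verify_chain client.crt && echo "client.crt: chains to acme-root-ca, valid for clientAuth"
has_client_auth client.crt && echo "client.crt: extendedKeyUsage clientAuth present"
verify_chain untrusted-client.crt || echo "untrusted-client.crt: rejected, not signed by a trusted CA"
has_client_auth intermediate-ca.crt || echo "intermediate-ca.crt: no clientAuth EKU"
echo "artifacts left in $WORK"
```

Run it as `sh mtls-check.sh`; the two rejection lines are the interesting ones. A certificate whose subject says `acme-intermediate-ca` but whose signature does not verify against the key in `ca-file` gets the same `certificate required`/verify failure that the first `curl -v` run above shows, which is why the `ca-file` handed to HAProxy must contain only the CAs that are actually allowed to issue client certificates.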