These are some rough notes for deploying a test/dev local CA, a server key/cert, and a client key/cert. The intention is to provide a quick and dirty (don't use in production) local CA with one server and one client. HAProxy is used as an SSL terminator which forces SSL for all connections (via http redirect), then optionally accepts a client cert for authentication.
Follow the install guide for easy-rsa (https://github.com/OpenVPN/easy-rsa)
./easyrsa init-pki
./easyrsa build-ca
./easyrsa gen-req localhost
!!Notice the 'server' param!!
./easyrsa sign-req server localhost
./easyrsa gen-req user001
!!Notice the 'client' param!!
./easyrsa sign-req client user001
easy-rsa encrypts private keys with a passphrase by default (unless gen-req was given 'nopass'); HAProxy cannot prompt for one, so decrypt the key first:
openssl rsa -in crypted.key -out decrypted.key
easy-rsa .crt files contain both a human-readable text dump of the certificate and the PEM-encoded certificate block. For ease of use, copy just the PEM block (from -----BEGIN CERTIFICATE----- to -----END CERTIFICATE-----) to a new file. Use this PEM file for all operations referenced below.
HAProxy requires the server cert/key to be in PEM format, concatenated into a single file. Be sure the key is decrypted (the decrypted.key from the step above) and the cert is extracted from the file generated.
cat ../private/localhost.key ../certs/localhost.crt ../certs/ca.crt > localhost.pem
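As an added check (example code written for these notes, not part of the original notes, easy-rsa or HAProxy), the following Python inspects the concatenated PEM bundle before HAProxy loads it: it confirms that exactly one private key is present and unencrypted (catching both the PKCS#8 `ENCRYPTED PRIVATE KEY` label and the legacy `Proc-Type: 4,ENCRYPTED` header), that at least one certificate follows, and it flags stray non-PEM text such as easy-rsa's human-readable dump. The sample bundles at the bottom are constructed with placeholder bodies, not real key material.

```python
import re

# One PEM armored block: captures the label ("CERTIFICATE", "RSA PRIVATE KEY", ...)
# and the raw body. The body is never decoded; only the armor and PEM headers are inspected.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\n(.*?)-----END \1-----", re.DOTALL)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def check_haproxy_bundle(pem_text):
    """Report whether pem_text looks like a crt file HAProxy can load.

    HAProxy wants one unencrypted private key and the server certificate
    (optionally followed by the issuing chain) concatenated in one PEM file.
    Returns a dict with counts plus 'problems' (will not load) and 'warnings'.
    """
    blocks = PEM_BLOCK.findall(pem_text)
    keys = [body for label, body in blocks if label in KEY_LABELS]
    pkcs8_encrypted = [body for label, body in blocks if label == "ENCRYPTED PRIVATE KEY"]
    certs = [body for label, body in blocks if label == "CERTIFICATE"]
    # Legacy OpenSSL encryption keeps the label but adds "Proc-Type: 4,ENCRYPTED" inside the armor
    legacy_encrypted = [body for body in keys if "Proc-Type: 4,ENCRYPTED" in body]
    encrypted = bool(pkcs8_encrypted or legacy_encrypted)

    problems, warnings = [], []
    if encrypted:
        problems.append("private key is encrypted; HAProxy cannot prompt for a passphrase "
                        "(decrypt it first, e.g. openssl rsa -in crypted.key -out decrypted.key)")
    key_count = len(keys) + len(pkcs8_encrypted)
    if key_count == 0:
        problems.append("no private key block found")
    elif key_count > 1:
        problems.append(f"expected exactly one private key, found {key_count}")
    if not certs:
        problems.append("no CERTIFICATE block found")

    # Text outside the armor (e.g. easy-rsa's human-readable dump) is skipped by OpenSSL's
    # PEM reader, so the file still loads, but it is noise that hides mistakes: warn about it.
    leftover = PEM_BLOCK.sub("", pem_text)
    stray = [ln for ln in leftover.splitlines() if ln.strip()]
    if stray:
        warnings.append(f"{len(stray)} non-PEM text line(s) present, e.g. {stray[0].strip()!r}")
    if len(certs) == 1:
        warnings.append("only the leaf certificate is present; append the CA chain if clients need it")

    return {"key_count": key_count, "cert_count": len(certs), "encrypted": encrypted,
            "problems": problems, "warnings": warnings}


def _pem(label, headers=""):
    # Constructed PEM block for demonstration: the body is a placeholder, not real key material.
    return f"-----BEGIN {label}-----\n{headers}MIIBplaceholderNotRealKeyMaterial=\n-----END {label}-----\n"


# Constructed sample bundles (no real keys or certs): what `cat key crt ca.crt` would produce
# in the good case, with a still-encrypted key, and with easy-rsa's text dump left in.
GOOD_BUNDLE = _pem("RSA PRIVATE KEY") + _pem("CERTIFICATE") + _pem("CERTIFICATE")
ENCRYPTED_BUNDLE = (_pem("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00112233\n\n")
                    + _pem("CERTIFICATE"))
DUMP_BUNDLE = (_pem("RSA PRIVATE KEY") + "Certificate:\n    Data:\n        Version: 3 (0x2)\n"
               + _pem("CERTIFICATE") + _pem("CERTIFICATE"))

if __name__ == "__main__":
    for name, bundle in [("good", GOOD_BUNDLE), ("encrypted", ENCRYPTED_BUNDLE), ("dump", DUMP_BUNDLE)]:
        print(name, check_haproxy_bundle(bundle))
```

This checks only the PEM framing. For the cryptographic side, `openssl verify -CAfile ca.crt localhost.crt` confirms the chain, and comparing the output of `openssl x509 -noout -modulus -in localhost.crt` with `openssl rsa -noout -modulus -in decrypted.key` confirms the key belongs to the cert.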
Below are the relevant parts to implement basic SSL and auth. This is not a complete haproxy.cfg file. Place key/cert files in proper directories as referenced in the config file.
### haproxy.cfg

```haproxy
## Global Section
global
    # Default SSL material locations (relative 'ca-file' / 'crt' paths resolve against these)
    ca-base /tls/certs
    crt-base /tls/private
    # Secure SSL/TLS configs (EECDH/EDH suites first for forward secrecy; the trailing !RC4 overrides EECDH+aRSA+RC4)
    ssl-default-bind-ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS:!RC4
    ssl-default-bind-options no-sslv3 no-tlsv10
    tune.ssl.default-dh-param 4096

## Frontend ssl
frontend haproxy-frontend
    ## 'verify optional': clients without a cert still complete the handshake and the ACLs below
    ## decide what they may reach; 'verify required' rejects the handshake itself without a valid cert.
    bind *:443 ssl crt localhost.pem ca-file ca.crt verify optional ## or: required
    ##
    ## This section can be used to enforce SSL client certs
    ## based on paths, acls, etc...
    ##
    ## Identify admin path. Note: these anchored path_reg ACLs match only /admin, /admin/, /data and /data/
    ## (the query string is not part of 'path'); sub-paths such as /admin/users are NOT covered.
    acl path_admin path_reg ^/admin(?:[/])?$
    acl path_data path_reg ^/data(?:[/])?$
    ## Tag all 'write' methods (declared here but not referenced by any rule in this excerpt)
    acl write_method method POST DELETE PUT
    ## Block access to admin and data paths if no client cert
    ## note the use of 'ssl_c_used' (true only when the client presented a cert on this TLS connection)
    http-request deny if path_admin !{ ssl_c_used }
    http-request deny if path_data !{ ssl_c_used }
    ## force https (redirect + HSTS) and mark cookies Secure
    ## the redirect only fires for requests on a plaintext bind (e.g. *:80), which this excerpt
    ## does not show; with only the :443 bind above, ssl_fc is always true
    redirect scheme https if !{ ssl_fc }
    ## the 'secure' ACL used below is not defined in this excerpt; define it elsewhere in the config.
    ## rspadd/rsprep were removed in HAProxy 2.1 (http-response set-header / replace-header replace them)
    rspadd Strict-Transport-Security:\ max-age=31536000;\ includeSubDomains;\ preload if secure
    rsprep ^Set-Cookie:\ (.*) Set-Cookie:\ \1;\ Secure if secure
```
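To see what the frontend rules above actually decide for a given request, here is an added Python model of their evaluation (example code written for these notes, not HAProxy's code or part of the original config). It transcribes the two `path_reg` ACLs, applies `http-request deny` before `redirect` (the order HAProxy uses), strips the query string the way HAProxy's `path` sample does, and contrasts the excerpt's exact-match regexes with a prefix form (`acl path_admin path /admin` plus `acl path_admin path_beg /admin/`, which HAProxy ORs together) so the sub-paths the regexes leave open to cert-less clients are visible. The request paths are constructed for the demonstration.

```python
import re

# ACLs transcribed from the frontend excerpt. This is a constructed model of HAProxy's
# rule evaluation for these rules only, not HAProxy itself.
PATH_ADMIN = re.compile(r"^/admin(?:[/])?$")
PATH_DATA = re.compile(r"^/data(?:[/])?$")


def protected_by_prefix(path):
    """Prefix form of the ACLs: 'path /admin' OR 'path_beg /admin/' (and the same for /data).

    Unlike a bare 'path_beg /admin', this does not swallow unrelated paths such as /administrator.
    """
    return any(path == p or path.startswith(p + "/") for p in ("/admin", "/data"))


def frontend_decision(path, ssl_fc, ssl_c_used, use_prefix=False):
    """Return 'deny', 'redirect' or 'allow' for one request to haproxy-frontend.

    HAProxy evaluates http-request rules before redirect rules, so a plaintext
    request for /admin is answered 403 rather than redirected to https. A client
    cert can only have been presented on a TLS connection, so ssl_c_used implies ssl_fc.
    """
    ssl_c_used = ssl_fc and ssl_c_used
    path = path.split("?", 1)[0]            # HAProxy's 'path' sample excludes the query string
    if use_prefix:
        protected = protected_by_prefix(path)
    else:
        # the excerpt's path_reg ACLs: exact /admin, /admin/, /data, /data/ only
        protected = bool(PATH_ADMIN.match(path) or PATH_DATA.match(path))
    # http-request deny if path_admin !{ ssl_c_used }  /  if path_data !{ ssl_c_used }
    if protected and not ssl_c_used:
        return "deny"
    # redirect scheme https if !{ ssl_fc }
    if not ssl_fc:
        return "redirect"
    return "allow"


def uncovered_paths(paths):
    """Paths a cert-less TLS client can reach under the regex ACLs but not under the prefix ACLs."""
    return [p for p in paths
            if frontend_decision(p, True, False) == "allow"
            and frontend_decision(p, True, False, use_prefix=True) == "deny"]


# Constructed request paths for the demonstration
SAMPLE_PATHS = ["/", "/admin", "/admin/", "/admin?debug=1", "/admin/users",
                "/data/export.csv", "/administrator"]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        print(f"{p:20} cert-less TLS client -> {frontend_decision(p, True, False)}")
    print("left open by path_reg but closed by the prefix ACLs:", uncovered_paths(SAMPLE_PATHS))
```

Running it shows `/admin/users` and `/data/export.csv` reaching the backend without a client cert under the excerpt's regexes; whether that is intended depends on what the application serves under those prefixes, so decide it explicitly rather than by the regex's anchoring.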