I am setting up HAProxy as an SSL terminator/load balancer in front of an API that we need to expose over the internet to a customer.
The plan was to use mutual (2-way) SSL/HTTPS to verify that both parties are who they are since there is no further authentication on the API itself. On top of this we will also utilize an IP whitelist.
Now the customer has given us a certificate that both parties use for both server and client certificates; this certificate is signed by a 'common' CA (DigiCert). While I understand this is good from a client perspective, as the certificate is also compared to the hostname of the server it's accessing, the other way around doesn't seem to be that safe (at least not with HAProxy).
The way I understand it currently, I have to tell HAProxy to trust certificates signed by DigiCert by using the 'ca-file' directive; however, there is no way to tell it that, on top of that, it also needs to be a specific client certificate, because I don't want to trust all client certificates signed by DigiCert.
Is there a way to do this with HAProxy? If not, I guess the only way forward would be to make self-signed client certificates for both sides and exchange them (or rather, certificate signing requests, and have the other party sign them).
Or is my understanding of the whole client certificate concept just wrong?
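One way to get what the question asks for, as an added example that is not part of the original post: keep the DigiCert chain in `ca-file` so HAProxy still validates the chain, then use the `ssl_c_sha1` and `ssl_c_s_dn` sample fetches in ACLs so that only the customer's specific certificate is accepted. The file paths, the IP list, the CN and the fingerprint below are placeholders, not values from the question.

```haproxy
# Added example (not from the original post): CA verification plus pinning of
# one specific client certificate. Paths, CN and fingerprint are placeholders.
frontend api_mtls
    mode http
    # Terminate TLS, demand a client certificate, and abort the handshake unless
    # it chains to a CA in ca-file (here: the DigiCert chain). This alone would
    # accept ANY DigiCert-issued client certificate, which is the concern raised.
    bind :443 ssl crt /etc/haproxy/certs/server.pem ca-file /etc/haproxy/certs/digicert-chain.pem verify required

    # 1) Source IP whitelist: one address or CIDR per line in the file.
    acl trusted_src src -f /etc/haproxy/allowed-ips.lst

    # 2) Strict pin on the exact certificate the customer handed over.
    #    ssl_c_sha1 is the SHA-1 of the presented client cert in DER form; the
    #    hex converter renders it as upper-case hex without colons, i.e. the
    #    same value as:  openssl x509 -in client.crt -noout -fingerprint -sha1 | tr -d ':'
    #    (placeholder fingerprint below)
    acl pinned_client ssl_c_sha1,hex -m str -i 0123456789ABCDEF0123456789ABCDEF01234567

    # 3) Looser alternative that survives the customer renewing the certificate:
    #    match on the subject CN. This relies on DigiCert only issuing that CN
    #    to the customer, so it is weaker than the fingerprint pin.
    acl expected_cn ssl_c_s_dn(CN) -m str api-client.customer.example

    # Deny everything that is not from the whitelist AND the pinned certificate.
    # Swap pinned_client for expected_cn if you prefer the renewal-tolerant rule.
    http-request deny deny_status 403 unless trusted_src
    http-request deny deny_status 403 unless pinned_client
    http-request deny deny_status 403 unless expected_cn

    default_backend api_servers

backend api_servers
    mode http
    server api1 10.0.0.10:8080 check
```

The fingerprint pin has to be updated whenever the customer renews their certificate, whereas the CN match keeps working but then depends on the CA's issuance checks. Validate the configuration with `haproxy -c -f /etc/haproxy/haproxy.cfg` before reloading.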